Only 39% of UK employees recognise that intellectual property (IP) could damage their company if leaked, according to new research from data loss prevention company Clearswift.
This laissez faire attitude is particularly worrying, given many employees have both access and a relatively high propensity to lose or give away data.
44% of respondents say they have access to such sensitive IP, with 35% also saying they have access to organisation’ information that is above their pay grade.
Clearswift research also shows 35% of employees would sell IP for the right price, with 3% saying they’d consider £100, 18% at £1,000 and 29% at £10,000. Meanwhile, 12% of employees had lost or misplaced a company device containing sensitive corporate data.
The research was carried out amongst 4,000 employees split evenly across the UK, USA, Germany and Australia.
Heath Davies, CEO at Clearswift says: “The value of a company’s IP is frequently misunderstood. First off, IP comes in many guises and it’s essential for organisations to recognise ‘what’ their IP is; where it exists and who has access to it. IP is often a company’s most prized possession, if it were to fall into a competitor’s hands, or even unauthorised hands, it could cause immense financial damage to a company, or as in the case of the recent attempted US naval espionage charge, potentially result in dire effects. It is incredible that so many survey respondents say they have access to such information, yet so few seem to realise its value”.
The potential for different data forms to cause damage was widely underappreciated by UK employees. Only 53% thought financial data such as accounts would cause considerable damage to their company if leaked or somehow compromised. Customer data, e.g. contact details, came in at 50%, information on employee salaries and medical records at 45% and payment and credit card details at 39%.
A parallel Clearswift study of 500 security professionals supports these concerns: 73% believe their business will experience a serious information breach in the next 24 months, resulting from employee behaviour. Despite this, 72% believe internal security threats are not treated with the same importance as external threats by the Board, and 14% say internal threats won’t be taken seriously enough until their organisation experiences a serious internal data breach.
Davies says: “All this paints a picture of a sizeable number of organisations which do not understand the value of their critical information and the risks posed, should this not be adequately protected. There is clear evidence that around half of companies do not control access to sensitive data and do not put in place proper training or proactive safeguards to prevent that data leaking.”
“The research suggests, and our experience shows, that many employees don’t appreciate the relative values of their data, but perhaps more worryingly how the Boards and Leaders of these organisations are underestimating the ramifications of not securing their critical information.”
“Most employees are not acting maliciously but their carelessness can be just as damaging. Companies need to wake up to the fact employees have the potential to cause the company huge damage through their actions, and ensure that training, policies and technology are in place to minimise that risk. Those sitting on the Board need to sit up and pay attention (only recently, Aviva sacks employee for malicious data breach); critical information needs to be governed at the highest levels or it could jeopardise the future of a company.”