They say that everyone has a price. For a quarter of employees, that price is just £1,000 to sell on corporate information to a third party.
That’s according to research by UK cybersecurity firm Deep Secure, which surveyed 1,500 UK office workers to gauge the extent of the insider threat, in which the risk of a breach comes from within.
It’s a risk that has long been difficult to defend against and Deep Secure found an alarming number – 45% – of employees willing to sell information about their own company. That includes its sales pipeline, sensitive information about their colleagues and customer information.
For some employees (10%), their price would be as low as £250 to sell company intellectual property.
And some – presumably nihilists or disgruntled staff – don’t have a price at all, with 5% admitting they would readily give company information away for free.
The research suggests the problem isn’t just hypothetical either, with an alarming 59% of office workers conceding that they have taken information from their company network.
In some cases, this was for personal use, such as keeping a record of successes. But for 47%, information was passed on to a third party, such as their new company.
One high-profile example of this type of insider threat is Anthony Levandowski, a former Waymo engineer who allegedly downloaded 9.7GB of Waymo documents before resigning to start his own driverless car company, Otto.
When Otto was acquired by ride-hailing firm Uber, Levandowski allegedly brought those documents with him and a legal battle between Uber and Waymo ensued.
In February 2018, Uber made a $245m settlement payment to Waymo to settle the case and Levandowski was fired by Uber.
Insider threat: “The cost of employee loyalty is staggeringly low”
As companies face a constant battle to defend their information from external threats, it’s sometimes easy to forget about the insider threat under your nose – whether that’s exfiltrating via USB, printed documents, photographs or old-fashioned handwritten notes.
The findings were revealed in Deep Secure’s ‘What is the Price of Loyalty’ report, which suggests the “cost of employee loyalty is staggeringly low”, according to Dan Turner, CEO of Deep Secure.
“With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches,” he said.
“And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016. Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued.
But what happens when a breach occurs? Separate research from nCipher Security has painted a rather bleak picture of employees responding to a breach, internal or external.
In its survey of 250 UK IT decision makers, 61% said they would be prepared to cover up a data breach if it meant they could escape fines. That figure rises to 71% at the C-level.
Peter Galvin, chief strategy and marketing officer at nCipher Security, said:
“Organisations are under a greater obligation than ever to disclose data breaches, particularly when personal information is at risk, but evidently many IT leaders – particularly at C-Level – still feel they can avoid being subject to fines and other punitive measures from regulatory bodies.
“By implementing the right security measures to protect their business critical information and applications up front by using tools such as encryption, investing in training and talent as well as understanding the regulatory landscape, businesses can take steps to avoid a damaging breach in the first place.”