Beware the enemy within


If your IT department seems paranoid about security, they may have good reason to be. According to a new survey, nearly a quarter of UK employees admit to having illegally accessed sensitive information on their company network and more than half would do so given the opportunity.

Research commissioned by Microsoft has found that businesses face a very real security threat from inside their own walls, with 22 per cent of employees having gained access to information such as salary details.

When asked what type of information would tempt them most, respondents most often named HR and payroll information (36 per cent), followed by their manager's personal notes (28 per cent) and their colleagues' personal notes (25 per cent).

If presented with the opportunity, six per cent even said they would steal a colleague's password.

The survey, carried out by YouGov, also found that men tend to be more dishonest than their female colleagues, with 27 per cent of men, compared to only 16 per cent of women, admitting to having stolen confidential information.

Microsoft's Annemarie Duffy said that the findings underlined the challenge facing IT, HR and finance departments in protecting confidential information from non-authorised employees.

"The results of this survey were surprising," she said. "Not only are more than half of all UK employees prepared to snoop on confidential data, nearly a quarter have actually already done so.

"Particularly worrying is how vulnerable HR and payroll information has become, HR departments typically hold information that could be damaging for business and individuals if in the wrong hands. Details of salary, bank accounts, health records, National Insurance numbers, home address, family members could all be taken by a determined internal snooper or identity thief."

But the issue appears to go deeper still, with a third of those admitting that they would access documents, files, customer details and old accounts from previous employers if they still had access - a strong motive if ever there was one for organisations to ensure they have processes in place to lock down accounts when employees leave.

"Organisations have statutory as well as moral obligations to all their stakeholders to protect this sort of information," said Hugh Simpson-Wells at Identity and Access Management consultancy Oxford Computer Group.

"Solutions are available for any size of business that are not only technically sound, but are accessible and affordable, and support flexible business processes for securing this kind of data. Failure to provide such systems not only risks prosecution under the Data Protection Act but invites destructive and divisive internal espionage - and is just plain inefficient."