Risk & Economy » Financial crime » Almost half of office workers would sell their firm’s corporate information

Almost half (45%) of office employees would be willing to sell corporate information to people outside their organisation, according to new research that exposes the extent of the insider threat.

Just £1,000 would be enough to tempt 25% of employees to give away company information – and 5% would give it away for free, says a report from cyber security firm Deep Secure.

The report reveals how 15% of office workers reported that for £1,000, they would pass on confidential market information about their company or customers’ businesses, details of their firm’s sales pipeline, sensitive information relating to their colleagues, and customer information.

One in 10 respondents (10%) would also sell intellectual property, such as product specifications, product code and patents, for £250 or less.

This is not just a hypothetical threat – with 59% of office workers admitting to having taken information off corporate networks. In some instances, this was for personal use, with the potential value to the individual’s future career success a key driver: either because it would be of use in a new role or they wanted to keep a record of their work (both 12% respectively).

However, 47% of those that had taken information from their corporate network admitted it was given to a third-party (rising to 62% among male respondents). Frequently the information was taken from a previous company and given to their new employer or employees (16% and 19%), but 17% were approached by someone they didn’t know.

The findings also reveal that criminals are targeting younger employees: one in five (19%) respondents in graduate-level roles admit that they were paid to source the information, with 29% of 16-24-year-olds reporting they had been approached by someone they didn’t know to take it.

Exfiltration tactics

When exploring how this information is being taken, some individuals report using traditional techniques to take information from corporate networks, including printing, handwriting and taking a photo of the information (11%, 9% and 8% respectively).

However, digital techniques are more commonly used with 11% of respondents reporting having sent the information to the third-party by email, directly uploading it into their personal cloud storage, or given it them on an external storage device.

Eight per cent also reported using cyber tools to hide and exfiltrate company information (such as steganography or encryption). This was not only prevalent in the IT & Telecoms industry (13% of respondents), but the HR and finance industry also reported comparable use of cyber tools (15% and 12% respectively).

Commenting on the findings, Dan Turner, CEO of Deep Secure said: “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016.

“Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he added.