A workplace behavior survey by Gurucul has found that a quarter of IT security professionals would steal information from their company if doing so might help further their career.
The survey was conducted at the 2019 Black Hat USA Conference in the form of a questionnaire. When asked "Would you take company information to help you apply for a more senior role at a competitor?" 24% of the 476 respondents answered yes.
Interestingly, the respondents who admitted that they would steal company information were happy to do so on the mere promise that it might help their career progression. Perhaps a higher number of respondents would have said yes if the proposed theft was guaranteed to give them a leg up on the career ladder.
Despite one in four respondents apparently being one step away from making off with company data, the department in their company that those surveyed considered to be most at risk from fraud was the finance department.
The survey also asked respondents about their internet use and found that 44% of respondents spend at least an hour a day at work surfing the web for non-work-related activities. More than a quarter (28%) spend at least two hours a day visiting sites that aren’t related to their jobs.
Which sites are IT security professionals visiting on the sly while at work? Social media tops the list at 32%. More than 10% of people admitted to looking for a new job while at work, while 19% said they explored possible vacations.
Asked to consider external threats, 76% of respondents said they had tightened up third-party access to their systems in light of recent third-party breaches. The third-party vendors that respondents most expected to find in the library with the lead pipe along with a blushing Miss Scarlet were managed service providers (MSPs).
The survey found 34% of respondents were most concerned about third-party access by MSPs, while 30% had a similarly bad feeling about developers.
Commenting on how close an eye companies should keep on their employees, Saryu Nayyar, CEO of Gurucul, said: “Companies should draw the line at monitoring activity and access logs, not people. Identify threats with behavior-based security analytics. Don’t try to watch what every person is doing at all times to root out the malicious insiders. True threats will surface with the right technology, and users won’t feel like it’s 'Big Brother' if it’s analytics – just a bunch of numbers!”