CyberArk has revealed what employees would be most likely to do if they were able to anonymously access sensitive company data including salaries, vacation time and sensitive human resources information. The findings highlight the importance of controlling access to privileged credentials that can provide insiders and external cyber attackers with broad, unfettered access to a company’s most valuable assets.
This survey, also, further reinforces the need to guard against insider threats and external cyber attackers who use exploit powerful insider credentials.
What would employees most like to access?
The research amongst 1,000 UK office workers in companies of 250+ employees found the most coveted information would be other colleagues’ salaries (26%), conversations about themselves (22%) and sensitive HR information (20%).
>See also: Insider threat detected: now what?
If employees could change any information on their company systems without being caught, just over a third (31%) would treat themselves to a pay rise and nearly one in five (19%) would reward themselves with extra holiday days.
Matt Middleton-Leal, regional VP for the UK, Ireland and Northern Europe, CyberArk, said: “Security teams have long known that one of the most effective ways for attackers to access sensitive data is to masquerade as a legitimate insider – using existing privileged credentials to roam around a network and conduct reconnaissance virtually undetected. While this survey highlights the potential mischief that employees can get up to without proper access controls, it’s also an important reminder that insiders – or cyber attackers posing as insiders – pose one of the greatest security threats to organisations today.”
In good news for UK PLC, most employees surveyed were happy in their current job. However, very unhappy employees are 2x more likely to want to spy on company information than very happy employees (61% compared to 29%).
>See also: The insider threat – are legacy systems the weakest link?
After making sure they were being fairly rewarded (33%) and searching for office gossip (27%), disgruntled employees would want to expose unethical or corrupt business (20%) and show up dishonest or lazy people in the organisation (18%).
The main reason people don’t break into company computers is a belief that it wouldn’t be morally right (40%). However, just over a quarter of people (27%) said the repercussions of being caught is a turn-off, and one in five (21%) cited their lack of technical skills. This suggests that many employees would be tempted to access or manipulate company information if they knew they could get away with it.
What employees would do if they wouldn’t get caught
More than half (51%) of all respondents said they would be prepared to go one step further and break into other companies’ systems or online accounts – but only if they knew they wouldn’t get caught.
>See also: Why insider threats are the next big security challenge
The most popular responses had personal perks at their heart, such as getting free holidays (23%), adding funds to bank accounts (23%), receiving free online shopping (20%) and writing off loans (14%). Others had more political motives, such as stopping immoral companies from operating (14%), seeing secret government intelligence (11%) or changing the law (5%).
Middleton-Leal continued: “Cyber criminals are getting more aggressive with their attacks, which are escalating more quickly than ever before – as with the WannaCry ransomware attacks. With cyber skills advancing all the time and attackers hiding behind valid credentials to avoid being noticed and caught, companies have to be more alert than ever to monitor and stop unwanted insiders in their tracks and protect their most valuable information.”