Two findings to file under ‘doh!’

Employees are playing fast and loose with IP, and they’re still using soft passwords. What are you doing to stop it?

Two pieces of information caught my eye over the last week that have to do with what I’ll politely call “security-challenged behavior” among employees.

The first is a report from Symantec this month that finds half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent plan to use it in their new jobs.

As writer John P. Mello Jr. notes in the story he wrote for CSO, the report also finds:

Half the employees in businesses regularly send work documents to their home computers using a personal account, such as Google's Gmail, according to Symantec. That can be problematic because home networks are typically less secure than those at offices. Gartner reported last year that 20 percent of consumer-grade endpoints are compromised by malware.

Fully 40 percent of employees download work files to personal mobile devices -- a tablet, for example, or smartphone -- and a third of workers move files using file-sharing apps, like Dropbox, without proper permission, according to Symantec.

"The almost ubiquitous availability of storage in the cloud has made it easier than ever to move data around, whether it's for stealing data or taking it home," Tim Matthews, Symantec's senior director for product marketing, said in an interview.

Most of the workers who move files outside the workplace, he said, don't delete the files after they've finished with them.

"Because you have unlimited storage, what we find is employees never think to delete anything or clean it up, so you end up having intellectual property just left in places."

"That will cause data leakage or IP [Intellectual Property] leakage issues down the line," Matthews said.


The second tidbit was contained in a press release I received from Trustwave offering me a copy of their 2013 Global Security Report. Among its highlights, the press release claims the report finds “50 percent of users, especially employees, are still using easily-guessed passwords, the most common being Password1.”

The fact that so many people are still using easily-guessed passwords surprises me not because I expect the average employee to be much more security savvy these days, but because I thought organizations had made strides in policy and software that require employees to use strong passwords – and to change them frequently. The 50 percent estimate, if accurate, shocks me.

Who bears the onus for making strong passwords standard policy within an organization? Who is responsible for policy and enforcement that stems the flow of IP out the door, particularly IP that can be used elsewhere when employees leave their jobs for new opportunities?


The Symantec research goes on to say organizations are failing to create a culture of security.

“Only 38 percent of employees say their manager views data protection as a business priority, and 51 percent think it is acceptable to take corporate data because their company does not strictly enforce policies,” according to a summary of the report.

What are you doing within your organization to address some of these challenges? Are you educating employees about ownership of IP? Have you asked them to sign non-disclosure agreements with clear language about protecting confidential information, even after leaving the company? Have you implemented technology that addresses passwords - and requires each employee to have a strong password that is changed regularly? Or have you invested in technology that monitors inappropriate access and use of IP and notifies employees of violations?

What is working, and what hasn’t, in your organization to raise security awareness and deter theft? Comment or email me at jgoodchild@cxo.com with your thoughts.

Copyright © 2013 IDG Communications, Inc.
