IEyeNews


Rise in Shadow IT, Password sales disconnect with employee breach concerns: Survey


By Ricci Dipshan, from Legaltech News

Employees’ increasingly risky behavior at the office has led some to ask if data breaches are becoming a self-fulfilling prophecy.

When it comes to data security, knowledge and good intentions are falling short. Employees in organizations across the Western world may worry about the danger of breaches, but their behavior is exacerbating the problem, according to SailPoint’s Market Pulse Survey.

Data breaches no longer affect only companies: one-third of those surveyed said they had experienced a breach of their personal information over the past year. Employees in the U.S. experienced the most breaches, with 44 percent affected, compared to 37 percent in France and 28 percent in the UK.

In all countries but the Netherlands, at least 85 percent of employees said they would react negatively to a data breach, with 22 percent ceasing to do business with an affected company entirely and 78 percent wanting to learn more information about the breach first. A similar share, 84 percent, expressed worry that their personal information was being shared by corporations.

 Yet the seriousness with which employees view data security did not translate into tangible action or caution at the workplace. In fact, employees have become more lax with data access since 2014. 

Around two-thirds of employees used only one password for all their applications in 2015, a rise of 16 percent. And one-third admitted to sharing passwords with co-workers, a rise of 62 percent since the previous year.

For the report, the company interviewed 1,000 office workers across the U.S., UK, Australia, France, and the Netherlands who worked at large private organizations. Six hundred of those surveyed were from Europe, with the rest from the U.S.

In a statement provided to Legaltech News, SailPoint chief marketing officer Juliette Rizkallah said, “It’s become an expectation on the part of employees that their personal data remain safe, but many don’t draw a correlation between their activities and the security of company data, which includes employee data as well as that of customers and partners. As a result, employees are practicing security incredibly ineffectively, unintentionally leaving organizations exposed. …The disheartening news stemming from survey results this year shows that the problem seems to be worsening versus improving over time.”

 What’s perhaps most troubling, however, is that 20 percent of employees said they would sell their passwords to external third parties in 2015, up from 14 percent in 2014.

The most willing employees are those in the U.S.: 27 percent would make money off potential business data access, compared to 20 percent in Denmark and 16 percent in the UK and France. Of those who would sell their passwords, 44 percent would do so for less than $1,000.

But U.S. employees are more likely than their European counterparts to hold out for a higher price, as only 40 percent would sell for less than $1,000 compared to 50 percent or more in France or the UK. American workers were second only to those in the Netherlands in their unwillingness to sell passwords for what they view as a nominal price.

Interestingly, employees in the U.S. and the Netherlands also had access to their passwords and company data for a lot longer than those in other countries. At least 45 percent could access corporate accounts and data after termination, almost double the share who could do the same in Australia.

Rizkallah noted the survey did not seek to discover how employees sell their passwords, but instead to “demonstrate a person’s threshold for considering selling their password. We also see it as a demonstration of the prevalent lack of understanding when it comes to what a hacker can do with that password, since many respondents did go on to say that they would simply change their password once they received the money – meaning that their intentions are not fully malicious, but simply misguided. However, there are definitely channels on the dark web that allow users to sell their password without any trace, and without any contact with the purchaser.”

To be sure, employees do not bear all of the responsibility for poor data security at organizations. While the number of employees downloading shadow IT SaaS programs rose 55 percent to encompass around one-third of the workforce in 2015, and while an average of 70 percent of employees uploaded sensitive data to the cloud during the year, poor security protocols are as much an IT department’s failing as they are a shortcoming in employee behavior.

All parts of a company, said Rizkallah, have to be on the same page when it comes to data security to ensure complete protection. “The commonality across almost every breach is hackers are now targeting the weakest link in the security infrastructure: people. Ultimately, in order for companies to truly manage and secure the identity data, end users must be involved in security processes in a more prominent way.”

 “It is our belief that employee education goes beyond educating on corporate policy in a way that makes each individual act as a shepherd of the company’s data, treating it in the same way they clearly expect companies to treat their own information — think of it as the ‘golden rule’ for corporate data. Just as organizations need to be committed to ensuring the proper security policies and IT controls are in place, it’s imperative that employees understand the implications of how they practice those policies,” she said.

For more on this story go to: http://www.legaltechnews.com/id=1202752694004/Rise-in-Shadow-IT-Password-Sales-Disconnect-with-Employee-Breach-Concerns-Survey#ixzz43eAZJOWy
