HMRC is not alone in failing to protect confidential information.
Navigant Consulting warns that employees’ work habits and lack of awareness about security are increasingly putting companies’ and organisations’ confidential information at risk from opportunistic identity thieves. Andrew Durant, managing director in Navigant Consulting’s Fraud Investigations team, urges employers to make sure that basic measures are in place rather than obsess about complicated IT security.
“Our survey shows that 17 per cent of the British work force now uses a company laptop at home – that’s nearly five million people – and indicates that working from home is an established working practice rather than a trend,” says Andrew Durant. “Yet only 25 per cent of these said that their laptops are encrypted to protect the confidential information they contain”.
“In addition, more than 11 million employees – 39 per cent of workers and/or their colleagues – save data onto a PDA, thumb-drive, CD, or other device, to work from home. It is unrealistic to expect employees to stop using technology to work more flexibly, and frankly reckless for companies not to put measures in place to protect their confidential information in view of this change in working habits.
“Information security is a complex and expensive area, and I can understand why businesses want to bury their heads in the sand. But most frauds perpetrated using stolen confidential information can be prevented by taking some simple, common sense measures,” claims Durant.
In the first half of 2007 reported stolen data included:
“Companies should have a policy regarding what information should and shouldn’t be stored on laptops and other devices and communicate this clearly to staff. Many employees will be unaware that information is confidential or could be used to perpetrate a fraud against the company or individuals connected to it.
“Laptop hard drives should be encrypted so that data is protected if it is stolen or mislaid. This can equally apply to specific files that contain sensitive data stored on a server to prevent them being copied or read by unauthorised people. Companies can also prevent electronic data containing confidential information from being stored locally on an individual’s PC or laptop, instead forcing them to be stored centrally – this greatly reduces the threat if a computer were lost or stolen,” advises Durant.
Other work practices which are considered risky include employees sending documents containing confidential information to their own or other people’s personal web mail accounts such as Yahoo! or Hotmail for work reasons – 15 per cent of British workers, approximately 4.3 million people, admit to doing this; and allowing company laptops to be used by friends and family. As many as 29 per cent of employees who use a company laptop at home are happy to let others use their work laptops – more women than men are content to let this happen (37% and 25% respectively).
“Both of these practices illustrate how organizations are losing control of their confidential information as data flows out of the organization and into the hands of individuals who may have no relationship or loyalty to the owner of the information,” says Durant.
Basic security is also failing in the workplace, according to Durant: “Identity fraudsters and organised criminals place bogus employees, and bribe temporary staff or even disillusioned employees to steal information from the inside.
“Yet 23 per cent of British employees know other employees’ computer passwords; 14 per cent claim that colleagues know their password; four per cent write their password down; four per cent all use the same password and five per cent don’t have one at all. It would be child’s play for a fraudster to sit down at a colleague’s computer and access confidential information if there wasn’t a system of restricted access in place or data encryption that would prevent an unauthorised person from gaining admission to computer files.
“This practice also negates the value of audit logs as it would direct an investigation towards an innocent person.”