December 17, 2014 By Jaikumar Vijayan 3 min read

The recent massive data breaches at Sony, Target, Home Depot and other major brands appear to have convinced many IT executives that external attackers pose a bigger threat to enterprise data than insiders with privileged access to corporate networks and systems. However, a new survey by identity and access management vendor SailPoint suggests it may be premature to diminish the risk posed by insiders just yet.

Survey Shows Risky Behavior

The report by independent research firm Vanson Bourne to study employee attitudes toward corporate data and found that cloud applications have actually increased risky behavior by employees at many companies.

The research firm polled about 1,000 office workers at medium-sized companies in the United States, United Kingdom, France and three other countries for the survey. About 20 percent of the respondents said they had uploaded corporate data to cloud applications such as Dropbox and Google Docs without corporate’s blessing for the purpose of using and sharing the data outside of work.

Some 25 percent of U.S. respondents said they had purchased and were using applications such as Concur, Workday, Dropbox and DocuSign at work without any IT help or knowledge. A stunning 69 percent said they would be able to access corporate data stored in the cloud even after they left their company, while more than 1 in 4 admitted to taking corporate data with them when they left a company.

Security Awareness

The survey showed that employees engaged in such behavior despite being clearly aware of corporate policies pertaining to data usage and protection. For example, though more than 60 percent of respondents said they were aware that their employer strictly forbade them from taking intellectual property when leaving the company, 25 percent did so anyway.

The insider threat issue is certainly not new. Security experts have long cautioned about the threat posed to corporate data from employees, partners, suppliers and others with privileged access to business systems. Organizations such as the U.S. Computer Emergency Response Team describe an insider threat as a situation where a current or former employee, contractor or anyone with authorized access to an organization’s network intentionally misuses that access to compromise the confidentiality or integrity of corporate data or computer systems.

However, in addition to intentional sabotage and damage, insiders can also compromise data security and privacy through careless or negligent actions — often through accidental misuse of corporate data.

Cloud Apps Heighten Risk

The SailPoint report does not distinguish between the two threats. Instead, it shows that the growing tendency among employees to purchase and use consumer cloud apps for storing and sharing corporate data without involving IT departments has caused new risks for enterprises.

“The survey results are an eye-opener of how cloud applications have made it easy for employees to take information with them when they leave a company,” said Kevin Cunningham, founder and president of SailPoint, in a prepared statement accompanying the report.

Another recent report by the Ponemon Institute showed that a lack of control over who has access to confidential and sensitive information often exacerbates the insider threat problem. The survey of over 2,200 employees in both U.S. and European organizations found that many employees who work in areas such as sales, financing and accounting often have too much access to intellectual property, customer lists, contact information and other valuable corporate data.

More than 70 percent of those polled said they had access to corporate data to which they should not have access. About 55 percent described that access as “frequent” and “very frequent.” Unsurprisingly, respondents in the survey believed that IT security controls and data oversight at their organizations were weak, with 4 in 5 IT practitioners concurring and admitting their organizations did not enforce a strict least-privilege data security model.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today