A new report highlights that employees' carelessness when it comes to corporate security is leading to major security problems.

Culture of Carelessness
Culture of Carelessness: 27% of people admits to having lost up to three work devices, half of them while out drinking.

UK workers don't seem to have much repect for the mobile devices they use for work - or the information stored on them.

According to a report from security firm Trend Micro, more than a quarter (27%) have had up to three devices lost or stolen, with 52% of those losses taking place when out drinking.

The report was carried out to assess how people behave and how responsible they are when it comes to the security of devices like smartphones and tablets given to them by work.


The results show a "careless attitude by Britons to work devices and corporate data" the report says. The difference in attitude between work and personal devices/data is highlighted by the fact that just one in 10 people had a personal device lost or stolen.

Rik Ferguson, global vice-president of security research at Trend Micro said: "This survey shows a worrying attitude of carelessness towards work devices and an ignorance of the full impact of losing data without the correct security measures being put in place."

Only 3% of the respondents said they were concerned by the loss or theft of corporate data and this strikes at the heart of the problems facing corporations theses days.

People fail first

While companies may invest millions in antivirus software and IT security hardware, cyber-criminals will always look for the weakest link in the security chain in order to get at the informaiton they are looking for.

That weakest link is typical an employee.

Speaking at the publication of the report, Peter Wood, CEO of First Base Technologies said that when his company ran tests to assess the security of a company "it is people that fail first."

Security evangelist

Wood spoke about the lack of understanding of the risk involved with information security these days, and that he knew of one company with a global turnover of £3 billion who had just a single people taking care of all its IT security.

Wood says that one solution to this laissez-faire attitude to cyber-security would be the creation of a role of a 'Security Evangelist'.

"Their job is to go around, all the time, every day, and inspire people to follow whatever the organisation has determined is good practice. To take feedback where that so-called good practice doesn't work, and to feed that back as an ambassador."

No excuses

The problems extend from the very bottom to the very top, and Wood beleive that the exmaple should be set at the senior executive level, something which is not always done:

"I think there is no excuse for a C-Suite individual to say: 'Well, I'm not interested in IT. I just want it done for me.' I think that is irresponsible for someone who is driving a large corporation. Take some personal responsibility for understanding [the problems] so that it becomes easier for their staff to advise them on best practice."

The problem is also one of compliance and regulation, as most major companies see data breach fines so negligible that most big companies are happier to pay them than make the necessary changes, which would cost much more money.


This attitude could soon lead companies into much bigger problems however, it new EU legislation comes into force.

Vinod Bange, partner at international law firm Taylor Wessing says that things are beginning to change in the UK: "We're seeing the importance of [data protection] elevating, or has been elevated, in the last few years."

He thanks the UK government, (or specifically HMRC) for this, following the loss of two CDs in 2007 containing the personal details of all families in the United Kingdom claiming child benefit - of which take-up in the UK is near 100%.

"That raised the whole awareness level. The fact the information commissioner obtained increased powers to issue a monetary penalty up to £500,000, suddenly there is more risk to be aware of as far as organisations are concerned."


The situation is even better in Europe, with regulators there "even more proactive" when it comes to dishing out fines, according to Bange.

The European Union (EU) is also making interesting move in relation to legislation in this area. It is currently debating new regulations on data protection which could impose much heavier levy on companies, which could have a big impact on the bottom line of organisations:

"Under this regulation a breach of data security could lead to a fine in what I am referring to as the third tier, which is up to 2% of a company's global annual turnover - that is a serious figure," Bange says


Another issue which is being addressed at a European level is the reporting of data breaches, which is currently limited to certain companies in certain sectors.

Just this week we have seen reports of an Australian dating website which had the details of 42 million of its worldwide customers stolen and exposed to online criminals. The breach happened over 10 months ago, but was only reported this week when the theft was spotted by security researcher Brian Krebs.

While legislation may tell a company what data it need to keep safe, there is no set of rules in place to say how this should happen.

"[Legislation] tells you to keep data secure but does't tell you what you are supposed to be doing to change that," Bange said.

Fog of fear

There are some key aspects of compliance which are being proposed at the moment by the EU and if passed these will help explain exactly what UK companies need to do to protect customer data.

When asked what these companies can do to begin to address the problems highlighted in this report, Wood said that the first step need to be for companies to "understand what the real risks are."

Wood adds that there is "a general fog of fear" within companies where companies become obsessed with certain threats, such as DDoS attacks, when that company may never become the victim of such an attack.

"People running a £3bn turnover company really ought to be a bit better educated than that."