A survey of 2,226 people commissioned by Microsoft has found that 22% of UK employees admit to having illegally accessed sensitive internal information, such as salary details, on their employer’s IT systems, and over half (54%) would do so given the opportunity.

The research by YouGov, commissioned by Microsoft, highlights the challenge facing IT, HR and finance departments in protecting confidential information from unauthorised employees. When asked what type of information would tempt them most, respondents said that HR and payroll information was the most popular target (36%), followed by their manager’s personal notes (28%) and their colleagues’ personal notes (25%). If presented with the opportunity, 6% said they would steal a colleague’s password.

It seems that men tend to be more dishonest than their female colleagues, with 27% of men, compared to 16% of women, admitting to having stolen confidential information. Workers in London and Scotland (25%) were the most likely to offend, with the most honest workers living in the Midlands (18%).

“The results of this survey were surprising,” commented Annemarie Duffy, infrastructure server marketing team lead at Microsoft UK. “Not only are more than half of all UK employees prepared to snoop on confidential data, nearly a quarter have actually already done so. Particularly worrying is how vulnerable HR and payroll information has become. HR departments typically hold information that could be damaging for business and individuals if in the wrong hands. Details of salary, bank accounts, health records, National Insurance numbers, home address, family members could all be taken by a determined internal snooper or identity thief.”

The issue isn’t confined to the four walls of a business and its current employees; the survey also highlighted an external risk, with 33% of respondents admitting that they would access documents, files, customer details and old accounts from previous employers if they still had access. This shows how important it is for organisations to control their users’ accounts and to have processes in place to lock down accounts when employees leave.

“Many organisations may already have the tools to resolve this issue but aren’t making the most of them,” said Duffy. “Companies need to ensure they are maximizing the service of their existing servers. For example, the implementation of a directory service, such as Active Directory, which ships as an integral part of Windows Server 2003, making it easier for the IT department to manage users’ identities and their access to information. The set-up of a directory service should be the first step for any organisation wanting to manage identities and secure access to information.”

“Organisations have statutory as well as moral obligations to all their stakeholders to protect this sort of information,” said Hugh Simpson-Wells at Identity and Access Management consultancy Oxford Computer Group. “Solutions are available for any size of business that are not only technically sound, but are accessible and affordable, and support flexible business processes for securing this kind of data. Failure to provide such systems not only risks prosecution under the Data Protection Act but invites destructive and divisive internal espionage -- and is just plain inefficient.”

Jim Stirling