Corporate hacking - can employers stop their employees?

By: Jeanine Haenel

Technological progress is like an ax in the hands of a pathological criminal. -Albert Einstein

Corporate hacking is much more prevalent today than it was 10 years ago. The abilities of even the "average" person have increased, and they are able to get information that they may not have had before. Companies are cautious about whom they hire and trust. They now have to hire not only on the skills and experience of the potential employee, but must also consider their psychological and criminal history. But how do they get this information easily and ethically?

The 2011 article "Methods for evaluating and effectively managing the security behavior of employees" by Hu, Xu, Dinev, and Ling states, "The 2008 CSI Computer Crime and Security Survey shows that 44% of respondents reported insider abuse of computer systems, making it the second most frequent form of security breach, only slightly behind virus incidents (49%), but well above the 29% of respondents who reported unauthorized access from external sources." By taking extra precautions about who is allowed to access their confidential information, corporations can certainly control some of the potential abuse they would otherwise have to rectify later on.

In a survey of IT managers of global companies, 60% of the respondents said employee misconduct involving information systems is a top concern. Employee information security policy violations vary widely because the motives, forms, and targets are different with each employee. An information security policy violation is defined as any act by an employee, using computers, that is against the established rules and policies of an organization and is committed for personal gain. Individuals with low self-control are more likely to give in to the temptation. This is because low self-control leads to higher levels of perceived extrinsic benefits and perceived intrinsic benefits, which in turn strongly influence the intention to commit policy violations.

Employers previously thought that deterrence would be effective; however, the results of this study suggest it may not be enough. So, what can an employer do? There are two options they may follow: lowering the perceived benefits of committing the violations, and screening applicants so that those with a high level of self-control and strong moral beliefs fill sensitive positions. To lower the perceived benefits, companies can take a number of proactive actions to reduce the perceived value of the data assets in the corporate information systems. To screen applicants, employers can use psychometric instruments to ensure that only those who are strong on self-control and have high morals are assigned to sensitive positions.

Employers must use caution when using the results of this study. The findings are based on a data sample from a population with a unique Eastern culture, where the concept of following rules and policies may be very different from that in Western cultures. Finally, the small number of organizations where the surveys were administered could bias the data as well. A follow-up would be to replicate this study in multiple countries with various cultures, using random samples that cover a large number of organizations.

References
Technology Quotes. (n.d.). Quoteland.com - Quotations on Every Topic, by Every Author, and in Every Fashion Possible. Retrieved February 10, 2012, from http://www.quoteland.com/topic/Technology-Quotes/141/

Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Methods for evaluating and effectively managing the security behavior of employees. Communications of the ACM, 54(6), 54-60. doi: 10.1145/1953122.195314

4 comments:

DPETERSON said...

At the last company I worked for, I actually witnessed a significant amount of hacking. There were some initial employees who were "supervisors" that abused their privileges and were able to take some internal data/information. The major hole in the entire system was that there were not enough security measures put in place by our outside IT firm. The company didn't want to spend the extra money, and ended up losing a lot because of it.

Chris Agui said...

Corporate hacking is very unethical. I'm in disbelief on how employees are able to do such unfavorable acts towards the company they work for. It still boggles my mind on how deceitful anyone can be. I believe companies should be cautious on who they hire.

Doug Leven said...

This is definitely a sad but true fact. Hacking inside the company can happen, but it can be prevented by seeking the advice of reputable software programmers. Time is of the essence here; don’t wait until you find your company having losses because of hacking. Protect your system while it is not too late.
Doug Leven

Ruby @ WilliamsDataManagement said...

When dealing with corporate data and important documents, the management must be sure that they'll be monitoring the employees’ access to all these files. They must place a password on every file, trusting only a few people with the passwords. You can also trust some data management services and data administrators to handle all your files and protect them against the hackers inside your office. :)