Stuttgart – Companies in Germany are too complacent about compliance, IT security and the threat of data misuse by their own employees. That is the conclusion of a study by CMS Hasche Sigle and Kroll Ontrack, the market leader in data recovery and computer forensics. Although the survey reveals that some 87% of companies have policies in place on using the Internet and e-mail at work, more than 75% do not check regularly for violations. Only about half of the companies have compliance programmes to monitor legal requirements and company guidelines. 52% of companies have not yet established a compliance programme. A total of 118 personnel managers from German companies took part in the survey, responding to questions on data theft, computer misuse and employee misconduct from a technical and legal viewpoint.
"The survey suggests that companies still lack awareness about the growing risk of data theft and computer misuse," says Dr Antje-Kathrin Uhl, partner at CMS Hasche Sigle. "For their own protection, they should be familiar with the various legal and technical options available and take appropriate steps before problems occur."
"Companies run a very real risk of becoming a victim of computer crime," comments Reinhold Kern, Director of Computer Forensics at Kroll Ontrack. "Criminal statistics for 2009 show almost 75,000 cases and an upward trend. Theft, sabotage and manipulation of data often take place from within the organisation. Our study reveals a need for companies to protect themselves more effectively against employee misconduct."
The survey shows that 87% of companies have laid down policies on use of the Internet and e-mail, with 88% blocking certain websites, e.g. X-rated. Significantly, though, a large majority of companies (77%) do not monitor compliance with these policies.
In the absence of compliance checks, such policies remain a blunt instrument. Many companies tolerate private use of the Internet. When employees' private surfing becomes excessive or exposes confidential information, a usage policy provides a basis for action only if compliance with it has been regularly monitored.
The study also reveals considerable room for improvement with regard to compliance. Roughly half of the companies surveyed (48%) do not have compliance programmes in place for sales and competition or HR. Accordingly, only 46% of the companies have a Compliance Officer to monitor a programme of this type.
Companies are thus exposing themselves to considerable risks. Compliance programmes aim to ensure that an enterprise meets all relevant legal requirements, such as regulations on occupational safety and data protection. A company that breaches these requirements faces hefty fines, and in some cases those responsible will be personally liable. A compliance programme provides protection for the company in this respect.
The surveyed companies are likewise inadequately equipped to deal with specific instances of illegal conduct on the part of employees. Only 37% of the companies have a whistleblowing hotline through which employees can report misconduct (anonymously if desired). Fewer than half of the surveyed companies (44%) have set up an emergency plan or escalation procedure for cases where illegal actions are suspected.
In summary, the study finds significant gaps and omissions in protection against data misuse within German companies. Businesses underestimate the risks associated with private Internet use, the possibility of data theft, and the threats arising from staff's routine access to corporate networks.
Companies should take a series of measures to combat these risks effectively. Foremost among these are guidelines and policies on Internet use and handling sensitive data – backed by regular monitoring. Companies in Germany also need to give compliance a higher priority. Any compliance programme must also be carefully tailored to particularly sensitive areas of the enterprise. In-depth knowledge of the technical and legal requirements will help companies to implement effective measures.
To find out more about Kroll Ontrack, visit www.krollontrack.de.