Around 40 per cent of staff in British and American corporations have access to sensitive data that they don’t need to complete their jobs, according to recent research.

In a survey commissioned by IT security firm Forcepoint of just under 900 IT professionals, 40 per cent of commercial sector respondents and 36 per cent working in the public sector said they had privileged access to sensitive data through work.

Worryingly, of that number, about a third again (38 per cent public sector and 36 per cent private) said they had access privileges despite not needing them. Overall, out of more than 1,000 respondents, just 14 per cent from the private sector thought their org was fully aware of who had the keys to their employers’ digital kingdoms.

Carried out by the US Ponemon Institute, a research agency, the survey also found that about 23 per cent of IT pros across the board reckoned that privileged access to data and systems was handed out willy-nilly, or, as Forcepoint put it in a statement, “for no apparent reason”.

Access management is a critical topic for IT security bods, especially as COVID-19-induced remote working introduces challenges for the monitoring of data access and intra-org flows.

In a finding bound to shore up frontline workers’ opinions of each other, fully half of the respondents (49 per cent public sector, 51 per cent private) expressed the view that users with elevated access privileges would browse through data “because of their curiosity”, while just over 40 per cent thought their co-workers could be “pressured” to share login credentials.

More than half thought incident-based security tools yielded false positives as well as too much data “than can be reviewed in a timely fashion”, revealing that workers think gotta-log-em-all security tools may be more of an obstacle to finding and plugging system breaches – or malicious people exfiltrating valuable data.

“To effectively understand the risk posed by insiders, it takes more than simply looking at logs and configuration changes,” said Nico Popp, chief product officer at Forcepoint, in a canned statement.

“Incident-based security tools yield too many false positives; instead IT leaders need to be able to correlate activity from multiple sources such as trouble tickets and badge records, review keystroke archives and video, and leverage user and entity behaviour analytics tools. Unfortunately, these are all areas where many organizations fall short.”