Businesses spending money guarding against industrial espionage might have the wrong target in their sights.

A recent poll by security company Sophos has revealed that internal employee fraud is one of the growing threats to organisations, with 18 percent of businesses claiming that employee fraud was a major concern. In contrast, physical break-in and corporate espionage received just seven and five percent of the vote respectively. Top of their concerns, however, were viruses and hackers, cited by 70 percent of employers.

Sophos also found that a worrying 41 percent of the 533 business PC users surveyed admitted to using the same password across multiple websites. A further 45 percent said they rotated a handful of passwords, while only 14 percent used a unique password for every website they accessed.

Speaking at the InfoSecurity 2006 conference, Graham Cluley, senior technology consultant at Sophos, cited some basic guidelines that PC users needed to be educated about: "Not to use a password that’s from the dictionary - which is easy for a hacking program to crack - not to use one that contains only letters and definitely not to use the same password across different websites."

"Company defences are only as strong as the weakest link in the chain - which can often be the users. If users decide to make their password the name of their girlfriend, favourite football team, or pet goldfish then they are risking business data. Similarly, they need to be educated not to choose dictionary words which are easy for a hacking program to crack," added Cluley.
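The three rules Cluley lists (no dictionary words, no letters-only passwords, no reuse across sites) can be turned into a concrete check, and the "easy for a hacking program to crack" claim can be shown directly. The following Python is an added illustration written for this page, not Sophos's or Cluley's code. The seven-word wordlist, the mangling rules, the two "other site" credential records and the choice of PBKDF2-SHA256 for those records are all assumptions made for the example; a real check would use a full dictionary plus leaked-password lists, and the reuse check can only be run by a party that holds the user's other credentials (a password manager or single sign-on system), not by an individual website.

```python
import hashlib
import hmac
import os
import re

# Constructed sample wordlist for the example only; a real check uses a full
# dictionary plus leaked-password lists with hundreds of millions of entries.
WORDLIST = {"password", "goldfish", "arsenal", "chelsea", "jessica", "letmein", "dragon"}

# The mangling rules a cracking tool tries first: case changes and short suffixes.
CASES = (str.lower, str.capitalize, str.upper)
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123"]
LEET = str.maketrans("@$013", "asoie")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def normalise(candidate: str) -> str:
    """Undo common mangling so that 'G0ldf1sh123!' becomes 'goldfish'."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())  # drop trailing digits/symbols
    return stripped.translate(LEET)                          # undo simple leetspeak


def is_dictionary_word(candidate: str, wordlist=WORDLIST) -> bool:
    return normalise(candidate) in wordlist


def mangle(word: str):
    """Yield the case/suffix variants of one word, in the order a cracker would try them."""
    for case in CASES:
        for suffix in SUFFIXES:
            yield case(word) + suffix


def dictionary_attack(target_hex: str, wordlist=WORDLIST):
    """Offline guessing against an unsalted SHA-256 hash (the weakest realistic storage).
    Returns (password, guesses_needed) on success, or (None, guesses_tried) on failure."""
    guesses = 0
    for word in sorted(wordlist):
        for guess in mangle(word):
            guesses += 1
            if sha256_hex(guess) == target_hex:
                return guess, guesses
    return None, guesses


def enrol(password: str, iterations: int = 50_000):
    """Salted PBKDF2-SHA256 record as a site might store it (assumed scheme); one salt per record."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def reused_on(candidate: str, store, iterations: int = 50_000):
    """Names of sites in `store` whose stored record verifies against `candidate`.
    Because each record has its own salt, reuse can only be detected by re-deriving
    the hash per site, which is why only a password manager or SSO can do this."""
    hits = []
    for site, (salt, digest) in store.items():
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        if hmac.compare_digest(probe, digest):
            hits.append(site)
    return hits


# Constructed 'other site' records for the example; not real credentials.
OTHER_SITES = {"webmail": enrol("kQ7!vb2Lzp%9"), "forum": enrol("arsenal1")}


def check_policy(candidate: str, store=OTHER_SITES):
    """Apply the three rules from the quoted guidance; returns a list of violations."""
    problems = []
    if is_dictionary_word(candidate):
        problems.append("dictionary word (after undoing common mangling)")
    if candidate.isalpha():
        problems.append("letters only")
    hits = reused_on(candidate, store)
    if hits:
        problems.append("already used on: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for pw in ("goldfish", "G0ldf1sh123!", "arsenal1", "V4#mq9Lx!pr2"):
        print(f"{pw!r}: {check_policy(pw) or 'ok'}")
    # The pet-goldfish password from the quote falls in about a thousand guesses.
    print("cracked:", dictionary_attack(sha256_hex("Goldfish7")))
```

The attack half deliberately assumes unsalted SHA-256 on the defender's side so the point about dictionary words is visible in a few lines; with a slow salted KDF each guess costs more, but the guess count for a mangled dictionary word stays in the thousands, which is why the policy check matters regardless of how the site stores hashes.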

The Sophos findings are echoed by research from the UK's financial fraud prevention service CIFAS, which has published a paper outlining why employee fraud within the business is emerging as a serious issue and how it is linked to organised crime. CIFAS has also published a list of warning indicators for employers, which can be found on its website.