Archive for February, 2011

What risks are employees taking with information?

Toward the end of 2010, Symantec surveyed more than 3,000 workers in North America and Europe about the risks they take with information in the workplace. The results paint a troubling picture that shows employees are ignoring risks posed by being careless with company data.

Employees tend to be risk takers with 46% taking risks “when appropriate” and 21% admitting that they “like to take risks.” While 60% of workers surveyed said they were more cautious with their online behavior at work than at home, this did not prevent 54% of them from removing information from company systems without permission.

They know they shouldn’t remove corporate data from the workplace, but they do it anyway, either because they regard company security policies as a hindrance to their jobs or because they believe they can get away with it as long as they’re careful. In the simplest terms, employees believe it’s okay to do the wrong thing as long as it’s for the right reasons.

The Well-Meaning Insider: Who, Why and How

At a time when many organizations are being bombarded from every side, they sometimes forget about the inside. Because so much has been said about the dangers posed by malicious outsiders and by insiders intent on wreaking havoc and reaping money, the non-malicious insider threat receives comparatively little attention.

I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here (registration required).

The well-meaning insider represents a weak link in the security posture of many organizations, and few employees seem to realize the critical role they themselves play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department alone is responsible for information confidentiality. To fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security controls have to be tailored to their particular characteristics.

Visibility into IT Risks Drives “Information Anywhere”

Eight in ten organizations have poor visibility into their IT risk, taking three to nine months or longer to classify their IT risk levels, according to research from the IT Policy Compliance Group. That’s an alarming figure. But what does better “visibility into IT risks” really mean?

Visibility into IT risks is about managing the business risk related to the use of IT. Clearly, the convenience and business value of “information anywhere” comes with risks. And, while companies want to support technologies that make it possible for employees to get the job done, they must carefully monitor and manage business risks related to the use of information and IT.

Visibility into IT risks starts with identifying critical business processes, figuring out which IT assets support those processes, and checking whether those assets are properly patched and configured. Organizations that have a handle on this can quickly identify what their IT risks are and which ones need to be fixed first.
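To make the three steps above concrete, here is an added example (not code from the original post or from any vendor product) that maps constructed business processes to the assets they run on, scores each asset from its patch and configuration findings, and rolls that up by process criticality to produce a fix-first list. The host names, processes, findings, the 1-to-5 criticality scale and the scoring weights are all assumptions. It also reports two visibility gaps that the prioritization alone would hide: assets in the inventory that no process claims, and assets a process depends on that were never inventoried or checked.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    """One IT asset with the results of a patch and configuration check."""
    name: str
    missing_patches: int            # applicable patches not yet installed
    config_findings: list[str]      # deviations from the hardening baseline


@dataclass
class BusinessProcess:
    """A business process, its owner-assigned criticality and the assets it runs on."""
    name: str
    criticality: int                # 1 (low) .. 5 (critical); hypothetical scale
    assets: list[str]


# Constructed sample data; hosts, processes and findings are invented for this example.
PROCESSES = [
    BusinessProcess("payroll", 5, ["hr-db-01", "web-portal"]),
    BusinessProcess("intranet-wiki", 2, ["wiki-01"]),
    BusinessProcess("reporting", 3, ["hr-db-01", "bi-server"]),   # bi-server is not in the inventory
]
ASSETS = [
    Asset("hr-db-01", missing_patches=1, config_findings=[]),
    Asset("web-portal", missing_patches=0, config_findings=["tls: SSLv3 enabled"]),
    Asset("wiki-01", missing_patches=2, config_findings=["ssh: PermitRootLogin yes"]),
    Asset("legacy-ftp", missing_patches=6, config_findings=[]),     # supports no known process
]

PATCH_WEIGHT = 2     # weights are assumptions, not a published scoring model
CONFIG_WEIGHT = 3


def asset_exposure(asset: Asset) -> int:
    """Technical exposure of one asset, independent of what it supports."""
    return PATCH_WEIGHT * asset.missing_patches + CONFIG_WEIGHT * len(asset.config_findings)


def dependents(processes):
    """Map asset name -> list of processes that depend on it."""
    dep = defaultdict(list)
    for p in processes:
        for a in p.assets:
            dep[a].append(p)
    return dep


def prioritize(processes, assets):
    """Rank assets by exposure * highest criticality of any process they support.

    Returns a list of (asset name, score, [process names]) in descending score
    order, so the top entries are what should be fixed first.
    """
    dep = dependents(processes)
    ranked = []
    for asset in assets:
        procs = dep.get(asset.name, [])
        crit = max((p.criticality for p in procs), default=0)
        ranked.append((asset.name, asset_exposure(asset) * crit, sorted(p.name for p in procs)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def visibility_gaps(processes, assets):
    """Report where the process-to-asset map is incomplete; that is itself a finding.

    'unmapped' assets are inventoried but support no known process, so they are
    weighted by criticality 0 and would otherwise fall to the bottom of the list
    despite real exposure. 'unknown' assets are named by a process but absent
    from the inventory, so they were never checked at all.
    """
    inventory = {a.name for a in assets}
    referenced = set(dependents(processes))
    return {
        "unmapped": sorted(inventory - referenced),
        "unknown": sorted(referenced - inventory),
    }


if __name__ == "__main__":
    for name, score, procs in prioritize(PROCESSES, ASSETS):
        print(f"{score:3d}  {name:12s} supports {', '.join(procs) or '-'}")
    print("gaps:", visibility_gaps(PROCESSES, ASSETS))
```

Running it ranks the SSLv3-enabled payroll portal first, even though the wiki host has more raw findings, because criticality multiplies exposure; and it flags legacy-ftp (six missing patches, no owner) and bi-server (never inventoried) as the gaps to close before trusting the ranking.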