A surprising number of the people working to keep their company networks safe from hackers have actually broken into their own company's or another organization's systems themselves, according to a new report from Absolute Software Corporation.

The Canada-based information security firm polled more than 500 information technology (IT) leaders at mid-size and larger US companies, with one-third admitting they had "successfully hacked their own or another organization." The results also showed a stark contrast between young and old: 41% of IT leaders aged 18 to 44 admitted to hacking, while just 12% aged 45 and up did.

“Given that IT is the security gatekeeper for an organization, it was alarming to see such high incidents of non-compliant behavior by IT personnel,” Stephen Midgley, vice president of Global Marketing at Absolute, said in a statement. “Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring. It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies.”

Information security at most companies is a serious priority, especially as cybercrime is a $1 billion business in itself. Just this week, a Los Angeles hospital had to pay a $17,000 ransom to gain back control of its systems after they were infected with malicious software.

A cybersecurity expert monitors telecommunications traffic at a network operations center in a Verizon facility in Ashburn, Virginia, July 15, 2014. REUTERS/Jonathan Ernst

But the report from Absolute found that outside hackers are not the #1 fear. It's employees who already have inside access, or what is called the "insider threat." It's a consistent problem, backed up by an even larger survey that found "careless or unaware employees" were a company's top vulnerability.

To mitigate this, many companies require people to use stronger passwords, and conduct regular training on staying safe from "phishing" attempts — when hackers send files to a user that will load malware onto their systems.

But as this report shows, there's still plenty of work to be done.
