Monday, February 11, 2013

Laughing out the door: half of employees admit to stealing corporate data

Do you worry about the information, data, and other property your employees are taking with them after a resignation or termination? If you’re not worried, the results of a recent survey conducted by Symantec suggest that you should be.

According to the survey, half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent plan to use it in their new jobs. The results are jarring:

  • 62 percent of employees believe that it is acceptable to transfer work documents to personal computers, tablets, smartphones, or into the cloud, and most never delete the data they’ve moved.
  • 56 percent see nothing wrong with using a competitor’s trade secrets.
  • Given the example of a software developer who develops source code for a company, 44 percent believe the employee has some ownership in the work and inventions.
  • 51 percent think it is acceptable to take corporate data because their company does not strictly enforce policies.

Based on these results, Symantec makes the following three recommendations for companies hoping to shore up their data:

  • Employee education: Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training.

  • Enforce non-disclosure agreements (NDAs): In almost half of insider theft cases, the organization had IP agreements with the employee, which indicates the existence of a policy alone—without employee comprehension and effective enforcement—is ineffective¹. Include stronger, more specific language in employment agreements and ensure exit interviews include focused conversations around employees' continued responsibility to protect confidential information and return all company information and property (wherever stored). Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences to them and their future employer.

  • Monitoring technology: Implement a data protection policy that monitors inappropriate access and use of IP and automatically notifies employees of violations, which increases security awareness and deters theft.

Of these three, the enforcement of agreements and other legal rights against the theft of confidential information and other corporate data is the most effective. Companies do not like litigation—it’s expensive, time-consuming, and uncertain. Yet, when your intellectual and other property is involved, you have no choice. There exists no greater deterrent to copycat misconduct in the future than putting a thief through the legal wringer. Your employees will know that your agreements have teeth and that you will go to the mat to enforce them. The hopeful result is that they will think twice about walking out the door with even a promotional pamphlet, keeping your corporate information and other property secure.