More than half of ex-employees admit to stealing company data

26 February, 2009
By Vanessa Ho

A recent survey conducted by the Ponemon Institute and Symantec of nearly 1,000 adult participants located in the United States who left an employer (whether quit, fired or laid off) within the past 12 months noted that 59 per cent of ex-employees admitted to stealing confidential company information, such as customer contact lists.
"Does the economic downturn have an effect on data privacy and security?" asked Mike Spinney, senior privacy analyst with Ponemon Institute. "We worked with Symantec to investigate this with clarity and came out with surprising results."
For example, while 59 per cent of respondents admitted to stealing confidential company information, 79 per cent of individuals who took that information knew full well it was a violation of company policy.
"It is disappointing to see fellow human beings reacting to the economy and potential job loss by mitigating personal risk by taking customer data or something with company information [in order] to make them more attractive to another company or give them a competitive edge if they start their own business," Spinney noted.
Of respondents who admitted to taking company data, 61 per cent also reported having an unfavorable view of their former employer. Spinney believed these employees took sensitive information out of a grudge and to show their former employers that they were making a mistake in letting them go. However, among employees who left with a positive view of their former company, only 28 per cent took company data. The most commonly identified kinds of records taken included e-mail lists, employee records, customer information including contact lists and non-financial information.
Spinney said those employees with positive feelings who took confidential data may not have been clear on company policy or felt that they owned that information because they had a key role in managing that database, for instance.
Although respondents were spread across many different industries, the highest percentage of survey responses came from the financial services industry followed by communications services, government organizations and manufacturing.
The results also showed that if respondents' companies had implemented better data loss prevention policies and technologies, many of those instances of data theft could have been prevented.
"Data loss during downsizing is preventable. We can prevent employees from e-mailing sensitive content to personal webmail accounts or downloading it onto USB drives," said Rob Greer, senior director of product management for Data Loss Prevention (DLP) solutions at Symantec, in a statement. "Companies need to implement data loss prevention technologies so they know exactly where sensitive data resides, how it is being used, and prevent it from being copied, downloaded or sent outside the company."
Other findings of the study: 53 per cent of respondents said they downloaded information onto a CD or DVD, 42 per cent onto a USB drive and 38 per cent sent attachments to a personal e-mail account; 79 per cent of respondents took data without an employer's permission; 82 per cent of respondents said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job; and 24 per cent of respondents had access to their employer's computer system or network after their departure from the company.
Shun Chen, director of product management, Data Loss Prevention solutions at Symantec, said that all of these data loss issues come down to user education about company policy on how to handle company data.
"There are good employees that don't know what the policy is," said Chen. "Data loss is happening through good employees inadvertently doing bad things or broken business processes."
He added that what customers are looking for in a DLP solution is something comprehensive that can monitor and enforce policy across different channels (network, webmail and ports), as well as the ability to identify what data needs to be protected and apply the right access control to it.
In addition, Chen said a DLP solution needs to be able to not only define what data is important to the company but also enforce policies at the network, perimeter, end point or storage device in real time and provide feedback to the employee informing them of different policy violations and how to prevent them in real time. For example, if an employee attempts to burn information onto a DVD, the DLP solution would prevent it but also tell the person why it is a violation of policy.