New Study Highlights Data Losses from Employee Turnover
- By James E. Powell
- March 23, 2009
It's no surprise that when employees leave a firm, some data may go with them. Whether from enterprise-instituted layoffs or employees voluntarily changing jobs, these changes can put a company at risk for a data breach if employees leave with sensitive or confidential material. A new national survey conducted by Ponemon Institute quantifies that exposure -- and the numbers may be a wake-up call for every enterprise.
Sponsored by Symantec, the report Data Loss Risks During Downsizing found that of the 945 U.S. adult participants, 59 percent who left a firm (voluntarily or not) steal company data. Of these, 79 percent admit that such action was against company rules.
Nor are employees reluctant to use the information they take. Two-thirds (67 percent) of respondents "used their former company's confidential, sensitive or proprietary information to leverage a new job." Almost 7 in 10 (68 percent) plan to use the data, including e-mail lists (taken by 65 percent of respondents), non-financial business information (45 percent) and customer contact lists (39 percent), a data breach that puts customer and enterprise information at risk.
The report sheds light on the type of information stolen, how it is used, and how employees justify their actions. For example, employees who are terminated or who are disgruntled -- and thus have unfavorable views of the employer -- are more likely to commit a data breach. Trust is a key issue: "employees who do not trust their former employer to act with integrity and fairness are more likely to take the data." In fact, 61 percent of respondents who had negative perceptions about their employer stole data; only 26 percent of those who viewed their employer favorably did so.
Sixty-four percent took old e-mails; 62 percent took history and hard copy files with them. Of least interest: PDF files (9 percent), Access files (8 percent), and source code (3 percent). Most employees take hard copy data (that is, paper documents); the next most popular media are CDs and DVDs (53 percent) and small USB drives (42 percent). Over a third (38 percent) sent the data as e-mail attachments to their personal accounts.
When justifying data theft, the most popular reasons include "everyone else is doing it, the information may be useful to me in the future," "I was instrumental in creating this information," "the company can't trace the information back to me," and "the company does not deserve to keep this information."
Only 16 percent say they were permitted to keep sensitive, confidential or proprietary information, but the report questions respondents' reasoning. For example, the top two reasons given were that other laid-off employees kept this information when they left the company (54 percent used this to justify their behavior) and "no one checked their belongings when they left the company (which half of respondents used)." Over a tenth of respondents (11 percent) said that "their former supervisor said it was permissible to keep this information."
The survey indicates that companies are not actively doing much to thwart the problem. For example, only 15 percent of companies "conducted a review or performed an audit of the paper and/or electronic documents" employees took. Even those companies that did conduct audits received low marks; respondents rated company efforts as "not complete" (45 percent) or "superficial" (29 percent). A director, supervisor, or manager conducted the review according to 41 percent of respondents, but nearly 89 percent said that their exit procedure did not include an electronic scan of electronic data-storage devices such as thumb drives.
Researcher Dr. Larry Ponemon explained that exit interviews can be valuable for an enterprise's learning, but "we know from experience that these often take very little time at all. The employee sits down, is asked 'Do you have any questions?', there's a handshake, and it's over."
Exit interviews shouldn't be the time when an enterprise determines whether information is leaving the company. "When you look at how people are transferring data, the enterprise doesn't know if employees are sending data to their personal e-mail account unless you have the right tools monitoring this activity all the time. Checking for this at the exit interview -- by then it's really too late." By having those tools in place, you will also be able to shorten the duration of an in-depth and appropriate interview.
Data thefts can continue long after an employee has left the physical premises according to nearly a quarter of respondents, who said that access to data continued after they left the enterprise. In over one-third of these cases (35 percent), a former employee had access to the system for one week or longer. In some cases, that may be the company policy; 51 percent reported that their supervisor said they "would have access to the company's system, e-mail, or network for a specified period of time. More than 44 percent continued to receive e-mail on their company's account."
The report recommends that companies "immediately assess the potential data loss from former employees who had access to sensitive and confidential data as part of their job." Among its other recommendations:
Make sure policies and procedures "clearly state former employees will no longer have access to sensitive and confidential information they used in their jobs." The policy should cover data stored on laptops and other devices as well as on paper. The policy should state what kinds of data are sensitive and proprietary.
Companies should monitor employee access to network and system resources to ensure no sensitive and confidential data is downloaded or included in a message to an employee's personal e-mail account.
Companies must ensure access to resources is terminated when the employee leaves the firm.
During the exit interview, a manager or IT staff member should "conduct a thorough review and audit of the employee's paper and electronic documents. This includes checking electronic devices as well as paper documents."
Dr. Ponemon says the last recommendation is a tricky one. "If you're a large organization like General Motors and you have a big layoff, you probably don't have enough people in your human resources department to be able to conduct a good exit interview and audit."
The potential for data thefts highlighted by the survey cannot be overemphasized, but risks can be mitigated. Shun Chen, director of product management at Symantec Data Loss Prevention Solutions, points out that in audits/risk assessments Symantec conducts for clients, generally one out of every 400 e-mails sent from a company contains confidential information. "What you want to do is be proactive up front. You need to have the network monitoring to know exactly what users are doing and reinforce any of your confidential data policies. You need to tell your employees about your policies, but you need the enforcement in place so, for example, a notice pops up so users immediately know when they've violated a policy."
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).