On Monday, the Ponemon Institute published the results of a survey titled "Data Loss Risks During Downsizing", sponsored by Symantec, to get a clearer picture of the data-theft problem. The study involved 945 individuals from various industries in the US who were laid off, fired or changed jobs in the past 12 months. More than half of the participants admitted to stealing data from their former company, and nearly two-thirds used the stolen confidential information to leverage a new job.
Most of the respondents justified their actions with reasons like:
- everyone else is doing it
- the information may be useful to me in the future
- I was instrumental in creating this information
- the company can't trace the information back to me
- the company does not deserve to keep this information
The survey revealed that employees who have unfavorable views of their employer are far more likely to steal data. More than 61% of respondents with unfavorable views took data, whereas only 13% with favorable views did.
Taking e-mails away on storage devices, sending documents out as e-mail attachments to a personal e-mail account, and walking out with paper documents happen often; employees are least interested in database files, source code or PDF files. E-mail lists, non-financial business information such as company memos, and customer information including contact lists are the most commonly cited types of data taken.
The report also mentions that companies do a very poor job of preventing former employees from stealing data. Nearly one-fourth of the surveyed individuals had access to their former employer's computers even after they left the company. 15% of the respondents' companies perform a review of the paper and electronic documents that employees take with them when they quit. Even when an audit did happen, it was either incomplete or superficial.
To prevent data theft, companies need to know where sensitive data resides and how it is being used, and must prevent it from being copied, downloaded or sent outside the company. The report recommends that employers:
- Clearly define data access policies
- Conduct a thorough review and audit of the employee's paper and electronic documents as part of the exit process
- Deny any access to the company's network, take extra precautions, and monitor the employee's access to the network