As layoffs continue apace, a survey released on Monday shows what many companies fear--exiting workers are taking a lot more with them than just their personal plants and paperweights.
Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee's next job stint.
"I don't think these people see themselves as being thieves or as stealing," said Larry Ponemon, founder of the Ponemon Institute, which conducted the online survey last month. "They feel they have a right to the information because they created it or it is useful to them and not useful to the employer."
The survey also found a correlation between people who took data they shouldn't have taken and their attitude towards the company they are leaving. More than 60 percent of those who stole confidential data also reported having an unfavorable view of the company. And nearly 80 percent said they took it without the employer's permission.
Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD, while 42 percent put it on a USB drive and 38 percent sent it as attachments via e-mail, according to the survey.
The survey also found that many companies seem to be lax in protecting against data theft during layoffs. Eighty-two percent of the respondents said their employers did not perform an audit or review of documents before the employee headed out the door and 24 percent said they still had access to the corporate network after leaving the building.
The survey was commissioned by Symantec, which offers software that helps companies protect against data loss by indexing databases and monitoring for patterns of word combinations that might be used by exiting employees to steal data. The Symantec software also can monitor outbound e-mail for confidential data and alert IT if large amounts of certain types of data, such as Social Security numbers, are being copied to removable storage devices.
Reports of data breaches in the United States increased 47 percent in 2008 from the year before, mostly as a result of lost or stolen equipment, and accidental exposure of data online, according to a new study from the nonprofit Identity Theft Resource Center.
There were 656 reports of breaches last year, compared with 446 for 2007, and an estimated 35.7 million records were potentially breached based on notification letters and information from breached companies, the study released this week found.
The breaches run the gamut, including: laptops stolen from Merrill Lynch and Starbucks; bank card information stolen from fake card readers at gas stations in Georgia; Ohio State University student Social Security numbers exposed on the Internet; a former Library of Congress employee using co-workers' data to open bogus credit card accounts; a Seattle school district inadvertently releasing teacher data to a union; financial information on mortgage files abandoned outside a Boise recycling center; and the World Bank Group's computer network being penetrated.
The reports of insider theft more than doubled to represent 15.7 percent of the breaches, while more than a third of the breaches were a result of data on the move, such as stolen laptops, and accidental exposure.
Breaches from data theft by employees doubled, to nearly 16 percent, while hacking and use of data-stealing software represented about 14 percent of the breaches. Only 2.4 percent of all breaches had encryption or other protection methods in use, and only 8.5 percent of victims had password protection in place.
More than 80 percent of the breaches were electronic in nature, with the rest involving paper documents.
[Chart: the breaches broken into five data loss categories and industry areas. (Credit: Identity Theft Resource Center)]
In Germany it's apparently OK to have non-employees roam the offices, while in Brazil corporate secrets are commonly shared with family members, and even with total strangers. These are some of the results of a survey (PDF) commissioned by Cisco Systems and released Tuesday.
"It's interesting to see the cultural differences in terms of what's allowed and what's not allowed in different countries," said Marie Hattar, vice president of network and security solutions at Cisco. "If you look towards doing a data leakage prevention strategy, you've got to consider physical security as much as you do network security."
Hattar told CNET News that the survey came about because of dramatic changes in the workplace within the last few years. Two of the changes--a younger workforce and the rise of smart mobile phones--are "completely blurring between what's personal and what's your work life." She also cited the recent rise of the knowledge worker in countries such as India, China, and Brazil. "So it becomes key that as you implement your network security strategy, your physical security strategy, that you are also putting into place some of these educational policies to drive your employees to good behavior," she said.
In Brazil, the study found, 39 percent of employees surveyed talk about sensitive company information with their friends and family and 8 percent of the time they talk to strangers. By comparison, the numbers for the U.S. were 16 percent friends and family and only 2 percent strangers. "If you look at China," Hattar said, "it's one of the more lower countries in terms of who they talk about company business outside the company." Cisco's data showed that while 17 percent of Chinese workers talk about work to friends and family members, none said they talked to strangers.
Another data point was how permissive employees are of non-employees in the office. "In Germany, one out of five actually admit to letting partners or vendors or what have you roam their office buildings unsupervised." Hattar admitted this alone would not lead to data leakage, but warned that employees should "put their computers on standby, (prevent) their passwords from being posted on the computer or written down somewhere, and have a physical security mechanism that will alert you so that you know whether someone is looking or doing something that they shouldn't be doing."
The Cisco report further recommends that companies know where the data is stored and how it is accessed and used. Companies should educate employees on how data protection equates to money earned and money lost, the bottom line. Finally, international companies should determine global policy objectives and create localized education programs tailored to a country's culture and threat landscape.
Hattar observes that "as you evolve your business into different cultures, even if you have locked down your physical security and your network security you can't escape from having to put into place an education program to raise the awareness that you have to educate your employees about the possibility of verbal disclosure."
The Cisco study was conducted by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.
Contractor PA Consulting alerted the Home Office to the loss last Monday evening--and by midday Tuesday, the contractor confirmed "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cache of sensitive information.
According to a Home Office statement, the missing USB stick contains:
- Data relating to all prisoners in England and Wales, including names, birth dates, and, in some cases, expected prison release dates of about 84,000 individuals
- Data relating to prolific and other priority offenders, including the names and birth dates of approximately 10,000 individuals
- Drug Interventions Programme data, with offenders' initials
"We have been made aware of a security breach at the offices of an external contractor involving the loss of personal information about offenders in England and Wales," a Home Office statement said. "A full investigation is being conducted. Police and the Information Commissioner have been informed."
It added: "The data was held in a secure format on the contractor's site. It was downloaded onto a memory stick for processing purposes, which has since been lost. The transfer of data on this assignment to the external contractor has been suspended."
Following the breach, a member of PA Consulting staff has been suspended, a Home Office representative said.
The company was appointed by the Home Office in June 2007 to provide application support for tracking prolific and priority offenders through the criminal justice system.
Asked whether the Home Office will be terminating PA Consulting's contract in light of the security breach, the representative told Silicon.com, "We are investigating the external contractor's contractual obligations."
The Home Office refused to comment on whether security measures should have been in place to prevent unencrypted data being transferred onto a USB stick. The representative also refused to clarify exactly what security requirements the Home Office has for external contractors who handle sensitive data.
PA Consulting--which was selected in 2004 to also work with the Home Office on the design, feasibility, and business and procurement elements of the government's ID card program--said in a statement, "We are collaborating closely with the Home Office on this matter. We have no further comment to make at this time."
This is not the first time sensitive data held by the government has gone missing.
Just last month, it emerged that the details of 45,000 people, including criminal records and banking and court information, have been lost or compromised in the past year by the Ministry of Justice. And last year, two CDs containing the confidential personal details of 25 million child benefit recipients were lost by HM Revenue & Customs.
"It is deeply worrying that after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost," David Smith, deputy commissioner for U.K. data protection watchdog the Information Commissioner's Office, said in a statement. "The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability, if it is not handled properly and reinforces the need for data protection to be taken seriously at all levels. It is vital that sensitive information such as prisoner records is held securely at all times."
Smith added: "The Home Office has informed us that an internal investigation is being carried out into the data security arrangements between the Home Office and its contractor, PA Consulting. We expect the Home Office to provide us at the Information Commissioner's Office with a copy of the report and its findings. We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information."
Natasha Lomas of Silicon.com reported from London.
With information technology, you can look at problems and solutions in lots of different ways. For end users and academics, this can lead to a lot of experimentation, skunk works projects, and trial-and-error. But that is not the case when it comes to technology vendors. Start-ups also see lots of ways to solve problems, but they are bound by business plans, directors, and funding to pick their battles and build focused solutions. Some make the right choice and get lucky, some don't.
As an example, I offer two different solution types for data security: Data Loss Prevention (DLP) and Enterprise Rights Management (ERM). Both segments focus on protecting confidential and private data, but each took a somewhat different approach. At a high level, DLP solutions assume that you don't know where your confidential data is or what people are doing with it, so you need some way to prevent bad things from happening. ERM, by contrast, assumes that you do know where the data is and what people should be doing with it, so you need automated tools for policy enforcement.
These two related product segments have had vastly different fortunes. DLP became the toast of the town with a number of visible acquisitions. Port Authority was scooped up by Websense, EMC grabbed Tablus, and Symantec purchased Vontu. Others like Orchestria and Vericept continue to do well as independent companies. ERM players didn't fare quite as well, however. Companies like Authentica and Sealed Media were purchased at discounted prices while others simply shut their doors.
DLP initially proved to be a better financial bet, but ultimately there are a few ironies in this victory:
Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.
Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.
Like comedy, timing is everything when it comes to technology start-ups. Believe me, I learned this lesson first-hand. The DLP guys found a goldmine while ERM companies faded away. What's old is new again, however. ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike.