As layoffs continue apace, a survey released on Monday shows what many companies fear--exiting workers are taking a lot more with them than just their personal plants and paperweights.
Of about 950 people who said they had lost or left their jobs during the last 12 months, nearly 60 percent admitted to taking confidential company information with them, including customer contact lists and other data that could potentially end up in the hands of a competitor for the employee's next job stint.
"I don't think these people see themselves as being thieves or as stealing," said Larry Ponemon, founder of the Ponemon Institute, which conducted the online survey last month. "They feel they have a right to the information because they created it or it is useful to them and not useful to the employer."
The survey also found a correlation between people who took data they shouldn't have taken and their attitude towards the company they are leaving. More than 60 percent of those who stole confidential data also reported having an unfavorable view of the company. And nearly 80 percent said they took it without the employer's permission.
Most of the data takers (53 percent) said they downloaded the information onto a CD or DVD, while 42 percent put it on a USB drive and 38 percent sent it as attachments via e-mail, according to the survey.
The survey also found that many companies seem to be lax in protecting against data theft during layoffs. Eighty-two percent of the respondents said their employers did not perform an audit or review of documents before the employee headed out the door and 24 percent said they still had access to the corporate network after leaving the building.
The survey was commissioned by Symantec, which offers software that helps companies protect against data loss by indexing databases and monitoring for patterns of word combinations that might be used by exiting employees to steal data. The Symantec software also can monitor outbound e-mail for confidential data and alert IT if large amounts of certain types of data, such as Social Security numbers, are being copied to removable storage devices.
In Germany it's apparently OK to have non-employees roam the offices, while in Brazil corporate secrets are commonly shared with family members, and even with total strangers. These are some of the results of a survey (PDF) commissioned by Cisco Systems and released Tuesday.
"It's interesting to see the cultural differences in terms of what's allowed and what's not allowed in different countries," said Marie Hattar, vice president of network and security solutions at Cisco. "If you look towards doing a data leakage prevention strategy, you've got to consider physical security as much as you do network security."
Hattar told CNET News that the survey came about because of dramatic changes in the workplace within the last few years. Two of the changes--a younger workforce and the rise of smart mobile phones--are "completely blurring between what's personal and what's your work life." She also cited the recent rise of the knowledge worker in countries such as India, China, and Brazil. "So it becomes key that as you implement your network security strategy, your physical security strategy, that you are also putting into place some of these educational policies to drive your employees to good behavior," she said.
In Brazil, the study found, 39 percent of employees surveyed talk about sensitive company information with their friends and family and 8 percent of the time they talk to strangers. By comparison, the numbers for the U.S. were 16 percent friends and family and only 2 percent strangers. "If you look at China," Hattar said, "it's one of the more lower countries in terms of who they talk about company business outside the company." Cisco's data showed that while 17 percent of Chinese workers talk about work to friends and family members, none said they talked to strangers.
Another data point was how permissive employees are of non-employees in the office. "In Germany, one out of five actually admit to letting partners or vendors or what have you roam their office buildings unsupervised." Hattar admitted this alone would not lead to data leakage, but warned that employees should "put their computers on standby, (prevent) their passwords from being posted on the computer or written down somewhere, and have a physical security mechanism that will alert you so that you know whether someone is looking or doing something that they shouldn't be doing."
The Cisco report further recommends that companies know where the data is stored and how it is accessed and used. Companies should educate employees on how data protection equates to money earned and money lost, the bottom line. Finally, international companies should determine global policy objectives and create localized education programs tailored to a country's culture and threat landscape.
Hattar observes that "as you evolve your business into different cultures, even if you have locked down your physical security and your network security you can't escape from having to put into place an education program to raise the awareness that you have to educate your employees about the possibility of verbal disclosure."
The Cisco study was conducted by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
With information technology, you can look at problems and solutions in lots of different ways. For end users and academics, this can lead to a lot of experimentation, skunk works projects, and trial-and-error. But that is not the case when it comes to technology vendors. Start-ups also see lots of ways to solve problems, but they are bound by business plans, directors, and funding to pick their battles and build focused solutions. Some make the right choice and get lucky, some don't.
As an example, I offer two different solution types for data security: Data Loss Prevention (DLP) and Enterprise Rights Management (ERM). These two segments are focused on protecting confidential and private data but each took a bit of a different approach. At a high level, DLP solutions sort of assume that you don't know where your confidential data is or what people are doing with it so you need some way to prevent bad things from happening. Alternatively, ERM assumes that you do know where the data is and what people should be doing with it so you need automated tools for policy enforcement.
These two related product segments have had vastly different fortunes. DLP became the toast of the town with a number of visible acquisitions. Port Authority was scooped up by Websense, EMC grabbed Tablus, and Symantec purchased Vontu. Others like Orchestria and Vericept continue to do well as independent companies. ERM players didn't fare quite as well, however. Companies like Authentica and Sealed Media were purchased at discounted prices while others simply shut their doors.
DLP initially proved to be a better financial bet, but ultimately there are a few ironies in this victory:
Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.
Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.
Like comedy, timing is everything when it comes to technology start-ups. Believe me, I learned this lesson first-hand. The DLP guys found a goldmine while ERM companies faded away. What's old is new again, however. ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike.





