Laid off workers likely to steal company data, survey warns

By Erin Kelly, Contributor 24 Feb 2009 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Employees who leave their companies -- whether voluntarily or by force -- are now more likely to steal confidential company information on their way out, especially if they don't trust their employer, according to a recent survey.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The report, "Jobs at Risk = Data at Risk," is based on a Symantec Corp. and Ponemon Institute survey of 945 participants located in the U.S. who have been laid off, fired or changed jobs in the last 12 months. It found 59% of employees who leave or are asked to leave are stealing company data, such as contact lists, employee records and other business documents.

Rob Greer, senior director of product management at Symantec, said often times when company security policies are unclear, some employees feel they are entitled to take data with them when they leave as parting gifts because they helped build or create the data. However, there are also instances where malicious insiders may take being laid off or let go personally and try to inflict harm on the company.

Economic doldrums: PCI costs slow compliance projects in down economy: PCI projects at some firms face scrutiny and funding shortfalls due to the economy. Security spending continues despite shaky economy, Forrester finds: An uncertain economy is causing many companies to do some budget tightening, but the continued barrage of data breach news has helped keep data security a priority in most companies. Four ways to prioritize security programs in bad economy: While IT pros should evaluate their ongoing security processes and technologies, security vendors also need to make an assessment of their overall value and adjust the business. Report offers security strategy tips to overcome funding problems: The economy is forcing companies to accept more risk, but a new report offers tips to showcase the value of the security team.

The report found that 61% of respondents who had negative feelings about their company took data, while only 26% of those with a favorable view of their company took data. Employers should focus on communicating with their employees to prevent negative sentiments that may result in malicious activity and stolen information after a layoff, Greer said.

The financial crisis has sent the economy spiraling, resulting in increased layoffs in many industries. The U.S. unemployment rate is at 7.6%, the highest in more than 16 years. Banks and other financial institutions have been especially hard hit with layoffs and could face the greatest risk of data leakage from insiders. The highest percentage of survey responses came from the financial services industry, Symantec said.

"Generally speaking when thinking about companies that are dealing with this economy and laying people off, if [employers] focus more on communicating and being more open as to what's going on within the company as much as they can, the likelihood of having employees take data would be less likely as [employees] are not constantly wondering about the status of their job," Greer said.

Companies are failing to take proper measures to stop employee data theft. Eighty-eight percent of respondents reported their company did not do an electronic scan of devices such as portable data-bearing equipment or USB memory sticks before they left.

Greer advised companies to be proactive in managing their data and to form a comprehensive prevention strategy to prevent data loss.

"Know where your data is, how it is being used, and the best way to prevent its loss and do that across all three threat vectors -- endpoint, network, and storage -- and lastly, be consistent with the policy," Greer said.

Employee education is also instrumental in preventing data loss, Greer said.

SearchSecurity radio:

"Employees should know what the company's polices are and be aware of their actions and what actions might be used against them in the future," Greer said.

Another way to prevent employees from stealing data is implementing a solution that monitors end users, Greer said.

"If people know they're being monitored, they'll be less likely to do foolish things if they end up getting laid off."

While employees are taking information without permission, the majority are not looking to ruin the entire company, he said.

"You may have some employees that are very upset and more focused on damaging the employer, but the majority [of employees], based on the information in the survey, are more focused on utilizing that information in the future [for another job]," Greer said.

Tags: Information security policies and end-user awareness training,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security policies and end-user awareness training Cloud Security Alliance releases top cloud computing security threats Fraud risk management is key to avoid Wipro-like incidents Security awareness is the key... cultivate employee loyalty Information security awareness mantras from the Apeejay campaign Preventing password fatigue with single sign-on (SSO) authentication PCI DSS checklist: Mistakes and problem areas to avoid Creating and enforcing a clear-desk policy CISO career 101: Chief Information Security Officer route basics Creating a HIPAA employee training program Information security threat modeling is immature in India

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CERT-In  (SearchSecurityIN.com) Information Technology Amendment Act 2008  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary