Employees leaving a company are likely to take more than a few envelopes and the office stapler with them. Many former employees also make a copy of their customer file, just in case it comes in handy at their new job.
The evidence on employee data theft emerges from a new survey carried out by Texas-based security company SailPoint Technologies Inc., which took opinions from 1,065 UK workers. It discovered that 53% of workers would take some company property with them -- such as office stationery -- but 23% admitted they would also take customer data, company files or contact details, and 17% said they would take product or design information.
The motive does not appear to be monetary gain, however. The survey asked the workers what they would do if they were given access to a confidential file by mistake. While 57% said they would look at the file, only 1% said they would attempt to sell the information.
Jackie Gilbert, vice president of marketing for SailPoint, said the aim of the survey was to highlight the need for companies to put more value on data. "We were testing the hypothesis that people do not feel the same moral qualms about stealing proprietary information as they do about stealing cash from their employers," she said. "It poses a problem for companies, as they tend to keep their intellectual property in electronic form -- customer lists, sales plans, production pipelines, even software."
She said it remains a "moral grey area" that employers need to clarify. "Companies need to be more heavy-handed with policy and education. They should make people aware that the company's policy absolutely forbids this. If you make the policy explicit and make it clear you will be monitoring to enforce it, it has a psychological impact," Gilbert said.
She added that companies tend to allow users access to more information than they need. "You tend to get entitlement creep. Someone gets a new job so they just acquire the same privileges as some similar workers. You end up giving people far more access than they really need. It's common because it is hard to manage," she said.
According to Alan Calder, founder and director of IT Governance Ltd., a consultancy specialising in standards and compliance, the guidelines set out in the ISO 27001 information security standard provide plenty of useful help.
ISO 27001 control 8.3, "Termination or change of employment," provides a checklist of actions employers should take when employees leave, from making sure all equipment is returned, to sending out a letter to remind the former employee that terms of confidentiality and information ownership still apply, even after they have left the company.
ISO 27001 also provides a blueprint for managing how much information users can access. "You need to deal with the risks through a structured approach to securing information," Calder said. "You have to structure proper access controls; you need to have controls over who can see what data, and what can be exported on a day-to-day basis."
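The two access-control failures described above, entitlement creep (an account cloned from a "similar worker" and so holding more than its own role needs) and leavers who keep access after termination, are the kind of thing a periodic entitlement review catches. The following script is an added illustration, not code from the article or from any vendor quoted in it; the role names, entitlement strings and accounts are constructed sample data.

```python
"""Entitlement review against role baselines (added example, constructed data)."""

# Constructed: the entitlements each job role actually needs (the baseline).
ROLE_BASELINE = {
    "sales_rep": {"crm:read", "email", "vpn"},
    "sales_manager": {"crm:read", "crm:export", "email", "vpn", "pipeline:read"},
    "engineer": {"email", "vpn", "source:read", "source:write"},
}

# Constructed: what each account currently holds, and whether the person is still employed.
ACCOUNTS = {
    # alice was set up by copying a sales manager's access, not a sales rep's
    "alice": {"role": "sales_rep", "status": "active",
              "entitlements": {"crm:read", "crm:export", "email", "vpn", "pipeline:read"}},
    "bob":   {"role": "engineer", "status": "active",
              "entitlements": {"email", "vpn", "source:read", "source:write"}},
    # carol has left but her account was never fully deprovisioned
    "carol": {"role": "sales_manager", "status": "left",
              "entitlements": {"email", "vpn"}},
}


def excess_entitlements(account, baseline=ROLE_BASELINE):
    """Entitlements the account holds beyond its role's baseline (entitlement creep)."""
    needed = baseline.get(account["role"], set())
    return sorted(account["entitlements"] - needed)


def review(accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Return findings keyed by account: either ('excess', [...]) for active
    accounts holding more than their role needs, or ('leaver_still_entitled', [...])
    for leavers who should have no access at all. Clean accounts are omitted."""
    findings = {}
    for name, acct in accounts.items():
        if acct["status"] == "left":
            if acct["entitlements"]:
                findings[name] = ("leaver_still_entitled", sorted(acct["entitlements"]))
            continue
        extra = excess_entitlements(acct, baseline)
        if extra:
            findings[name] = ("excess", extra)
    return findings


if __name__ == "__main__":
    for name, (kind, items) in review().items():
        print(f"{name}: {kind}: {', '.join(items)}")
```

Run against a real identity store, the baseline would come from the role definitions and the accounts from the directory export; the revocation check for leavers maps directly onto the termination checklist the ISO 27001 control describes.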
The public sector is already tackling the problem. Ever since the government's Data Handling Review of June 2008, more emphasis has been placed on preventing data leaks. As a result, the government's technical authority for information assurance, CESG, developed the Security Policy Framework and has issued Good Practice Guide 13, which outlines the necessary elements for protective monitoring of information.
Fundamental to the government standard is the keeping of system logs to provide alerts and forensic evidence in the event of a security breach.
But many companies still choose to turn off logs because they can slow down system performance, according to Ross Brewer, vice president and managing director of international markets for Boulder, Colo.-based log management company LogRhythm Inc. "Technically, it is difficult to capture users taking information from the organisation because USB sticks and DVDs are not often logged," he said. "These can be blind spots on the network."
Bill Roth, chief marketing officer for San Jose, Calif.-based rival company LogLogic Inc., agreed, adding that companies should make better use of user profiles to determine what files users can access.