I love second hand book stores: not because I’m too miserly to buy new books but because of the random nature of what you’re likely to find and buy. For less than a pound I recently came home with a book entitled “Shoplifting and Shrinkage Protection” by Loren E. Edwards, the first edition of which was published in 1958. There’s an interesting chapter entitled Employee Thefts which discusses the motivations behind insider crime. Here are some quotes:
“Another employee committed acts of fraud to gain the good will of both customers and employees who depended upon her for favours.”
“I merged my identity with that of the company to the extent of thinking what was theirs, was mine.”
“Practically every employee under the previous management was stealing.”
“Correct, complete controls are necessary, but they are no better than supervision which should be disciplinary, but fair.”
Skip forward 50 years and the book still appears very relevant in the database age: there’s really not much difference between an employee stealing physical goods and stealing a database. The motivations are the same (usually profit or some other advantage) and both result in the loss of items that the company owns. In fact, database theft is sometimes referred to as an equivalent of shoplifting, for instance in this short article: http://www.sswug.org/columnists/editorial.asp?id=1408.
Insider theft is a recurring topic of this blog: as I mentioned here, the latest research is that 62% of large businesses in the UK have dealt with a security incident instigated by a current or former employee. That’s a lot, but we shouldn’t be surprised because it’s clearly not a new problem. “Employees cause 75% of inventory shrinkage” is one of the more alarming quotes from the above-mentioned book.
The chapter in question closes by stating that “prevention is a logical policy to use in dealing with crime. Punishment and other methods of treatment are, at best, methods of defense. It is futile to take individual after individual out of the situations which produce criminals and permit the situation to remain as they were.”
The word “criminal” is strong and still valid. If an employee is stealing data then that’s what they are. It’s no different from stealing a box of stuff.