According to a recent survey of workers in London, New York and Amsterdam, many employees will have already stolen valuable information from their employer in anticipation of losing their jobs, while others will find ways to access old accounts after their employment has finished.
The survey of 600 workers, conducted by security company Cyber-Ark Software Ltd., revealed that more than half had already downloaded competitive corporate data which they planned to use as a negotiating tool to secure their next post. At the top of the list of desirable information were customer and contact databases.
The findings serve as a reminder that the biggest security threats come from inside the organisation, especially when staff may be coming under financial pressures or worrying about their jobs.
Danny McLaughlin, a fraud expert at auditing firm KPMG LLP, warns that staff under pressure, if given the opportunity, will find ways of justifying stealing from their company. The opportunity can arise through lax controls or a general approach in the organisation that encourages people to bend the rules. "Some will have access to sensitive data that they can use to give them a flying start with their new employer, or to set up on their own," he says.
Last year, KPMG analysed 360 cases of fraud, and produced its 'Profile of a Fraudster' to show the type of person that is most drawn to swindling their company. They found that most (85%) were male and 70% were between 36 and 55 years old. Members of management, including board members, accounted for 86% of all profiles.
"Most destructive fraud is done by senior management, because they know how things operate and they have the ability to coerce or intimidate others in the company," said McLaughlin. "Just think of people like Robert Maxwell and Conrad Black. They are less likely to be challenged by subordinates, and less likely to be suspected of wrongdoing by their colleagues."
McLaughlin added that technical controls were not enough to deter senior management from crime, and that companies need effective corporate governance through their auditing committees and non-executive directors. "They need to challenge and question. They need to look at the effectiveness of controls, audit and other supervisory functions."
When companies are planning to lay off staff, it is in their best interests to do it sensitively, says Steve Flatt, a director of the Liverpool-based Psychological Therapies Unit who has recently advised car companies on how to manage redundancies. "If employees are kept in the picture throughout [the redundancy process], then the employees affected are much more likely to treat the company reasonably and accept the situation and move on without trying to destroy or disrupt," he said.
But he acknowledged that some people may react aggressively regardless of how they are treated: "If an employee is a defensive, angry and resentful character in the first place, often well hidden in order to survive, then a loss of position can be seen as yet another reinforcement of that employee's victim status and produce a vengeful response no matter how the company treats them."
In other words, you always need some technical controls in place to prevent, or at least record, where information is copied. That may be done by installing data loss prevention software to control the movement of information, or by blocking off parts of the system, such as USB ports. But that is unlikely to be effective unless companies have gone through some form of data classification exercise to identify their most sensitive data, and few so far have done this.
Another vital step is to ensure that when staff leave the company, they do not retain access to systems. Stuart Hodkinson, U.K. country manager for security company Courion Corp., says that with the fast pace of change in companies, especially financial services, access control is in danger of being forgotten.
"The best way of handling it, especially when a large number of people are being asked to leave, is to do a bulk deprovisioning," he said. "An aggrieved employee has an opportunity to do damage or to take away privileged information."
Hodkinson said that companies underestimate the task of deprovisioning. "Organizations may think that simply terminating an employee's network access is sufficient protection. However, due to the complexity of today's Web-enabled IT environments, this approach is increasingly ineffective because it does not remove access to some Web-based accounts or online SaaS providers like Salesforce.com," he said. "Laid-off employees can easily exploit the lag time between being laid off and having all of their accounts shut off to access sensitive company information."
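The deprovisioning gap Hodkinson describes can be checked by reconciling the HR leaver list against account exports from every system, not only the network directory. The following is an added example, not part of the original article: the system names, record fields and all sample data are constructed, and accounts are assumed to be matchable by e-mail address.

```python
from datetime import datetime

# Constructed sample data: HR leaver list and per-system account exports.
LEAVERS = {
    "a.jones@example.com": datetime(2024, 3, 1, 17, 0),
    "b.smith@example.com": datetime(2024, 3, 1, 17, 0),
}
INVENTORIES = {
    "directory": [
        {"email": "a.jones@example.com", "enabled": False, "last_login": datetime(2024, 3, 1, 9, 5)},
        {"email": "b.smith@example.com", "enabled": False, "last_login": datetime(2024, 2, 28, 8, 50)},
        {"email": "c.wu@example.com", "enabled": True, "last_login": datetime(2024, 3, 4, 9, 0)},
    ],
    "crm_saas": [
        {"email": "A.Jones@Example.com", "enabled": True, "last_login": datetime(2024, 3, 3, 22, 14)},
        {"email": "b.smith@example.com", "enabled": True, "last_login": datetime(2024, 2, 27, 11, 0)},
    ],
    "webmail": [
        {"email": "b.smith@example.com", "enabled": False, "last_login": datetime(2024, 3, 2, 7, 30)},
    ],
}

def audit_deprovisioning(leavers, inventories):
    """Return findings for leaver accounts that are still enabled or were
    used after the termination time, across every system inventory."""
    leavers = {email.strip().lower(): when for email, when in leavers.items()}
    findings = []
    for system, accounts in inventories.items():
        for acct in accounts:
            email = acct["email"].strip().lower()  # SaaS exports vary in case
            terminated = leavers.get(email)
            if terminated is None:
                continue  # current employee, out of scope
            used_after = acct["last_login"] is not None and acct["last_login"] > terminated
            if acct["enabled"] or used_after:
                findings.append({
                    "email": email,
                    "system": system,
                    "still_enabled": acct["enabled"],
                    "login_after_termination": used_after,
                })
    # Post-termination use first, then by system and user for stable output.
    findings.sort(key=lambda f: (not f["login_after_termination"], f["system"], f["email"]))
    return findings

if __name__ == "__main__":
    for f in audit_deprovisioning(LEAVERS, INVENTORIES):
        print(f)
```

In the sample data the directory looks clean, while the CRM account remains enabled and the webmail account, although since disabled, shows a login during the lag after termination.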