Security Bytes

Feb 26 2009   11:30PM GMT

Data walks out the door, but what do you really care about?



Posted by: NBRoiter
Tags:
Data Breaches and Identity Theft
Data leakage
insider threats

There were only two of us on the graveyard shift.

“If it’s not locked up,” a colleague at my first newspaper declared as he snatched a folder of papers from our boss’ desk and strode towards the office copying machine, “Xerox it.”  (Old-tongue for photocopy.)

That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you.

I guess that’s the message behind the “revelation” released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them.

Lots of it.

My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.)

Data Loss Risks During Downsizing conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data.

What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers.

Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it’s sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn’t weigh heavily enough on their conscience to set off an internal alarm.

Most of the people who took data — 79% — said it was not permitted. So, the other 21% were either ignorant, their managers said it was OK, or their former employers didn’t make a big enough deal about this sort of thing to make it worth remembering. Let’s face it. If this kind of grayish area thievery were really important, every single employee with a desk, a computer and a file cabinet would be escorted out of the building by security when they were laid off, fired or gave two weeks notice.

The report, perhaps, should have emphasized the smaller, but more important numbers, which show that some of these former employers did take financial information, did take source code, or did take intellectual property. That’s the stuff that gives management chills. Those numbers are much smaller than the 59% who admit taking some sort of information they shouldn’t or the 65% of those who took email lists. But those smaller numbers represent the kind of information leaks that can do serious harm to a business.

The real crime — and this is where the report excels — is that the overwhelming majority of the companies these people left didn’t even try to check what kind of information was about to walk out. Only 15% of the companies performed any sort of audit or review of what information the former employees were removing, and even these reviews were, in many cases, characterized as incomplete or even superficial.

So, the message employees take away is the same as it was in that cramped, dank newsroom, many years ago in the dead of night: “If it’s not locked up, Xerox it.”

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: