Data loss due to the actions of insiders is a well-known problem. Every company has employees, and employees – being human – are prone to make mistakes. They email information to unauthorized recipients, they leave laptop computers in airports, they drop their PDFs in taxis, they take information home to get some work done over the weekend and they connect to non-secure networks or open their computer to the Pandora’s Box of peer-to-peer networks…
Consistently, research by the Ponemon Institute and other groups has confirmed this to be true. Insiders are responsible for the vast majority of all data breaches. The Ponemon Institute’s most recent Annual Cost of a Data Breach Study puts this figure at 88 percent.
My gut tells me that a foundering economy would exacerbate this situation, but my gut (and the collective gut of everyone who has thought about this situation) isn’t considered credible evidence by anyone making decisions in the corner office. That’s why the Institute has released a new study that examines this situation – and the results are pretty interesting.
Jobs at Risk = Data at Risk (sponsored by the good folks at Symantec) has a number of interesting findings. In short, 59 percent of employees who lost or changed jobs over the last year reported taking sensitive information with them when they left – 79 percent of whom knew they were doing so against company policy. In cases where the employee had a negative view of their former employer, the likelihood of data theft was 61 percent, but for those with a positive view the rate of theft was only 26 percent.
One critical takeaway from this study has to be that this is a preventable problem. There’s a sentiment within the data security community that data loss at the hands of insiders is merely a cost of doing business. As they do with paperclips and ballpoint pens, employees are going to access and swipe information and there’s not much that can be done about it. That’s a defeatist conclusion that is simply not supported by these findings.
Most of the individuals stealing information are non-IT staff who lack the technical sophistication to effect clever schemes to defeat IT security protections. They are, by and large, administrative (16%), sales (30%), and contract employees (13%) who are motivated by financial pressure and job-loss anxiety.
Given the markedly lower rate of theft among employees who had positive feelings for their former employer, simply doing a better job building positive employee relationships would go a long way toward dissuading folks from making bad exit decisions. Such a program should include the development and communication of clear and enforceable policies related to data handling – including consequences for data theft.
Employees are stealing information because they recognize data has immense value in today’s economy. They regard this information as their “parting gifts,” but if they know that stealing information might put their severance package at risk, they’ll think twice.
Of course, a thorough data loss prevention program must include an investment in the appropriate technology tools. DLP technology, properly deployed, can prevent the vast majority of accidental and intentional data theft events.