The “Frenemy” Within – Insider Theft of Intellectual Property
fren·e·my [fren-uh-mee] noun. Someone who is both friend and enemy; a relationship that is mutually beneficial or dependent while also being competitive and fraught with risk.
When it comes to taking your intellectual property (IP), employees are the less obvious player, but they can be frenemy #1. In many cases, these trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use at their next employer. It’s not that these employees are inherently malicious – often they just don’t know it is wrong to do so.
According to a new Symantec survey examining employee behavior and attitudes around IP theft, this is happening more than we’d like to think. Half of employees admit to taking corporate data when they leave a job, and 40 percent say they plan to use the data in their new job. This means valuable intelligence is falling into the hands of competitors. Ultimately, this puts everyone at risk – the employee who takes the IP, the organization that invested in it and the new employer who unwittingly receives it. Everyone can be held accountable, and no one wins.
What’s startling is the sheer number of employees who don’t think taking corporate data is wrong. Sixty-two percent of employees think it’s acceptable to transfer corporate data to their personal computers, tablets, smartphones and cloud file-sharing apps. And once the data is there, it stays there – most employees never delete it.
Employees don’t think twice about taking corporate data because they don’t see the harm – 56 percent don’t think it’s a crime to use trade secrets taken from a previous employer. Underlying this belief is a lack of understanding of who owns the IP. The survey shows that employees attribute ownership of IP to the person who created it.
Companies are failing to train people in what belongs to the employee and what belongs to the company, and they are not creating an environment that promotes employees’ responsibility and accountability in safeguarding business information. Additionally, they are not educating employees that using a former employer’s confidential data puts the current employer at risk.
What can businesses do to reduce the risk of insider IP theft? Symantec has created three key recommendations based on the survey results:
- Employee education: Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training.
- Enforce non-disclosure agreements (NDAs): Include stronger, more specific language in employment agreements and ensure exit interviews include conversations focused on employees’ continued responsibility to protect confidential information and return all company information and property (wherever it is stored). Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences for them and their future employer.
- Monitoring technology: Implement data loss prevention software that monitors inappropriate access and use of IP and automatically notifies managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise exposed, which increases security awareness and deters theft.
As for safeguarding valuable IP, companies cannot focus their defenses solely on external attackers and malicious insiders who plan to sell stolen IP for monetary gain. The everyday employee can be just as damaging to an organization. The lesson from this survey is clear: keep your enemies close and your frenemies closer.
For more information, we invite you to read the complete report What’s Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk, available for download at: http://bit.ly/XFjYwQ.