They may have lost their jobs due to the current economic downturn. Or maybe they’re just looking for better opportunities. Whatever the reason, there are an awful lot of people leaving their current positions these days.
And when they do leave, more often than not they’re taking something besides their personal items and an office supply or two. Increasingly, these employees are walking away with sensitive and confidential information.
According to a Ponemon Institute study conducted in 2009, 59% of employees who left or were asked to leave took company data with them. Moreover, 79% of these respondents admitted that their former employer did not permit them to leave with that data.
All of which raises the question: Are you doing everything you can to prevent former employees from taking company data?
This Tech Brief considers the implications of the Ponemon study and then discusses the steps companies can take to prevent potential data loss from former employees.
The Ponemon study surveyed 945 adult participants who were laid off, fired, or between jobs in the previous 12 months. Although respondents were spread across many different industries, the highest percentage of survey responses came from the financial services industry.
The study found that 67% of the respondents “used their former company’s confidential, sensitive or proprietary information to leverage a new job.” In addition, approximately 68% of the respondents planned to use such information as “email lists, customer contact lists, and employee records” that they took from their employer.
Among other key findings:
- Employees are more likely to take data when they don’t trust their employer.
- Employees are taking proprietary and confidential data that might affect their former company’s business competitiveness and could result in a data breach.
- The documents most susceptible to theft are email lists and hardcopy files.
- Employees leave their laptops but take CDs, USB memory sticks, and PDAs.
- Employees were able to access their former employer’s computer system or network after departure.
The implications, according to Ponemon, are unavoidable: “Not only is this putting customer and other confidential information at risk for a data breach, but it could affect companies’ competitiveness and future revenues.”
As troubling as the study findings may be, it’s important for organizations to understand that data loss during downsizing is preventable. Organizations can prevent employees from sending sensitive content to personal email accounts or downloading it onto USB drives. They can do so by implementing data loss prevention technologies that show them exactly where sensitive data resides and how it is being used, which in turn will enable them to prevent it from being copied, downloaded, or sent outside the company.
The study has five recommendations that organizations should implement immediately:
- Ensure that policies and procedures clearly state that former employees will no longer have access to sensitive and confidential information they used in their jobs. This includes information on laptops, other data-bearing devices, and paper documents.
- As part of the exit interview, a supervisor and someone from IT security should conduct a thorough review and audit of the employee’s paper and electronic documents.
- Before the employee leaves, companies should monitor the employee’s access to the network to make sure sensitive and confidential data is not being downloaded.
- Ensure that the former employee is not able to access the network or system once he or she has been terminated.
- Extra precautions should be taken with former employees who have been asked to leave and/or are disgruntled.
The Ponemon study’s findings should serve as a wake-up call across all industries: sensitive data is walking out the door along with laid-off employees. Even if layoffs are not imminent, companies need to be more aware of who has access to sensitive business information.
As the study suggests, much data loss is preventable through the use of clear policies, better communication with employees, and adequate controls on data access. To learn more about protecting your confidential information, see Symantec Data Loss Prevention.