That almost sounds like the title to a bad movie, almost. In reality it’s a real problem today, since most of the important information inside any business is digital information. In the past, if you wanted to keep your secrets safe, you locked your filing cabinets or stored paper documents in a safe. Today, information is all over the place and in many forms. Someone leaving your company could walk out the door with the keys to the kingdom.
Much of our important information is either sitting in databases or documents. These may be on premise or in the cloud. Most of us think that if it’s in a database, we have it secured, but a lot of people run reports that export the data into regular spreadsheets or word processing documents.
But it’s not just what we think of as traditional documents. It’s also in presentations, videos, photographs, image and audio files. Just think about how damaging the tapes of conversations from the Nixon White House were during the Watergate scandal. It’s also email messages in your inbox and on email servers. Voicemails on your cellphone. Or it could be source code to your software product.
Granted that a lot of this information is pretty innocuous, but clearly your company’s livelihood exists in many documents. Your customer lists, financial information, manufacturing processes, product designs and even software source code are all written down somewhere. All of this information is very valuable to your competitors and in some cases could invite legal action. Think back to Enron, Goldman Sachs and of course the theft of sensitive diplomatic information from the US government that wound up on WikiLeaks.
Is it really that common to have a departing employee steal valuable information? According to studies by the Ponemon Institute, 65% of people admitted to taking email lists, 45% admitted to taking non-financial business information, and 39% said they took customer information.
In a study by Symantec last year, two forensic psychologists examined corporate data theft trends from existing employees and other insiders. The research showed that in about half of intellectual property (IP) theft cases the employee stole trade secrets, followed by business information such as billing information or price lists. Employees also took source code, proprietary software, customer information and business plans. In 75% of cases the person had authorized access to the information they stole. That makes it a lot harder to solve this problem by strengthening perimeter based security, like firewalls and intrusion detection systems.
Why do people do it? In some cases a competitor will pay a lot of money for corporate secrets. In many, it’s so the employee can have an advantage in their next job.
So what can you do to prevent theft of your important information? As with anything complex, it’s a combination of people, process and technology. I’ll start with people, since that’s the most difficult. When you hire someone, you should let them know about your information policies. What is the company’s and what is theirs. This needs to be reasonable. Many companies still say anything created on company time or with a company device belongs to the company. In today’s world with work and personal time blurred so much, this needs to be reasonable and spelled out.
Another important point is that your company needs to show employees their value. If an employee is engaged, feels part of a team, enjoys their work and feels that the company values them, there is less likelihood of data theft. The Ponemon Institute survey I cited earlier said that 61% of people who took information had a negative view of their company, while only 26% had a positive view. I feel like I am an important and valued part of a company, stealing from the company feels like stealing from myself. If I am unhappy, it’s easy to justify stealing.
On the technology front, many organizations spend a lot of money on perimeter security. Much of that is intended to keep out the bad guys. That does nothing for the trusted insider. Since most of the IP in a company is in documents, the best way to protect yourself is by encrypting the files with a persistent security policy that controls access to the file no matter where it is. If you suspect sensitive information was taken, you can remove the access to that document. This renders the information inside useless. It doesn’t matter if it’s a Microsoft Word document or a jpg.
Stopping information theft by employees is not an easy problem to solve. Your first goal should be determining the value of your information. Then you can decide who should access it and how to protect it. Creating a company of trusted, loyal, engaged employees is part of the answer. The other is putting in technology that controls access to the documents that houses that information. This protects malicious and accidental leaks.
Two way trust goes a long way. But an added layer of security is there, just in case.
Photo credit mac_filko