Employees 'don't think twice' about stealing corporate data

56% of employees in a recent survey say that they do not believe it is a crime to use competitive data taken from a previous employer
56% of employees in a recent survey say that they do not believe it is a crime to use competitive data taken from a previous employer

Most workers are unconcerned about the privacy of corporate information: More than half (56%) of employees in a recent survey say that they do not believe it is a crime to use competitive data taken from a previous employer.

Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, according to a global survey from Symantec and, worse, 40% plan to use it in their new jobs.

“Companies cannot focus their defenses solely on external attackers and malicious insiders who plan to sell stolen IP for monetary gain,” said Lawrence Bruhmuller, vice president of engineering and product management at Symantec, discussing this 'frenemy' phenomenon. “The everyday employee, who takes confidential corporate data without a second thought because he/she doesn’t understand it’s wrong, can be just as damaging to an organization.”

The results clearly show that everyday employees’ attitudes and beliefs about intellectual property (IP) theft are at odds with the vast majority of company policies.

It’s not just that the average employee doesn’t consider this information-leakage theft – they also believe that their companies don’t mind. About 68% say their organizations do not take steps to prevent employees from using confidential competitive information from third-parties. Only 47% say their organization takes action when employees take sensitive information contrary to company policy, and 51% think it is acceptable to take corporate data because their company does not strictly enforce policies.

Only 38% of employees say their manager views data protection as a business priority.

“Organizations are failing to create an environment and culture that promotes employees’ responsibility and accountability in protecting IP,” the report authors noted.

In a testament to the rise of mobility and the security challenges that it presents, employees were also found to move IP outside the company in all directions, and never clean it up. About 62% say it is acceptable to transfer work documents to personal computers, tablets, smartphones or via online file-sharing applications. The majority never delete the data they’ve moved, because they do not see any harm in keeping it.

“Everybody loses when a mobile employee steals trade secrets – the company who invested in the IP, the employee who took it, and the organization that receives it, even unknowingly, who most often is on the hook for defending the litigation that follows,” said Dave Burtt, founder of Mobility Legal PC. “Before employees exit, dust off agreements they likely haven’t looked at in years, figure out all of the places the employee has stored sensitive company information and get it back, and ensure that employees understand their continuing obligations not to use or disclose company trade secrets.”

The survey also found that employees attribute ownership of IP with the person who created it. A little less than half (44%) of employees believe a software developer who develops source code for a company has some ownership in his or her work and inventions, and 42% do not think it’s a crime to reuse the source code, without permission, in projects for other companies.

Employee education is the key mitigation strategy for the issue, the report recommends. “Organizations need to let their employees know that taking confidential information is wrong,” researchers said. “IP theft awareness should be integral to security awareness training.”

Companies also should enforce non-disclosure agreements (NDAs): In almost half of insider theft cases, the organization had IP agreements with the employee, which indicates the existence of a policy alone – without employee comprehension and effective enforcement – is ineffective. Include stronger, more specific language in employment agreements and ensure exit interviews include focused conversations around employees’ continued responsibility to protect confidential information and return all company information and property (wherever stored), Symantec recommends.

Monitoring technology is helpful, too: companies can implement a data protection policy that monitors inappropriate access and use of IP and automatically notifies employees of violations, which increases security awareness and deters theft.

“When it comes to trade secret theft by mobile employees, an ounce of prevention is usually worth ten pounds of cure,” said Burtt. “We consistently see departing employees who don’t understand their obligation to keep trade secrets secret, but are just as often faced with companies whose own procedures are sorely lacking when it comes to protecting valuable IP.”

What’s hot on Infosecurity Magazine?