Theft of confidential company information by employees is rampant; fortunately, there are steps employers can take to mitigate the risk of employee data theft. The Wall Street Journal recently reported the results of a survey conducted by the Ponemon Institute and Symantec Corp., which found that half of the employees surveyed said they had taken sensitive business documents with them when they changed jobs, in an article titled, “Departing Employees Are Security Horror.” This issue is more common and serious than ever because of the proliferation of email, online storage and departing employees using their own flash drives and handheld devices to carry and transfer data – all it takes is a few clicks. Employee data theft poses serious risk to company profits and sustainability.
The nature of the confidential information stolen by departing employees varies and ranges from specific intellectual property, such as source code, to client information and contact lists. Typical stolen items include:
- Client lists and “Rolodex” information
- Trade secrets or the “special sauce”
- Price lists and costing information
- Future opportunity data (project proposals, future contracts, etc.)
- Employee records and personnel information
- Investment, accounting (stock, profit/loss) and credit data
There are many signs that corporate data may be at risk. Some are obvious after the fact, and some can only be found using Digital Forensic techniques. Common indicators that data theft may have occurred or that data is at risk include:
- Employee mass printing or copying of specific documents
- Unusual timing of employee data access (i.e., after typical business hours or while on leave)
- Employee copying to USB drives or the cloud
- Unusual employee email patterns
- Accessing personal email from company devices, particularly email with attachments
- Communication with competitors or potential employers
- Communication with clients with intent to steal them
- Communication with other employees with intent to steal them
- Accessing competitors webpages and social media accounts
- Destruction or modification of data
- Multiple employee departures (particularly from same department) within a short period of time
Typically, these suspicious employee actions take place in the weeks, days and hours immediately preceding the employee’s resignation or departure.
Few employers invest the time, effort or money to assess and implement policies and procedures to address the risks posed by departing employees before risks develop. As a result, employers are left scrambling to put out fires after employees leave and take confidential company information with them. Because it is easier and less expensive and time consuming to prevent the problem of employee data theft than to fix it after the problem arises, employers with sensitive or confidential information should include members of the management team, human resources and information technology professionals to develop and implement an effective confidential information security plan. The plan should include several elements:
- Initial internal risk assessment of threat to confidential information by employees and others
- Identify and prioritize the need for protection of each type of confidential information
- Know who has access to what, where and how
- Develop policies and documents to protect the confidentiality of information
- Internal markings designed to clearly illustrate what is confidential
- Internal physical and electronic access restrictions for those on a need-to-know basis
- Incorporate clear confidentiality provisions in employment contracts, handbooks, policy statements and other written agreements with employees, vendors, etc.
- Adopt appropriate email/computer use and mobile device policies to permit monitoring, deter misbehavior and eliminate employee expectations of privacy in electronic communications
- Develop computer and handheld device policies for personnel to minimize risk of data traveling to unauthorized places
- Establish effective monitoring and auditing of all policies (Having a policy that states employees are prohibited from copying data to personal devices or clouds is not sufficient or effective because there is no way to know when it happens)
- Conduct employee and vendor training on policies
- Conduct employee exit interviews that address physical and electronic access to information including devices used by or issued to the departing employee, ask questions about future plans/employment and conduct audit/analysis of employee data use depending on potential risk
- Disable all departing employee accounts, email, remote access, key cards, etc.
- Maintain internal access to departed employee accounts for possible future investigation or audit
- Safeguard employee electronic devices after departure (forensic image and storage of data) or “wipe” personal devices used for work as permitted/required by company policies
- Conduct risk analysis of employee activity during the weeks/months prior to employee departure
Unfortunately, no matter how diligent the effort, no data protection policies or systems can prevent all risk of employee information theft. Therefore, when theft is suspected:
- Determine the nature and possible magnitude of risk posed by the disclosure or misuse of the information that was stolen
- Contact your legal department or attorneys
- Preserve all involved devices, including departed employee devices, network shares, email stores and cell phones
- Contact a digital forensic company experienced in risk analysis and mitigation
Departing employee data theft is a very real threat to businesses big and small in today’s high-tech media age. But, by taking a preventative, preemptive approach to the problem, businesses hold the power to protect their bottom lines, security and reputations.
Co-author Michael Miguelez is the CEO of OPTiMO Information Technology LLC and OPTiMO Digital Forensics. He can be reached at 877-564-8552 x 701.
Co-author Jacob Sitman is an Attorney at Fitzpatrick Lentz & Bubba He can be reached at 610-797-9000, ext. 383.
This article was published in the March 10, 2014, edition of Lehigh Valley Business.