Data Leakage Protection

Employees Will Steal Your Data – Are You Protecting the Right Stuff?

We in the security industry talk a lot about the risks of data theft and/or loss, especially by an insider. A quick look through the recent entries into the Open Security Foundation’s DataLossDB makes that case more concrete, be it via an innocent mistake (like losing a laptop) or outright theft (like the Countrywide case, where an insider stole 20,000 records a week for a couple of years by downloading them onto a USB stick). And we’ve talked here before about how the insider risk seems to have increased in these recessionary times of late.

And so it is that a new survey of insider attitudes towards taking company data when leaving a company. In this online survey by Harris Interactive of about 1600 workers in the US and UK with access to their organizations’ IT network, we learn that:

  • 49% of US workers and 52% of UK workers admitted they would take some form of company property with them when leaving a position;
  • 29% (US) and 23% (UK) would take customer data, including contact information;
  • 23% (US) and 22% (UK) would take electronic files;
  • 15% (US) and 17% (UK) would take product information, including designs and plans; and
  • 13% (US) and 22% (UK) would take small office supplies.

I

n addition, we learn that if they were mistakenly given access to confidential information (e.g., salary or personal data, or pending merger plans), then:

  • 45% (US) and 57% (UK) would look at the file, while 36% (US) and 27% (UK) would not look but alert a manager to the mistake; and
  • 0.5% (US) and 1% (UK) would try to sell that confidential data, while 2% (US) and 3% (UK) would look at it and then tell others about what they learned.

Now, it’s important to realize that this survey is meant for informational purposes, not predictive purposes. After all, there are some obvious pitfalls when doing online surveys; for instance, are folks who are willing to spend time, most likely during work hours, answering a survey more prone to playing it loose and fast when it comes to their employers’ data? And since I don’t have the original report, I can’t analyze it for other tidbits; for instance, how did the responses pan out when looking at employment status (FT vs. PT vs. contractor)? Was one group pulling the data in one direction or the other?

But all that notwithstanding, it does jibe with other data we’ve seen. For instance, there was the Cyber-Ark study (PDF; reg. req’d) released in December 2008 which showed that a majority of folks in the US, UK and Holland would pre-emptively download company/competitive information if they thought their jobs were in danger. And then there’s the February 2009 study from the good folks at the Ponemon Institute (PDF), which reported that 59% of unemployed US workers admitted to stealing data from their former employer. Concentrating on US workers, we get the following:

Study Rel. Date Percentage
Harris Aug-2010 49%
Ponemon Feb-2009 59%
Cyber-Ark Dec-2008 58%

Overall, it seems that this rate of US workers are willing to steal data when leaving a company is holding steady over time (let’s call it in the 50% ~ 60% range). Indeed, one of the interesting aspects of the Harris study is that roughly half of the respondents (45% in the US, 57% in the UK) felt that this rate was not influenced by the recession, belying our long-held notion on causation.

And note that this pertains specifically to what we would call corporate IP, not the “toxic” consumer data that garners all the headlines and compliance regulations. But if your security focus is limited to complying with the letter of the law, it’s likely that you’re not focused on protecting these corporate secrets, and thus not paying attention to the sort of data theft—by malicious insiders—that we in the security industry often talk about. And since these secrets actually make up two-thirds of the value of organizations’ information portfolios (PDF), this issue probably deserves some attention. After all, how many companies could lose their next chip design worth over $1 billion (PDF) or R&D plans worth more than $600 million and survive?

I get the sense that most large enterprises are actually very focused on protecting corporate IP, as that’s how they make revenues—but I wonder how many small- to mid-sized businesses are? By understanding the value of all the data in their possession and leveraging various regulations and standards which pertain, they could make great strides without too much additional work or cost. If you’re wondering where to start, you might check out this video by my fellow blogger Paul Henry—and then perhaps study the “Quick Wins” recommended in the Critical Security Controls that we’ve discussed before.

But by all means, pay attention to that guy in the cubicle next you—he might the one siphoning off your precious corporate data!

Technology Bridge can implement solutions that prevent your precious data from growing feet.  Call today to speak with one of our professional consultants.