Laid off workers likely to steal company data, survey warns

By Erin Kelly, Contributor 24 Feb 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Employees who leave their companies -- whether voluntarily or by force -- are now more likely to steal confidential company information on their way out, especially if they don't trust their employer, according to a recent survey.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The report, "Jobs at Risk = Data at Risk," is based on a Symantec Corp. and Ponemon Institute survey of 945 participants located in the U.S. who have been laid off, fired or changed jobs in the last 12 months. It found 59% of employees who leave or are asked to leave are stealing company data, such as contact lists, employee records and other business documents.

Rob Greer, senior director of product management at Symantec, said often times when company security policies are unclear, some employees feel they are entitled to take data with them when they leave as parting gifts because they helped build or create the data. However, there are also instances where malicious insiders may take being laid off or let go personally and try to inflict harm on the company.

Economic doldrums: PCI costs slow compliance projects in down economy: PCI projects at some firms face scrutiny and funding shortfalls due to the economy. Security spending continues despite shaky economy, Forrester finds: An uncertain economy is causing many companies to do some budget tightening, but the continued barrage of data breach news has helped keep data security a priority in most companies. Four ways to prioritize security programs in bad economy: While IT pros should evaluate their ongoing security processes and technologies, security vendors also need to make an assessment of their overall value and adjust the business. Report offers security strategy tips to overcome funding problems: The economy is forcing companies to accept more risk, but a new report offers tips to showcase the value of the security team.

The report found that 61% of respondents who had negative feelings about their company took data, while only 26% of those with a favorable view of their company took data. Employers should focus on communicating with their employees to prevent negative sentiments that may result in malicious activity and stolen information after a layoff, Greer said.

The financial crisis has sent the economy spiraling, resulting in increased layoffs in many industries. The U.S. unemployment rate is at 7.6%, the highest in more than 16 years. Banks and other financial institutions have been especially hard hit with layoffs and could face the greatest risk of data leakage from insiders. The highest percentage of survey responses came from the financial services industry, Symantec said.

"Generally speaking when thinking about companies that are dealing with this economy and laying people off, if [employers] focus more on communicating and being more open as to what's going on within the company as much as they can, the likelihood of having employees take data would be less likely as [employees] are not constantly wondering about the status of their job," Greer said.

Companies are failing to take proper measures to stop employee data theft. Eighty-eight percent of respondents reported their company did not do an electronic scan of devices such as portable data-bearing equipment or USB memory sticks before they left.

Greer advised companies to be proactive in managing their data and to form a comprehensive prevention strategy to prevent data loss.

"Know where your data is, how it is being used, and the best way to prevent its loss and do that across all three threat vectors -- endpoint, network, and storage -- and lastly, be consistent with the policy," Greer said.

Employee education is also instrumental in preventing data loss, Greer said.

SearchSecurity radio:

"Employees should know what the company's polices are and be aware of their actions and what actions might be used against them in the future," Greer said.

Another way to prevent employees from stealing data is implementing a solution that monitors end users, Greer said.

"If people know they're being monitored, they'll be less likely to do foolish things if they end up getting laid off."

While employees are taking information without permission, the majority are not looking to ruin the entire company, he said.

"You may have some employees that are very upset and more focused on damaging the employer, but the majority [of employees], based on the information in the survey, are more focused on utilizing that information in the future [for another job]," Greer said.

Tags: Security Awareness Training and Internal Threats,  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Awareness Training and Internal Threats Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management Data breach avoidance begins with security basics, panel says Monitoring program data and internal controls for risk management Software security threats and employee awareness training Twitter risks, Facebook threats trouble security pros Social engineering training could disrupt botnet growth How to write a risk methodology that blends business, security needs Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary