Claims that a quarter of departing employees would steal data highlight a less visible, but no less difficult, threat.
Amichai Shulman, CTO of Imperva, pointed to a recent survey which found that more than half (52 per cent) of UK workers would take some form of company property with them when leaving a position, with a quarter (23 per cent) saying that they would take customer data. Electronic files would be taken by 22 per cent.
Shulman said: “More than anything, this highlights something we've been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult threat in addition to the well-publicised external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled.
“In addition, this shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed - staff also need to be monitored during their employment, as the information may not necessarily be ‘maliciously’ downloaded after the termination notice, but rather information was rightfully obtained and collected by the employee over time and actually should have been removed upon termination by the IT team.”
The survey, conducted by SailPoint, asked workers what they would do if they were inadvertently granted access to a confidential file (such as one containing salary information, personal data, or plans for a pending merger) – 57 per cent said they would look at the file, while 27 per cent said they would not look, but would alert a manager to the mistake.
Only one per cent stated that they would attempt to sell confidential data found in improperly secured files, although three per cent said that they would look and tell others about the information they saw.
Shulman pointed to an incident, highlighted by SC Magazine US in 2007, in which a scientist at DuPont wrongfully claimed ownership of the formulas he had discovered, claiming them as part of his work portfolio to be presented at his next company, despite the fact that they were allegedly worth $400 million.
He said that there should be a line drawn between what is company intellectual property, and what are employee skills that have been established over the years.
“There should be a clear distinction between an employee's claim regarding the ownership of certain knowledge and the ownership of any materialised form of that knowledge. In the case of a contact list, there is probably much truth in the fact that these relationships are the employee's ‘core competence’ (much like a programmer's coding skills obtained during his employment period). However, retrieving the list of contacts from a company database and storing them to a file should be considered illegal,” he said.
With regard to the finding that 57 per cent would look at the file, Shulman said: “This figure is surprising as I would have thought that 99 per cent of people accidentally stumbling into such information on the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty.
“However, employers still need to be cautious, as this shows how existing employees can be considered a snooping risk. The moral here is that you must secure all your company data and only allow authenticated plus logged access on a carefully controlled access basis.”