Naivety and misplaced trust are a dangerous combination in business. Nowhere is this more clearly seen than when it comes to managing information risk. A recent study[i] reveals that 87 per cent of companies across Europe do not believe that their employees take information with them when they leave. For 81 per cent this confidence stems from the introduction of robust measures that include asking employees to sign non-disclosure agreements, blocking access to company IT networks upon departure, ensuring data cannot be copied onto discs or USB keys, and escorting those in high risk positions from the building the moment they hand in their resignation. Well that’s all right then.
Except, three quarters of those surveyed never bother to check whether any of these measures actually prevent information being removed, and a different study[ii] – one that asked employees what they really do with information when they leave – paints a very different picture. Employees, it revealed, happily take highly confidential or sensitive documents and databases with them, and many believe they’re doing nothing wrong.
Two thirds said they had taken or would take information they had been involved in creating, and 72 per cent said they believed the information they took would be helpful in their new job.
European office workers are also walking out the door with presentations (46 per cent of those who took information), company proposals (21 per cent), strategic plans (18 per cent) and product/service roadmaps (18 per cent). More worryingly, half (51 per cent) are helping themselves to confidential customer databases, despite data protection laws forbidding them to do so. If measures to block access to information kick in as soon as employees resign, then the chances are this material is disappearing just before they do so.
All this makes the confidence among employers look worryingly out of touch. Especially when you consider the value that information holds for the sectors covered by the research: financial services, legal, insurance, pharmaceuticals and manufacturing and engineering.
It is vitally important that employers understand this. Employers need to realise that managing the information risk of departing employees is not just about having an impressive process in place. It’s about making sure that it achieves its purpose.
In other words, locking an employee out of your company IT network on the day he or she resigns is well-intentioned but meaningless if the employee spent the previous week quietly printing off sensitive papers or emailing customer databases to their personal email account.
It’s not all bad news. Two thirds (67 per cent) of employers appreciate that employees leaving for a new role represent a risk to information security. Most just feel they have done enough to address it. So what more can or should they be doing?
The answer lies in employee communication and education. It is important that employees understand what constitutes confidential information and what the legal and/or reputational implications of removing data might be.
The 2012 study discovered a direct correlation between employee behaviour and the existence and communication of corporate guidelines. For example, 80 per cent of respondents from Germany understood what information could or could not be removed from the office, compared to a European average of 57 per cent – and just a third had taken documents they had created with them when they left, against a European average of 56 per cent). In other words, if employees know what is expected and why, they will act accordingly.
For the most sensitive and confidential data, additional IT-enabled security measures can be implemented, such as preventing employees from saving such data locally on their PCs. Centrally stored data, such as patient records or research statistics can be made available on a read-only basis following a formal request. This is a practice already widely adopted in healthcare.
The message is clear. To keep data secure at all times and not just at the point of exit, employers need to build a culture of accountability, respect and trust for information – both on paper and digital – underpinned by strong security safeguards.
Christian Toon, Head of Information Risk, Europe, Iron Mountain
About Iron Mountain:
i Beyond Good Intentions: The need to move from intention to action to manage information risk, PwC for Iron Mountain, June 2014. PwC surveyed senior managers in Germany, Hungary, the Netherlands, Spain, UK, the United States and Canada, with 250 or more employees, in the legal, financial services, pharmaceutical, insurance and manufacturing & engineering sectors.
ii Opinion Matters for Iron Mountain, June 2012
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.