In the last few months we have learned that national security agencies could be trawling through our most intimate conversations; that employees of a digital firm are upset because they have been banned from homeworking; and that the European Commission has apparently advised its officials visiting Greece to invent fake life stories, stand away from the windows and not to take sensitive documents out of the office.
These three very different stories have two things in common. Firstly, they were all documented in writing. Secondly, the resulting documents – one presentation and two internal memos in the case of the above – were deliberately made public.
Whether you consider the culprits whistleblowers or “disgruntled employees” out for revenge, the fact is that people’s emotions play a huge part in the decision to leak information they know to be confidential and potentially damaging to their current or former employer. Revealing sensitive company data is a high-risk strategy. The employee concerned risks derision, dismissal or even a prison sentence, while the employer faces a potential PR disaster, a breach of increasingly stringent data protection laws, or even criminal proceedings.
We recently undertook a research[1] study of office workers in Europe to find out what provokes employees to use information as a form of revenge. The results showed that employees may look to take data revenge when they perceive the way they are treated to be unfair. At the top of the list of employee grievances comes blame for something that is not the employees fault (21 per cent) followed closely by unkind treatment (19 per cent).
One in four (27 per cent) employees would content themselves with venting their feelings across the office. However, a further 24 per cent would let off steam with an email to friends and family – paving the way for further distribution, and a worrying 11 per cent would deliberately remove confidential or sensitive information from the office, regardless of whether or not it was related to the incident.
In other words, when it comes to employee behaviour with information, hearts generally win out over heads, and the personal over the professional.
Of course, not everyone has access to potentially harmful, media-friendly material – but that doesn’t mean that much of the information that office employees do have access to is not of critical business importance. Our research[2] shows that people leave jobs armed with valuable customer databases (45 per cent), presentations (39 per cent), strategic plans (13 per cent), company proposals (9 per cent) and product or service roadmaps (7 per cent). In the wrong hands, any of this could significantly harm a business’ competitive advantage, brand reputation and customer loyalty.
It is vitally important that employers realise that responsibility for information security is not just about robust guidelines and processes, but also about improved people management and understanding.
Companies need to ensure that employee performance issues are tackled early on, and fairly, and that staff concerns about potential malpractice or mistreatment are taken seriously and investigated.
It is about building a culture of information responsibility that includes trust and respect for employees and respect for the value of information that belongs to the employer. As the CIA discovered earlier this year, you can’t build a culture through internal directives. The organisation launched a confidential programme to cut down on number of confidential data leaks across its intelligence network. The memo was promptly leaked to the Associated Press. Organisations need to communicate carefully about the need for data protection and lead by example.
Christian Toon | Risk and Security at Iron Mountain | @christiantoon
Bio: Christian Toon, has a wealth of experience in the industry and ensures that governance, risk and compliance requirements are met within both new and existing contracts from across the continent. These contracts include some of the industry leaders in business today. He enjoys the challenge that comes with interpreting customer problems and solving them with a risk-based approach, with strong interests in the causes of data breaches, identity theft and bring your own device.
[1] Research by Opinion Matters for Iron Mountain. The survey was carried out between 15/04/2013 and 01/05/2013. Sample: 5021 employed adults in the UK, France, Spain Germany and the Netherlands.
[2] Opinion Matters for Iron Mountain, June 2012
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.