Innocent espionage?

Article Index

There are many business issues that will keep a senior manager awake at night. But often, it is the unexpected that really takes the rug from under your feet. Research just completed by Iron Mountain looked at some of the information threats that can slip beneath the radar. The finding that as many as a third of employees have openly admitted to taking or forwarding confidential information out of the office will no doubt come as a shock to many of the more trusting business owners out there. 

The ‘leaking’ types

Rather than panicking about a need to apply extra security measures or instigating an internal investigation to identify potentially disloyal employees, it’s important for the HR department to understand the reasons behind why these leaks happen. A view of data leaks as the work of malicious and resentful workers out to harm the company is a common perception. More often than not, however, employees will not realise they are doing anything wrong. 

Security industry blog Securelist recently drew up a list of insider profiles to help companies recognise and understand the different kinds of employees who are likely to leak information - and explained the motivational forces behind why they would do it. Among the profiles the most common type is the ‘careless insider’, defined as a non-managerial employee who leaks information unintentionally, and alongside them is the ‘naïve insider’ – vulnerable to unscrupulous market research or some other confidence trick to glean valuable information. Of course there are malicious types as well, including the ‘saboteur’ – often a disgruntled employee who feels passed over, and the ‘disloyal insider’ – generally someone who is about to leave the company. 

Risk increases when employees leave

While some employees leak information – intentionally or otherwise – for years, the risk is greater when it comes to employees looking to leave the company. Perhaps unsurprisingly, the likelihood of an employee taking and sharing confidential information on their exit increases when they have been fired as opposed to resigning. Our research showed that 72% of those who had taken information when they left their company believed it would be helpful in their new job. The implication of this is that your company’s valuable information assets could be walking straight out of the door and into the hands of a direct competitor. 

Again, I must stress that many of these employees don’t actually feel like they’re doing anything wrong, and may often feel as though the information is theirs to take and use as they see fit. Around two-thirds of respondents said they had taken or would take information they had personally been involved in creating.

This sense of ownership often extends to confidential customer databases, irrespective of the fact that the removal of this type of data is illegal under data protection laws. Presentations, company proposals, strategic plans and product or service roadmaps are other favourites. Collectively, this represents highly sensitive and valuable information, much of which is critical to an organisation’s competitive advantage, brand reputation and customer relationships. This is where HR departments really have to step up to the plate and ensure that all employees have a thorough understanding of legislation and company information management policies. 

Some suggested actions

Aside from individual attitudes and moral codes, the sense of entitlement to and ownership of information seems reliant on the employers’ approach to how the movement of information is governed, and the effort invested in keeping staff informed on evolving information management policy and practice. 

One clear solution is for information management policies to be developed closely with Human Resources as part of a Corporate Information Responsibility programme that involves people across the organisation in a culture that respects the need to keep sensitive information secure. Firms of all sizes, across all business sectors, need to ensure that employee exit procedures are robust and compassionate, and that guidelines recognise that how people feel can influence their behaviour and actions.

Accept it - you simply can’t lock down everything on site, which means you would be advised to make your employees the first line of defence when it comes to protecting your information. If you have information that you need to keep out of the hands of employees, then you should be working with third party experts to get it off site.

If business leaders have recognised the internal threat and made information policies and processes operational, then they can sleep soundly, confident that they are doing their utmost to keep corporate information secure. Fail to do so and the careless or naïve employee is as likely to do harm as any malicious individual intent on damaging the business.

Add comment

Security code

Forgotten your password?

I'd like to subscribe
Subscribers only - te law will answer your employment law queries. Find out more about our email support

Now there's more ways to stay in touch

Join Us on Linked in Become our Fan on Facebook Follow us on Twitter