Just ran across this article on workers “stealing company data” on the BBC news web site. The story is based upon a recent Ponemon study (who else?) of former employees and the likelihood they will steal company information. It turns out that most of those polled will in fact take something with them. The Ponemon numbers are not surprising as this tracks closely with traditional forms of employee theft across most industries. What got me shaking my head was the sheer quantity of FUD being thrown out with the raw data.
A “surging wave” of activity? You bet there is! And it tightly corresponds to the number of layoffs. I am guessing when I say that the point Kevin Rowney of Vontu Symantec was trying to make is that companies do very little to protect information from insiders, especially during layoffs. But the author makes it sound as if insider theft is bringing about the collapse of western civilization.
What I don’t believe we can do here is try to justify security spending by saying “Look at these losses in revenue! They are staggering! We’re getting killed by insider theft!” These companies are in trouble to begin with, which is why they are laying people off. Ex-employees may be taking information because their accounts are still active, or they may have left with it at the time they were fired. But just because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales. And the capability for ex-employees to do this, especially in this economy, is probably going down, not up.
The employee who has backup tapes in their closet may dream about “sticking it” to their former employer, but odds are high that the information the employee has will never result in the company suffering damages. Heck, they would actually have to land a new job before that could happen. I know some HR reps who probably envision their ex-employees contacting their underground ‘connections’ to sell off backup tapes, but how many employees do you really think can carry this off? You think they are going to sell it on eBay? Call a competitor? We have seen how that turns out. No use, no loss.
There is also a huge double standard here, where most companies propagate the very activity they decry. When I worked at a brokerage, it was one of our biggest fears that an employee would steal one of our “books of business”, taking it to another brokerage, and that was when I first learned about the difficulties in protecting data from insiders and enforcing proper use. On the flip side, it was expected that every broker who interviewed had their own “book of business”. If they didn’t, they were ‘losers’ or some other expletive right out of Glengarry Glen Ross. Having existing relationships that could immediately bring in clients to the organization was one of the top 5 considerations for employment. Most salesmen, attorneys, financiers and executives are considered not just for the skills they possess, but the relationships they have, and the knowledge they bring to the position. That knowledge is typically in their heads, rolodexes and their iPhone. I am not saying that they did not have paper or electronic backups as well, as 15% of the respondents admitted they did. My point is that companies cry foul that they are the victims of insider theft, but in reality they fired or laid off an employee, and that employee took a job with a competitor. I have trouble calling that an insider attack.