Data breaches may conjure images of malicious hackers and global cyber gangs, but often the worst breaches come at the hands of a company’s own employees. Whether these workers are well-meaning but careless, or soon to be ex-employees en route to a competitor, a company’s staff can pose a serious threat to its security.
The headlines are rife with stories of companies that have been burned – intentionally or accidentally – by their own employees. As just one example, DuPont faced this problem a few years ago when it discovered that one of its research scientists had stolen more than 600 files by copying them to a portable hard drive, prompting DuPont to file a lawsuit against the scientist for breach of contract and misappropriation of trade secrets. Previously, another DuPont research scientist was sentenced to 18 months in prison for stealing proprietary company information valued at $400 million.
While internal breaches as spectacular as this may not be the norm, most companies will be impacted – at the very least – by garden variety breaches at the hands of departing employees. A Ponemon Institute study on this topic found that many employees on their way out the door feel entitled to company information or work product, with nearly 60 percent of employees who quit a job or are asked to leave stealing some kind of data.
Seventy-nine percent of those who admitted to taking data said they did so despite knowing that this wasn’t permitted. E-mail lists were the most commonly stolen data, followed by non-financial business information, customer contact lists, employee records and financial information. Almost one quarter of the study’s respondents said they still had access to their employer’s computer network even after they left, which shows how easy it can be for ex-employees to cause harmful data breaches. If an organization hasn’t properly trained its employees or protected itself, it can face both financial liability to customers whose data was stolen by employees and federal prosecution.
So what steps should organizations take to bolster their security from current or former staff?
- Make sure your company has clear policies and procedures in place which address data security.
- Train your employees how to protect information. Make sure staff members know that they should never share passwords, never post them where others can see them, and change them whenever compromise is suspected. (If you keep a fixed rotation schedule, note that current NIST guidance in SP 800-63B no longer recommends forced periodic changes, since they tend to produce weaker, predictable passwords.) Remind employees never to leave files open on an unattended screen and to destroy confidential documents that are no longer needed.
- Assign a privacy officer to stay on top of these issues. Whether it’s a full-fledged position or an added responsibility for a designated employee, a privacy officer will help keep your company in compliance with identity theft laws.
- Offer your employees an identity protection program. This will serve to both protect your employees and help enforce some of your privacy procedures.
- Install monitoring systems, whether run in-house or outsourced to a third party. Watch for patterns that should raise red flags, such as an employee logging in late at night and opening many files in a short span, or data being transferred to mobile or external devices. Pair this with a prompt account-revocation step in your off-boarding process, since the study above found that a quarter of departed employees still had network access.
- Develop a culture of privacy awareness. Keep the topic of security front and center in the communication and activities with your staff.
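To make the monitoring item above concrete, here is an added example (not code from the original article or from any vendor it mentions) that runs two of the red-flag checks it describes over a constructed file-access log: a burst of distinct files read outside business hours, and a copy to removable media. The log format, the business-hours window, the burst threshold, the list of removable-media paths and the "departing employees" watchlist are all assumptions for illustration; adapt them to whatever your file server or DLP tool actually emits.

```python
"""Insider-threat heuristics over a constructed file-access log.

Added example for this article, not the article's own code.
Log format, thresholds and removable-media prefixes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO-8601 UTC> <user> <action> <path> [-> <destination>]
SAMPLE_LOG = """\
2024-03-14T09:05:12Z bob READ /share/eng/spec.docx
2024-03-14T02:13:05Z alice READ /share/finance/q1.xlsx
2024-03-14T02:14:40Z alice READ /share/finance/q2.xlsx
2024-03-14T02:16:02Z alice READ /share/sales/customers.csv
2024-03-14T02:18:30Z alice READ /share/sales/pipeline.xlsx
2024-03-14T02:20:11Z alice READ /share/hr/employees.csv
2024-03-14T02:22:47Z alice COPY /share/sales/customers.csv -> E:\\backup\\customers.csv
2024-03-14T14:30:00Z carol COPY /share/eng/spec.docx -> /home/carol/spec.docx
2024-03-14T23:59:59Z dave READ /share/eng/readme.txt
"""

BUSINESS_HOURS = range(7, 20)              # assumption: 07:00-19:59 UTC is normal
BURST_FILES = 5                            # assumption: distinct files in one window
BURST_WINDOW = timedelta(minutes=30)       # assumption: window length
REMOVABLE_PREFIXES = ("E:\\", "F:\\", "/media/", "/Volumes/")  # assumption


def parse_line(line):
    """Split one log line into a dict; 'dest' is None unless the action had a target."""
    ts, user, action, rest = line.split(" ", 3)
    path, _, dest = rest.partition(" -> ")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "path": path,
        "dest": dest or None,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_off_hours(ts):
    return ts.hour not in BUSINESS_HOURS


def off_hours_bursts(events):
    """Map user -> (window_start, n_files) for the first off-hours window in which
    the user touched at least BURST_FILES distinct files within BURST_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if is_off_hours(e["ts"]):
            per_user[e["user"]].append(e)
    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= BURST_WINDOW]
            files = {e["path"] for e in window}
            if len(files) >= BURST_FILES:
                alerts[user] = (start["ts"], len(files))
                break
    return alerts


def removable_media_transfers(events):
    """COPY events whose destination sits on an assumed removable-media path."""
    return [
        e for e in events
        if e["action"] == "COPY" and e["dest"] and e["dest"].startswith(REMOVABLE_PREFIXES)
    ]


def triage(log_text, departing=frozenset()):
    """Return (severity, user, message) tuples; anyone on the departing
    watchlist (assumed to come from HR) is escalated to HIGH."""
    events = parse_log(log_text)
    findings = []
    for user, (start, n) in off_hours_bursts(events).items():
        findings.append((user, f"{n} distinct files read off-hours from {start:%H:%M}Z"))
    for e in removable_media_transfers(events):
        findings.append((e["user"], f"copied {e['path']} to removable media {e['dest']}"))
    return [("HIGH" if u in departing else "MEDIUM", u, msg) for u, msg in findings]


if __name__ == "__main__":
    for sev, user, msg in triage(SAMPLE_LOG, departing={"alice"}):
        print(f"[{sev}] {user}: {msg}")
```

Both checks are deliberately simple sliding-window and prefix rules; the point is that an HR-fed watchlist of people who have given notice turns an otherwise routine medium-severity signal into one worth a same-day look, which is exactly the population the Ponemon figures above single out.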