With Data Theft By Employees on the Rise, Don't Look at Cybersecurity as a Mission Impossible
One of my first jobs as a young adult was as a salesperson in the men's clothing section of a major department store. As I moved up through the ranks, I garnered more responsibility and trust from management -- as well as an impressive $5.25 an hour! Over time, I was even entrusted to watch and report suspicious shopper activity to the security team.
I took this responsibility seriously, especially when the security manager, Joe (he was known only by his first name), would leave me with the department walkie-talkie when he went to lunch. "Call me if you see anything unusual," is what he would tell me as he scanned the department one last time.
For me, it was Mission Impossible -- minus the self-destructing message.
After a few months of sleuthing, Joe confided in me that his biggest concern was not with shoplifters, but rather with employees. Apparently, the store had a big issue with internal theft, sometimes with employees running complicated and well-organized operations.
This completely blew my mind.
In reality, employee theft has plagued and continues to plague companies, with employees finding ingenious ways to rip off their employers. Today, the threat of theft goes far beyond stealing a few pairs of Guess jeans. It involves digital breaches and the loss of important company data.
Cybersecurity is a growing concern for companies. In fact, it is not a matter of “if” but rather “when” your company gets hacked. For this reason, enterprise security is a multi-billion dollar industry with nearly all big corporations investing big bucks in software, services and employee training. Small companies, unfortunately, are the most prone to attacks, with over 60 percent of all online attacks in 2013 targeted at small to midsize businesses.
Cybersecurity is complicated, however, with many different means for your data to become compromised. And one of the biggest and most surprising reasons for data breaches? Employees.
Recently, one company examined the data loss associated with employee-related cybersecurity breaches. Biscom, a provider of secure communications tools for regulated industries like healthcare and financial services, has more than 30 years of experience in cybersecurity and has witnessed firsthand many of the modern-day data breaches that affect companies, big and small.
Biscom's recent research discovered that, across companies of all sizes, employees admitted to taking important company data and information when they left. More specifically:
- 85 percent of employees admitted to taking company documents and information they had created.
- 30 percent of employees admitted to taking company documents and information they had not personally created.
The research was particularly concerning for startups that retain and manage intellectual property and sensitive customer data closely. The study found that:
- 25 percent of employees reported taking source code and patent filings.
- 35 percent of employees took customer data, including names, phone numbers and email addresses.
- 85 percent admitted to taking company strategy documents and presentations.
Moreover, if an employee was terminated under bad circumstances (laid off or fired), 20 percent indicated they would be more likely to take data out of anger and would be more likely to pass it to a competitor.
Finally, 90 percent of respondents indicated that the primary reason for the data theft upon departure was that their employer did not have a policy or technology in place to prevent them from doing it.
Unfortunately, startups were more prone to vulnerabilities. In the past, a company document or customer list walking out your door with a departing employee might not be cause to panic. In early stage companies, however, these documents are the foundation of the business and, more than likely, a primary competitive advantage. A competitor obtaining sales prospects or a company's "secret sauce" can put more than a little wrinkle in the path to success (or world domination, depending on the company’s vision).
Also, data loss was found to be disproportionately more significant to startups because of the typical high employee-turnover rate inside high growth companies. Whether it was pivoting the company strategy or simply outgrowing the current company talent, startup entrepreneurs often quickly find themselves dealing with employees who leave their business. And while employee departure is inevitable, startups typically are more focused on building their product and gaining market share than on closing every security gap.
Is there an easy way to reduce this risk? Bill Ho, CEO of Biscom, says yes. With over 20 years of experience developing document and messaging solutions that enable firms to share and store documents securely, Ho suggests:
1. Create thorough employee policies.
"The fact that so many respondents claimed there were no policies stopping them from taking data is troubling," Ho points out. To fight this problem, create an employee handbook that is clear and specific about all data and information, including intellectual property, trade secrets, email lists, customer records, financial statements and work created by the employee but property of the company.
2. Enact and enforce compelling employee agreements.
To get employee buy-in, include language in employee agreements that clearly defines the boundaries and outlines ramifications for breaches in privacy and security of all proprietary data and information. Agreements should also clearly outline policies for using personal devices for company duties, or BYOD.
3. Define and communicate clear data policies.
Business owners should be wary of consumer versions of EFSS or file sharing tools such as Dropbox and Google Docs. Because they are difficult to police and track, employees using these tools to collaborate on work will most likely continue to have access to files after they leave. Instead, employers should look for apps that are designed for use in enterprises and have better user controls and role-based permissions.
4. Track employee access.
Because so many business services are moving to the cloud, it is easy to forget who has access to which services. To keep track, maintain a spreadsheet or checklist of each employee's set of tools, apps and permissions, which can be used to easily and quickly cancel accounts and access upon an employee's departure.
5. Monitor employees.
While it is difficult to monitor the actions of all employees -- not to mention sensitive -- it is important to watch for anomalous behavior. For instance, watch for employees who suddenly transfer large amounts of data at odd hours. Collaboration and file sharing tools with audit trails and embedded analytics can alert you to suspicious activity.
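As an added illustration of the "large amounts of data at odd hours" check (not code from this article or from Biscom), the Python sketch below scans a file-sharing audit trail and flags a user whose off-hours transfer volume suddenly dwarfs their own typical day. The log records are constructed, and the business hours, spike factor and byte floor are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit trail: (user, ISO timestamp, bytes transferred).
AUDIT_LOG = [
    ("alice", "2024-03-04T10:15:00", 40_000_000),
    ("alice", "2024-03-05T14:30:00", 55_000_000),
    ("alice", "2024-03-06T11:05:00", 35_000_000),
    ("alice", "2024-03-07T02:10:00", 900_000_000),
    ("alice", "2024-03-07T02:40:00", 1_200_000_000),
    ("bob",   "2024-03-04T09:00:00", 700_000_000),
    ("bob",   "2024-03-06T16:00:00", 720_000_000),
    ("bob",   "2024-03-07T21:15:00", 30_000_000),
]

WORK_START, WORK_END = 8, 19   # assumed business hours, local time
SPIKE_FACTOR = 5               # assumed: off-hours volume vs. user's typical day
MIN_BYTES = 500_000_000        # assumed floor so light users don't alert on noise

def is_odd_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def find_suspicious_transfers(log):
    """Flag (user, date) pairs whose off-hours volume is a sudden spike
    relative to that user's own median daily volume on earlier days."""
    daily = defaultdict(lambda: defaultdict(int))      # user -> date -> all bytes
    off_hours = defaultdict(lambda: defaultdict(int))  # user -> date -> odd-hours bytes
    for user, stamp, size in log:
        ts = datetime.fromisoformat(stamp)
        daily[user][ts.date()] += size
        if is_odd_hours(ts):
            off_hours[user][ts.date()] += size

    alerts = []
    for user, days in off_hours.items():
        for day, volume in sorted(days.items()):
            history = [v for d, v in daily[user].items() if d < day]
            if not history:
                continue  # no baseline yet; nothing to compare against
            baseline = median(history)
            if volume >= MIN_BYTES and volume >= SPIKE_FACTOR * baseline:
                alerts.append((user, day.isoformat(), volume, baseline))
    return alerts

if __name__ == "__main__":
    for user, day, volume, baseline in find_suspicious_transfers(AUDIT_LOG):
        print(f"{user} {day}: {volume:,} bytes off-hours (typical day {baseline:,.0f})")
```

Comparing each user against their own history keeps a routinely heavy user such as the constructed "bob" from alerting on a small evening upload, while the 2 a.m. burst from "alice" stands out.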
Entrepreneurs cannot eliminate employee theft altogether, especially when it comes to digital information. With proper consideration and planning, however, and clearly defined and communicated policies, they can certainly minimize it.
Worst-case scenario -- find the least-qualified employee, give him or her a walkie-talkie and the Mission Impossible task to watch for unusual behavior. It worked for my old company.