The paper reviews how employees perceive corporate data, and their mindset and motivations for copying data and intellectual property (IP).
- Employees are moving IP outside the company in all directions
- When employees change jobs, sensitive business documents often travel with them
- Employees are not aware they are putting themselves and their companies at risk
- They attribute ownership of IP to the person who created it
- Organizations are failing to create a culture of security
Impact on Organizations
According to the Ponemon Institute, employees are moving IP outside the company in all directions:
- Over half admit to emailing business documents from their workplace to their personal email accounts
- 41% say they do it at least once a week
- 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned devices
The data loss continues through employees sharing confidential information in the cloud:
- 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
- Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.
When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. IP theft occurs when an employee takes any confidential information from a former employer:
- Half of the survey respondents say they have taken information
- 40% say they will use it in their new jobs
This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.
Understanding Employee Attitudes about IP Theft
The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.
Further, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and believe that a person should have an ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.
Recommendations from the paper
Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:
- Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical; companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
- Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include, in checklist form, an explicit description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
- Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.