Hiring new staff is a difficult stage of the employment process. Even more challenging is knowing how to protect your data when employees and freelancers transition out of the organization. Digital marketing, design, and MarTech talent often have access to critical systems and valuable user data.
Keeping data safe doesn’t just happen at the end of employment; employers must plan to protect information from employee misuse before they even consider hiring someone new. If they don’t, the cost can be significant. The global average cost of a data breach was $3.62 million in 2017, according to the 12th annual Cost of Data Breach Study, conducted independently by Ponemon Institute.
Find out what you need to know about why employees steal data and how to protect your data in every step of the employee journey.
How Big Is the Problem?
Your business probably invests a sizeable amount of money preventing hackers and other cyber-criminals from accessing your systems. One of the hardest threats to defend against is employee theft. An Insurance Journal survey talked to 208 business owners and found 69 percent either experienced or acted in time to prevent data theft from internal sources. In contrast, 57 percent said they faced attacks from outside.
Biscom, a communications security provider that has offered cybersecurity to hospitals and financial institutions for more than 30 years, has long gathered research on data theft for companies of all sizes. They released some of the following statistics:
- 85 percent of employees polled said they took company documents and presentations they had created for outside use.
- 30 percent of staff said they stole documents they didn’t create.
- When it comes to intellectual property, 25 percent of employees say they stole source code and patent filings.
- Your contact list is at risk, with 35 percent admitting they stole customer names, numbers, and email addresses.
- If employees were fired, 20 percent said they were more likely to steal data in retribution and share it with the competition.
Why Do They Do It?
Data theft is more frequent in small businesses because the organizations often have less to invest in security and the employees have more opportunity. With fewer staff members, each one has a broader range of responsibilities and wider systems access. Small businesses tend to be less likely to report data theft to the authorities, so employees feel they won’t get caught.
The top motive for data theft is financial gain. Information and stolen intellectual property are worth money. Employees might also steal data to use for advancing their own career.
Many employees simply misuse data because they don’t believe it’s wrong. Employees move intellectual property to personal computers or outside devices and don’t delete the data after they’ve used it, then they reuse it later when they’re working for a competitor. According to a Symantec global study, 56 percent of former employees don’t think it impacts their previous employer when they use competitive data.
When it comes to software development, employees who work on a project think it partially belongs to them. They may not feel it’s a crime to recycle source code when creating programs for competitors.
Sometimes, a data breach happens accidentally. Employees may not realize they’re sharing sensitive or confidential information when they transfer it to an outside source.
Internal Data Breach Examples
In the last few years, these major organizations have reported employee-related data theft:
- EnerVest. When an employee learned he was about to be fired from this energy provider in West Virginia, he reset servers to factory settings and prevented remote backups. The energy provider shut down for a month and incurred costs of over $1 million, and the offending ex-employee received a four-year prison sentence.
- Waymo. When Anthony Levandowski left Waymo, he allegedly stole 14,000 blueprints, design downloads, and other technical files, and used them for his self-driving car startup. Uber later acquired his company, and was ordered to pay a settlement of approximately $244 million.
- Sage. An employee was arrested for allegedly stealing data with the intent of fraud from this payroll software provider. The 32-year-old stole bank account and salary information for Sage employees.
How Does It Cost Your Organization?
Keeping data safe is expensive, but losing it is even more so. Several factors determine what a data breach might cost. If employees pass intellectual property on to a competitor, your organization loses your investment in its development and your innovative advantage. If employees steal contact information, the data breach involves losing customers through eroded trust and loyalty.
The cost of dealing with a breach depends on what employees take and the nature of your industry. If the thief used disruptive technology, your organization will have to pay to return systems to normal functioning. Breach investigation, auditing, crisis management, and communication with parties whose information was leaked also add to your organization’s expenses.
Prevention Begins with Hiring
Make sure all employees know your organization takes data theft seriously from the day they accept a position. Write policies into the employee handbook and individual contracts that specify what data is protected and how your organization will respond if it suspects attempted theft.
Write language into employee agreements that explains security policy for intellectual property, client records, email lists, and other data. Clarify when and how employees should share files and what tools are acceptable. Create strict rules for file transfer to personal devices.
Educate current employees so they know what belongs to the company and what is intellectual property. Most people don’t intentionally steal, so clarify what belongs to your organization and that taking data is theft – even if employees contributed to a project.
Only Allow What’s Necessary
When everyone has access to data, it’s more likely to be considered community property. Treat sensitive data like the asset it is by only authorizing users who need it for their job. Assign permissions to specific data sets and folders. Assign Read Only permission to files when employees only need to access information, so they can’t alter or transfer them.
With so much data migrating to the cloud, businesses sometimes forget who has access to which systems. Create an organized list of each employee’s permissions and access information so you can cancel accounts when you have to terminate employment. Know which data is sensitive and where it’s kept, and continually review user actions around key data.
Always follow up if you suspect a breach. Enforce non-disclosure agreements for every policy violation, not just ones that cost the company money.
Restrict Email Attachments
Keep employees from sending sensitive files to an outside source by being proactive. Invest in software that monitors and inspects attachments according to set transport rules and requires permission before users can send content. Regularly audit attachments above a certain size, and set your system to automatically notify management if email transfers look suspicious.
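The audit described above can be sketched in a few lines. This is an added example, not part of the original article; the domain, thresholds, and log records are constructed assumptions. It flags any single large attachment sent outside the company and also totals each sender's external attachments per day, so transfers that stay under the size limit individually still show up.

```python
from collections import defaultdict

# Assumed values for illustration only, not recommendations.
INTERNAL_DOMAIN = "example.com"
SIZE_THRESHOLD = 10 * 1024 * 1024   # one attachment larger than 10 MiB
DAILY_LIMIT = 25 * 1024 * 1024      # per sender, per day, to outside recipients

# Constructed sample records: (date, sender, recipient, attachment, bytes).
MAIL_LOG = [
    ("2024-03-04", "ana@example.com", "bob@example.com", "roadmap.pptx", 14_000_000),
    ("2024-03-04", "ana@example.com", "ana.private@mail.test", "customers.csv", 12_500_000),
    ("2024-03-04", "raj@example.com", "raj.home@mail.test", "q1.zip", 9_000_000),
    ("2024-03-04", "raj@example.com", "raj.home@mail.test", "q2.zip", 9_000_000),
    ("2024-03-04", "raj@example.com", "raj.home@mail.test", "q3.zip", 9_000_000),
    ("2024-03-05", "lee@example.com", "vendor@partner.test", "logo.png", 200_000),
]

def is_external(address):
    """True when the recipient's domain is not the company's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def audit(log):
    """Return alerts as (date, sender, rule, detail) tuples for management review."""
    alerts = []
    daily_bytes = defaultdict(int)
    already_flagged = set()
    for date, sender, recipient, name, size in log:
        if not is_external(recipient):
            continue  # internal mail is outside the scope of this audit
        if size > SIZE_THRESHOLD:
            alerts.append((date, sender, "large-attachment", name))
        key = (date, sender)
        daily_bytes[key] += size
        # Alert once per sender per day when the running total crosses the limit.
        if daily_bytes[key] > DAILY_LIMIT and key not in already_flagged:
            already_flagged.add(key)
            alerts.append((date, sender, "daily-volume", f"{daily_bytes[key]} bytes"))
    return alerts

if __name__ == "__main__":
    for alert in audit(MAIL_LOG):
        print(alert)
```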
Prevent USB Transfer
Employees can insert a thumb drive or plug their smartphone into any computer’s USB port and download large amounts of unrestricted information. Protect your data by updating your systems, investing in software, and disabling specific USB ports on high-risk computers and printers. After installation, only trusted USB devices are allowed.
Many of these programs allow you to create a log of all USB connections and the files they access, and to receive notifications when unauthorized devices connect. Completely restrict access, or install the program and run it invisibly to see who’s accessing files without permission.
Before and During Termination
Part of the employee termination process should be about protecting data. Even if you think the employee would never do anything to harm your company, take the same precautions you would with someone whose behavior is suspect.
Check your backups before you meet with the employee to let them go. Some employees don’t just steal data – they delete your copy and leave you with empty file folders. Monitor employee files the day they are to be fired, in case they hear what’s about to happen and download or transfer information ahead of your appointment.
Before termination, notify your IT department so they can block access while you meet with the employee. Create procedures for your technology department to follow to revoke access and secure records. Immediately remove all network and data privileges and disable remote access. Centralized authentication creates an audit trail that helps systems administrators view and disable what someone might try to misuse.
Require the employee to return tablets, laptops, and any files containing client information. Check access to external sites and make sure financial institutions know the employee no longer acts as a representative of your organization. Evaluate website analytics, stock photo files, and company social media pages to which your employee has access. Staff members also may log into external vendor sites using your corporate account.
Don’t forget to evaluate permissions when an employee is changing positions, too. Revoke unnecessary authorizations at the same time you add new ones, and include in-training education on what is protected in their new role. Regularly review files to permanently delete ones that have been disabled. With the proliferation of data, companies of all sizes must take greater care to preserve its integrity, especially during times of transition.
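The permission list recommended earlier becomes useful at termination or a role change when it is compared against HR status. The sketch below is an added example, not part of the original article; the employees, systems, and role definitions are constructed assumptions. It lists every active grant that should be revoked, including shared logins on external vendor sites.

```python
# Constructed inventory: one row per grant (employee, system, access level, active).
INVENTORY = [
    ("dana", "vpn", "remote-access", True),
    ("dana", "crm", "read-write", True),
    ("dana", "stock-photo-site", "shared-login", True),
    ("dana", "file-server", "read-only", False),   # already disabled
    ("omar", "analytics", "admin", True),
    ("omar", "crm", "read-only", True),
    ("omar", "social-media", "publisher", True),
    ("kim", "crm", "read-write", True),
]

# Hypothetical role definitions: the systems each role needs for the job.
ROLE_SYSTEMS = {
    "designer": {"stock-photo-site", "file-server"},
    "analyst": {"analytics", "crm"},
}

# Constructed HR feed. "kim" is absent on purpose: an account with no owner on record.
HR = {
    "dana": {"status": "terminated", "role": None},
    "omar": {"status": "active", "role": "analyst"},   # recently changed positions
}

def grants_to_revoke(inventory, hr, role_systems):
    """Return (employee, system, reason) for each active grant that should not exist."""
    findings = []
    for employee, system, _level, active in inventory:
        if not active:
            continue
        record = hr.get(employee)
        if record is None:
            findings.append((employee, system, "no HR record"))
        elif record["status"] == "terminated":
            findings.append((employee, system, "terminated"))
        elif system not in role_systems.get(record["role"], set()):
            findings.append((employee, system, "not needed in current role"))
    return findings

if __name__ == "__main__":
    for finding in grants_to_revoke(INVENTORY, HR, ROLE_SYSTEMS):
        print(finding)
```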