While organisations have invested heavily in protecting their sensitive data, even the world’s most sophisticated companies often overlook a persistent risk when it comes to potential data theft: their own employees.
Most data theft is perpetrated by outside actors, including criminal syndicates, according to an analysis of 41,686 security incidents for the 2019 version of the Verizon Data Breach Investigations Report. But more than a third, or 34%, of worldwide data security incidents were perpetrated or aided by employees or contractors from within organisations, according to the Verizon report.
What’s the motivation behind data breaches? Overall, 71% were motivated by financial gain while 25% of incidents studied could be considered espionage or attempts to give a competitor an advantage, the Verizon analysis found.
Technology has improved to help organisations monitor employees and restrict access to key data, but, experts say, low-tech solutions and company culture can make just as big an impact.
Here are steps that those leading an organisation’s data protection practices should implement immediately to help prevent employee data theft:
Model best practice. Company leaders should be vigilant about data management while enforcing good data protection policies. Employees notice small gestures, like when an executive finds papers on a conference room table and removes them herself.
It also means placing public emphasis on data management, such as regular agenda items and other public statements in which executives discuss updates on fraud and data security measures, said Ed Griffin, director of HR consultancy and research at the UK-based Institute for Employment Studies.
That sends a signal that the company takes data protection seriously.
Executives “need to be talking about their role in protecting against fraud and data theft”, Griffin said.
Leadership from the top creates a mindset where all employees feel a responsibility for data security. “There is something about that mentality and that mindset that’s very important,” he said.
Implement a strong internal policy. Companies can take drastic company-wide measures if they think sensitive data is at risk of being distributed by employees, including disabling USB ports on computers that may contain particularly important data and limiting access to information to just those who need it, said Adam Feinberg, a New York-based executive vice-president at eDiscovery and compliance firm BIA.
But, in general, preventing the loss of key data should start on an employee’s first day on the job.
“Having people understand and sign that they understand what the lay of the land is, what’s owned by the company and what isn’t, laying all that out upfront is very important,” Feinberg said. “If there’s no process or no policy, they can say, ‘You didn’t say I couldn’t do that.’”
Consistent, mandatory training on employees’ responsibilities for data ensures that they are well aware of what is expected of them.
Having those trainings can be a deterrent in itself, said Julian Dalzell, a former human resources leader for Royal Dutch/Shell and now a senior lecturer at the University of South Carolina’s business school, in an email interview.
It’s a chance to remind employees that breaches of data management policies could open the employee up to “discipline, up to and including, dismissal”, Dalzell said.
Recognise red flags. Of course, there are other steps company leaders should take to prevent data breaches by exiting employees, including looking for red flags before they leave.
Feinberg encourages an investigation if there are suspicions of misuse by those who have access to key information, for example employees sending emails containing proprietary information such as client contact lists or pricing matrices to their personal email accounts, or large amounts of data having been downloaded or deleted recently.
Ongoing monitoring of data access and usage gives a company advance warning that information is leaking out, which allows it to take proactive action.
“You don’t want to wait until their last day to find out that you have a problem,” he said.
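As an added illustration, not part of the article or of any firm quoted in it, the Python below applies the two red flags described above, mail to personal accounts carrying proprietary attachments and unusual volumes of downloads or deletions, to constructed sample log lines; the log formats, domain names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the article): one email-gateway line and
# one file-server line per event, fields separated by '|'.
EMAIL_LOG = """\
2024-05-01 09:12|alice@corp.example|alice.home@gmail.example|client_contacts.xlsx|2100000
2024-05-01 10:03|bob@corp.example|partner@vendor.example|agenda.docx|40000
2024-05-02 18:47|alice@corp.example|alice.home@gmail.example|pricing_matrix.xlsx|3500000
"""
FILE_LOG = """\
2024-05-02 18:30|alice@corp.example|download|/shares/sales/q1_accounts.csv
2024-05-02 18:31|alice@corp.example|download|/shares/sales/q2_accounts.csv
2024-05-02 18:32|alice@corp.example|delete|/shares/sales/q1_accounts.csv
2024-05-02 09:00|bob@corp.example|download|/shares/hr/handbook.pdf
"""

CORPORATE_DOMAIN = "corp.example"
# Domains treated as personal webmail; an assumption for this example.
PERSONAL_DOMAINS = {"gmail.example", "outlook.example"}
# Thresholds are assumptions; tune them to the organisation's normal baseline.
MAX_DAILY_DOWNLOADS = 1
MAX_DAILY_DELETES = 0
ATTACHMENT_BYTES = 1_000_000

def personal_email_exfil(email_log: str) -> list[tuple[str, str, str]]:
    """Flag mail from a corporate sender to a personal address carrying a large attachment."""
    hits = []
    for line in email_log.splitlines():
        ts, sender, recipient, attachment, size = line.split("|")
        if not sender.endswith("@" + CORPORATE_DOMAIN):
            continue
        rcpt_domain = recipient.rsplit("@", 1)[-1]
        if rcpt_domain in PERSONAL_DOMAINS and int(size) >= ATTACHMENT_BYTES:
            hits.append((sender, recipient, attachment))
    return hits

def bulk_file_activity(file_log: str) -> dict[tuple[str, str], dict[str, int]]:
    """Count downloads and deletes per user and day; return only those over threshold."""
    counts = defaultdict(lambda: {"download": 0, "delete": 0})
    for line in file_log.splitlines():
        ts, user, action, _path = line.split("|")
        counts[(user, ts.split(" ")[0])][action] += 1
    return {k: v for k, v in counts.items()
            if v["download"] > MAX_DAILY_DOWNLOADS or v["delete"] > MAX_DAILY_DELETES}

if __name__ == "__main__":
    print(personal_email_exfil(EMAIL_LOG))
    print(bulk_file_activity(FILE_LOG))
```

Either function's output is a starting point for the investigation Feinberg describes, not a verdict on its own.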
Have an employee exit plan. As soon as an employee gives notice, finance and HR leaders should remind the employee that it is not up to them what they can keep.
Employees should be given clear instructions that their equipment and any data drives belonging to the company don’t go with them, and the company should confiscate them as soon as is practical, according to information security firm Netwrix.
If the parting is not amicable, consider having human resources representatives develop protocols to escort people out of the building, then go over a log of what equipment the individual had access to and ensure everything is back in the company’s hands.
Take action after employees leave. Steps also need to be taken to ensure that former employees can’t undermine the company after termination.
Netwrix has a list of best practice tips for reining in an individual’s access to corporate networks after they’ve been let go.
Suggestions include disabling an individual’s email, arranging to have their email forwarded to a supervisor to ensure no interruption in business, changing any passwords to shared applications the employee used, copying any needed local data from an individual’s company-owned workstation and giving that to a manager, and terminating virtual private network or remote access.
Thinking ahead of time about how to manage data, and what to do if there’s employee misuse, will go a long way in preventing problems.
— Jeremy Borden is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.