I’m not sure how this relates directly to Project Management. It really doesn’t, I guess, other than the fact that when employees exit many times they’re actively working on one of our projects and the same findings you read about below can affect your customers on the projects you manage in addition to the company you work for.
Dr. Larry Ponemon put together this document back in February on “Data Loss Risks During Downsizing”. I’m only including a portion of it here that outlines some of the key findings of national study performed by the Ponemon Institute and sponsored by Symantec.
The bottom line is that 59% of employees who leave or are asked to leave are stealing company data. And 79% admit that their former employer did not permit them to leave with the company data. The lack of care some companies take in ensuring that they’re protected when employees leave still amazes me.
Key Findings
Following are the most salient findings of this survey research. Please note that most of the results are displayed in bar chart format. The actual data utilized in each figure and referenced in the paper can be found in the percentage frequency tables attached as the Appendix to this paper.
Employees are stealing data and are more likely to do so when they don’t trust their employer
According to 63% of respondents, their previous job required them to access and use proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, software tools or other intellectual properties. More than 59% report that they kept company data after leaving their employer. It is very interesting to note that employees who do not trust their former employer to act with integrity and fairness are more likely to take the data. Sixty-one percent of respondents who were negative about the company took data while only 26% of those with a favorable view took data.
Employees are stealing proprietary and confidential data that might affect their former company’s business competitiveness and could result in a data breach
Sixty-five percent of those respondents who admit they took data left with email lists followed by 45% who took non-financial business information and 39% took customer information, including contact lists.
The most susceptible documents to theft are email lists and hardcopy files
Sixty-four percent of respondents took email history and hardcopy files (62%). Of least interest to employees are PDF files (9%), access database files (8%) and source code (3%).
Employees are stealing data in different ways
It is interesting that most employees (61%) who stole valuable customer and other business information are taking it in the form of paper documents or hard files. The next most popular means of transferring data is by downloading information onto a CD or DVD (53%) or onto a USB memory stick (42%) followed by sending documents as attachments to a personal email account (38%).
Employees who take company data are defying company rules
Of those employees who admit to stealing company information, 79% report they do not have permission to do so and 5% are unsure. The top reasons given for stealing data include: “everyone else is doing it, the information may be useful to me in the future, I was instrumental in creating this information, the company can’t trace the information back to me and the company does not deserve to keep this information."
Only 16% say they were permitted to keep sensitive, confidential or proprietary information. However, their reasons are suspect. Specifically, the top two reasons for their belief that it was acceptable are “other laid-off employees kept this information when they left the company (54%) and no one checked their belongings when they left the company (50%).” Only 11% report that their former supervisor said it was permissible to keep this information.
Companies are failing to take proper steps to stop data theft
While a small number (4%) of employees told their employers that they were taking data, only 15% of companies conducted a review or performed an audit of the paper and/or electronic documents that employees were taken. If they did, respondents report that it was not complete (45%), or worse, superficial (29%). Approximately 41% of respondents say the review was conducted by their direct supervisor or manager followed by the human resources personnel. Approximately 89% report that their company did not do an electronic scan of devices such a portable data-bearing equipment or USB memory sticks.
Employees leave their laptops but take CDs, USB memory sticks and PDAs
Ninety-two percent of employees took CDs/DVDs followed by USB memory sticks (73%) and PDAs (17%). Only 9% kept their Blackberry and 3% kept their laptops.
Employees were able to access their former employer’s computer system or network after departure
According to 24% of respondents, their ability to access data continued after they left the company creating a data security risk. Of these respondents, 32% say that they accessed the system and their credentials worked and 38% say their co-workers told them that their access rights continued. In the case of 35% of the respondents, access to the system continued one week or longer.
While only 4% report that they gained access using a co-worker’s authentication credentials after departure from the company, 51% said their supervisor told them they would have access to the company’s system, email or network for a specified period of time. More than 44% continued to receive email on their company’s account.
Employees’ reasons for leaving are mixed
Approximately 37% were asked to leave, 38% found a new job and 21% moved on because they are anticipating a layoff. Immediately after leaving their former company, 61% took paper documents or hard files, 53% downloaded information onto a CD or DVD and 42% downloaded information onto a USB memory stick.
Implications and recommendations for companies
All companies share the potential risk of having a data breach because of the actions of former employees. In addition, they have allowed competitive information about customers, business partners, and other intellectual property to walk out the door putting them at a competitive disadvantage. We recommend that companies immediately assess the potential data loss from former employees who had access to sensitive and confidential data as part of their job.