Are your former employees walking out the door with your intellectual property? And worse, is your new hire putting your organization at risk by bringing in IP stolen from a former employer? A new global survey by Symantec and The Ponemon Institute finds that half of employees who left or lost their jobs in the past 12 months kept confidential corporate data, and 40 percent say they plan to use the data in their new jobs.
In October and November of 2012, The Ponemon Institute surveyed 3,317 individuals in the U.S., U.K., France, Brazil, China and Korea. The median age of respondents was 35, and the average headcount of respondents' organizations was 7,000.
The Ponemon Institute reports that more than half of employees admit they email business documents from their workplace to their personal email accounts and 41 percent say they do it at least once a week. The same percentage says they download IP to their personal tablets or smartphones.
How Workers View IP and Company Documents
"The majority of employees who transfer work documents outside don't really understand that it's wrong," says Tim Matthews, senior director of product marketing with the Data Loss Prevention (DLP) Group at Symantec. "A lot of people end up Gmailing stuff home to themselves so they can work on it from their home computer. And we know, for instance, that one-fifth of home computers are infected with malware."
One of the reasons for this issue, according to The Ponemon Group, is that most employees don't believe it's wrong to transfer corporate data to their personal devices or cloud-sharing apps.
"A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company," the survey finds. "Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data."
Moreover, many employees may have a cavalier attitude toward company-owned data because they attribute ownership of IP to the person who created it, according to the survey.
"When given the scenario of a software developer who re-uses source code that he or she may have created for another company, 42 percent do not believe it is wrong and that the person should have an ownership stake in his or her work and inventions," the survey reports. "They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today's knowledge workers as unaware that intellectual property belongs to the organization."
Stolen IP Creates Potential for IP Contamination
Not only is that a problem for the organization that just lost the IP, it's also potentially a big problem for the organization that hires a worker who brings stolen IP to his or her new role.
"It creates the potential for IP contamination," Matthews says. "It's not just a security or business loss issue. Now you have a potential lawsuit on your hands."
Employees aren't solely responsible for the problem, Matthews notes. He says organizations are failing to create a culture of security. The Ponemon Institute finds that only 38 percent of employees say their manager views data protection as a business priority, and 51 percent believe it's acceptable to take corporate data because their company does not strictly enforce policies.
"Simply put, companies don't do anything," Matthews says. "And because there's no action taken—there's no policing—pretty soon people feel they can get away with it because companies don't care. Companies don't put any time into actually policing their intellectual property."
How to Deal With Insider IP Theft
Matthews offers three recommendations for dealing with the threat of insider IP theft:
- Educate your employees. Organizations need to educate their employees about IP security and help them understand that taking confidential information is wrong. IP theft awareness should be an integral part of security awareness training.
- Enforce nondisclosure agreements (NDAs). In nearly half of insider theft cases, the organization had IP agreements with the employee, according to Symantec, but those agreements either weren't understood by the employee or weren't enforced by the company. Organizations need to include stronger, more specific language in their employee agreements. Additionally, exit interviews should include focused conversations around the employee's continued responsibility to protect confidential information and return all company information and property. The employee needs to understand that policy violations will be enforced and could result in negative consequences to them and their future employer.
- Deploy monitoring technology. Implement a data protection policy that monitors inappropriate access and use of IP and automatically notifies employees of violations. This will increase security awareness and deter theft.
"When it comes to trade secret theft by mobile employees, an ounce of prevention is usually worth ten pounds of cure," says Dave Burt, founder of Mobility Legal P.C.
"We consistently see departing employees who don't understand their obligation to keep trade secrets secret, but are just as often faced with companies whose own procedures are sorely lacking when it comes to protecting valuable IP," Burt says. "But everybody loses when a mobile employee steals trade secrets—the company who invested in the IP, the employee who took it and the organization that receives it, even unknowingly, who most often is on the hook for defending the litigation that follows."
"Before employees exit," Burt adds, "dust off agreements they likely haven't looked at in years, figure out all of the places the employee has stored sensitive company information and get it back, and ensure that employees understand their continuing obligations not to use or disclose company trade secrets."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.