More than half of European office workers take sensitive company data with them when they’re fired or switch jobs, according to a recent survey from Iron Mountain. Workers in the U.K. are only slightly less likely to depart with their employers’ crown jewels: 44% of surveyed Brits said they wouldn’t think twice about nicking company data on their way out the door.
Private investigators are often consulted by corporations when their ex-employees sell, leak or divulge trade secrets and intellectual property. Employees who have been terminated may be much more likely to try to cash in on their cache of confidential data: 31% of survey respondents said they would be willing to deliberately disclose sensitive data if they were fired.
Among ex-employees who do depart with data, 51% leave with customer data, 46% with presentations, 21% with company proposals, 18% with product/service roadmaps, and 18% with strategic plans.
Most former employees don’t intend to sell these materials to the highest bidder. Rather, workers believe they are entitled to retain copies of projects to which they contributed, and which could help them land a future job. Yet even relatively well-intentioned employees who walk off with sensitive data can represent a serious security and strategic risk for their former employers.
Enterprises that fail to monitor and mitigate such risks may be hemorrhaging valuable data on operations, customers, finances, strategy and competitive positioning. Once trade secrets and intellectual property are leaked, corporations typically rely on internal IT and security staff – as well as law enforcement and private investigators – to identify the culprit and staunch the flow of sensitive information.
The more proactive approach is to tighten security before employees are terminated, with a clear set of protocols and standardized plans for preventing data leakage. These steps may include exit interviews for departing personnel, pre-termination inventory of employees’ files, prompt resetting of security passwords, recovery of keycards, and review of company-issued desktops, laptops and smartphones by IT staff. Larger corporations may also need to consider more sophisticated network security and compliance systems that actively monitor outgoing email traffic for any unauthorized disclosure of confidential files.
“As businesses across Europe rush to tighten up their data protection policies in advance of new EU legislation, it is extremely worrying to see that employees are leaving jobs with highly sensitive information,” said Iron Mountain senior vice president Patrick Keddy in a statement. “Companies concerned about information security tend to focus on building a fortress around their digital data and then forget about the paper and the people.”
The standard corporate security model focuses on mitigating external threats, without addressing the probability that valuable documents and data will be carried out the front door by disgruntled, compromised or careless employees.