Michael Ryval
From Tuesday's Globe and Mail Published on Tuesday, Mar. 31, 2009 12:00AM EDT Last updated on Friday, Apr. 10, 2009 6:50AM EDT
The corporate addiction to mobile devices cuts both ways. USB memory sticks, BlackBerrys and iPods are portable and have prodigious storage capacity. But in the hands of newly dismissed employees during these hard times, they have also become tools of data theft.
Disgruntled employees typically walk away with confidential and sensitive data — client lists, employee records and product information — stored on the first portable device they get their hands on.
"In some cases, people cleaned out their desk and simply took a USB memory stick and downloaded all the files and filled it right to the brim — as well as paper files they felt they were entitled to — and walked out the door," said Larry Ponemon, chairman and founder of the Ponemon Institute LLC, a Michigan-based privacy and information-management research firm.
Data theft can put companies at a competitive disadvantage if the information is leaked to a competitor, for example, or at risk of violating privacy laws if the data is distributed without authorization.
Why has the problem suddenly become so pressing, even though many companies have exit interviews and security procedures to manage the dismissal process?
"Because of the massive scale of layoffs, especially in the [U.S.] financial services industry, a lot of companies that normally pay attention to the details did not have the human resources to do it," said Dr. Ponemon, adding that Canadian companies have been more successful at protecting data and privacy than their American counterparts. "That was a pervasive problem."
A survey of 945 laid-off workers in the U.S. conducted by the Ponemon Institute and Symantec Corp. found that 59 per cent admitted to stealing confidential company information.
It also found that 53 per cent downloaded information onto a CD or DVD, while 42 per cent used a USB drive. Strikingly, 24 per cent of respondents said they still had access to their employer's computer system or network after their departure from the company.
McAfee Inc., based in Santa Clara, Calif., estimates that the global cost of intellectual property loss due to data theft and cyber-crime was more than $1-trillion (U.S.) in 2008.
While the financial services industry is the most vulnerable to data loss, the pharmaceutical and technology sectors are not far behind, Dr. Ponemon said. Those least likely to have problems were the retail and manufacturing sectors, because their employees tend to have relatively little access to sensitive data.
Significantly, departing employees do not perceive electronic theft as stealing but are instead driven by a sense of entitlement, Dr. Ponemon said. Those who spend many hours on a project, for example, feel the information belongs to them or that they are sharing it with the company.
"The company will disagree profusely, saying that information was created on its payroll," he added. "But employees will feel strongly, too, saying it's their information as much as the company's."
What can companies do to prevent data loss? They can use software to monitor the use of e-mail and portable devices.
But they also have to rely on the human element.
"A large swath of these problems is easily treatable, with current capabilities," said Kevin Rowney, the San Francisco-based founder of the data loss prevention unit at Symantec. "There are adjustments in the tradecraft of security, through education and appropriate procedures, that combine with new technologies to make many of these risks manageable."
Symantec markets data loss prevention (DLP) systems that monitor all data moving in and out of company servers and identify potential risks.
Rather than only guarding the perimeter of a computer network with a firewall, the Symantec DLP system sifts through company data looking for the use and abuse of key pieces of information, such as details about groundbreaking new products.
"Of course, there is a huge flow of data, either by well-meaning insiders or malicious ones," Mr. Rowney said. "But these new algorithms help you see with greater clarity what's happening on the network."
Indeed, more problems are caused by well-meaning insiders than dismissed angry workers, he said. He points to employees who use credit card data to identify customers in dispute-resolution cases. "There is a huge proliferation of this very sensitive data in Excel spreadsheets, or e-mails going back and forth, for example." In short, the data may end up in the wrong hands.
Companies should install controls, including hiring agreements that outline the extent of each employee's access to company data, said Claudiu Popa, president and chief executive officer at Informatica Security Corp., a Toronto information-security and risk-management consulting firm.
Mr. Popa is an advocate of so-called role-based access control, which limits the type of data an employee can see.
"You're containing the potential impact of a breach," he said. "If someone in the marketing department causes problems and erases all his files, for example, then the damage will be limited to his own work."
Even after termination, he adds, former employees remain legally responsible for any unauthorized disclosure.
"The legal part is important because the employee will establish relationships with different parties," Mr. Popa said. "They have to be reminded that there are legal reasons for them not to go through with potentially damaging activities."
Beyond the legal measures, companies can introduce technical controls that limit access to data. "Contact-centre employees, for example, can only be privy to one contact at a time, and can't do mass searches and copy the entire client database all at once. Organizations can reduce access and the potential impact through technical controls."
Companies also can include clauses in hiring agreements that say the management reserves the right to monitor its employees' activity, Mr. Popa said. By auditing access to folders, "you can always tell if an employee has looked at a folder, or modified or deleted it."
If a breach occurs, Mr. Popa recommends that companies have adequate backup systems to restore any lost data.
For his part, Dr. Ponemon warns companies to avoid complacency and anticipate problems that could arise from a layoff.
"When people are laid off they are vulnerable and likely to do something that in hindsight looks silly, but was driven by emotions," he said. "Companies can be pro-active and significantly reduce the risks. My advice: Stay ahead of the problem."
"Everyone prefers to prevent, rather than correct, security issues," Mr. Popa said. "Once the information gets out, it is gone."
STEMMING THE TIDE
Three simple steps can help companies minimize the chance of data loss or theft during employee layoffs:
- Catalogue who is exposed to which confidential data before a layoff. The sheer volume of data on many networks makes manual cataloguing largely infeasible, so it's best to implement an automated solution in the form of data loss prevention software, says Kevin Rowney of Symantec Corp. "Data loss prevention solutions don't just do the blocking; they also do the cataloguing of potential exposures of intellectual property," he said.
- Put technical solutions in place that will block the flight of data. While some companies shut down their communications network entirely to prevent data losses, Symantec's approach keeps the network operating and uses software filters that block sensitive data from leaving the company's servers.
- After a layoff, re-examine all levels of employee access to data. Make sure that remaining employees have the appropriate access rights, Mr. Rowney said.
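The controls Mr. Popa and Mr. Rowney describe (a role-based access policy, a cap on mass record lookups by contact-centre staff, an audit trail, and a post-layoff review of who still has and still uses access) can be modelled in a short script. The following is an added example written for this page, not code from the article, Symantec or Informatica; the user names, roles, log lines and the "more than 100 records in 10 minutes" threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster (hypothetical names): user -> (role, termination date or None)
ROSTER = {
    "alice": ("contact_centre", None),
    "bob":   ("marketing", None),
    "carol": ("contact_centre", datetime(2009, 3, 20)),  # laid off
    "dave":  ("finance", datetime(2009, 3, 20)),         # laid off
}

# Constructed role-based access policy: role -> classes of data it may read
ROLE_PERMISSIONS = {
    "contact_centre": {"customer_record"},
    "marketing":      {"marketing_asset"},
    "finance":        {"customer_record", "ledger"},
}

# Constructed access log, one event per line: timestamp,user,data_class,records_read
ACCESS_LOG = """\
2009-03-19T09:00:00,alice,customer_record,1
2009-03-19T09:05:00,alice,customer_record,1
2009-03-19T10:00:00,dave,customer_record,450
2009-03-19T10:02:00,dave,ledger,1
2009-03-23T20:15:00,carol,customer_record,1
2009-03-23T20:16:00,carol,customer_record,1
2009-03-24T08:00:00,bob,marketing_asset,3
"""

def parse_log(text):
    """Parse the CSV-style audit log into (timestamp, user, data_class, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, data_class, count = line.split(",")
        events.append((datetime.fromisoformat(ts), user, data_class, int(count)))
    return events

def catalogue_exposure(roster=ROSTER, perms=ROLE_PERMISSIONS):
    """Step 1: which users are exposed to which class of confidential data."""
    exposure = defaultdict(set)
    for user, (role, _terminated) in roster.items():
        for data_class in perms.get(role, ()):
            exposure[data_class].add(user)
    return {cls: sorted(users) for cls, users in exposure.items()}

def is_allowed(user, data_class, when, roster=ROSTER, perms=ROLE_PERMISSIONS):
    """Role-based check that also refuses access from the termination date onward."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    entry = roster.get(user)
    if entry is None:
        return False  # unknown account: deny by default
    role, terminated = entry
    if terminated is not None and when >= terminated:
        return False  # the account should have been disabled at termination
    return data_class in perms.get(role, set())

def detect_bulk_access(events, data_class="customer_record", limit=100,
                       window=timedelta(minutes=10)):
    """Flag users who read more than `limit` records of one class inside `window`.
    This is the 'one contact at a time, no mass searches' control: an agent
    reads a handful of records; hundreds in a few minutes is an export."""
    per_user = defaultdict(list)
    for ts, user, cls, count in events:
        if cls == data_class:
            per_user[user].append((ts, count))
    flagged = []
    for user, rows in sorted(per_user.items()):
        rows.sort()
        for ts, _count in rows:
            in_window = sum(c for t, c in rows if ts - window <= t <= ts)
            if in_window > limit:
                flagged.append(user)
                break
    return flagged

def find_policy_violations(events, roster=ROSTER, perms=ROLE_PERMISSIONS):
    """Step 3: log events the policy should have denied, with the reason."""
    violations = []
    for ts, user, cls, _count in events:
        entry = roster.get(user)
        if entry is None:
            reason = "unknown account"
        elif entry[1] is not None and ts >= entry[1]:
            reason = "access after termination"
        elif cls not in perms.get(entry[0], set()):
            reason = "outside role"
        else:
            continue
        violations.append((user, ts.isoformat(), cls, reason))
    return violations

if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("exposure catalogue:", catalogue_exposure())
    print("bulk readers:", detect_bulk_access(events))
    for violation in find_policy_violations(events):
        print("violation:", violation)
```

Run against the constructed log, the script catalogues that three accounts can read customer records, flags "dave" for pulling 450 records in one request the day before his termination, and lists "carol" twice for using her account three days after she was laid off, which is exactly the still-has-access case the Ponemon survey found in 24 per cent of respondents. The bulk threshold is a policy choice; set it from what a legitimate role actually needs per shift, not from what the database can serve.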
Special to The Globe and Mail