Are employers doing enough to address the employee information threat?

By: In: Information Security On: Sep 25, 2014
Are employers doing enough to address the employee information threat?


Are employers doing enough to address the employee information threat?
Our recent study[i] undertaken with PwC (download the findings here) shows that two thirds (67%) of employers understand that an employee who leaves the business to take up a new role represents an information security risk. Most, however, are confident that they have done enough to ameliorate the threat ‒ 87% of companies across Europe do not believe that their employees take information out of the business with them when they leave.

So why the overwhelming confidence? The majority (81%) are confident because of measures they have put in place, such as:

  • Asking employees to sign non-disclosure agreements
  • Ensuring data cannot be copied onto discs or USB sticks
  • Blocking access to company IT networks when an employee leaves
  • Escorting employees in high-risk positions out of the building the moment they resign.

Insight into Information ownership

Three quarters of the organisations we surveyed had never bothered to check whether any of these measures had actually prevented information being removed. Furthermore, a study[ii] of office workers we carried out in 2012 painted a very different picture. The 2012 study suggested employees held a proprietorial attitude to information they had created or helped create. Many were comfortable taking highly confidential or sensitive information out of the business and, in fact, many didn’t believe it was wrong. The figures are highlighted in the infographic accompanying this piece.

Many employees who take information (72%) do so because they believe it will be helpful in their next role – and that includes sensitive customer information.

If measures to block access to information only come into effect when an employee resigns, the chances are that information was being moved out of the business in the period before they did so.

What more can employers do to protect information?

As is so often the case, employee communication and education are key. It is critical that employees understand what constitutes confidential information and what the legal and/or reputational implications of removing that information might be.

For the most sensitive and confidential data, additional IT-enabled security measures can be implemented. Businesses would be advised to keep data secure at all times and not just at the point of employee exit. As advocated elsewhere on this blog (link), companies should build a culture of accountability, respect and trust for information, underpinned by strong security safeguards. Naivety and misplaced trust are too dangerous a combination in business.

Download the PwC/Iron Mountain research reports here.

[i] Beyond Good Intentions: The need to move from intention to action to manage information risk, PwC for Iron Mountain, June 2014.  PwC surveyed senior managers in Germany, Hungary, the Netherlands, Spain, UK, the United States and Canada, with 250 or more employees, in the legal, financial services, pharmaceutical, insurance and manufacturing & engineering sectors.

[ii] Opinion Matters for Iron Mountain, June 2012

← Bridging the commitment-action gap Are businesses evolving to keep pace with information management? The people perspective →

Leave A Comment

About the author

Jeroen Strik

Jeroen Strik is Managing Director of Iron Mountain Netherlands, a position he has held since 2006. Together with his team of fifteen professionals, he is responsible for the development and implementation of innovative information management solutions with over 18,000 customers and the acquisition of new clients. The mission of the commercial team is to establish longstanding relationships as a basis to support customers proactively in the field of physical and digital information management. Of key importance here are the migration to digital working, cost reduction and compliance with laws and regulations. Before joining Iron Mountain, Jeroen worked for twelve years with Getronics PinkRoccade in a number of roles, including Business Unit Manager Infrastructure, Commercial Director Financial Sector and Solution Director Migrations Services. Jeroen graduated in Telecommunications from the InHolland college.