Our recent study[i] undertaken with PwC (download the findings here) shows that two thirds (67%) of employers understand that an employee who leaves the business to take up a new role represents an information security risk. Most, however, are confident that they have done enough to ameliorate the threat ‒ 87% of companies across Europe do not believe that their employees take information out of the business with them when they leave.
So why the overwhelming confidence? The majority (81%) are confident because of measures they have put in place, such as:
- Asking employees to sign non-disclosure agreements
- Ensuring data cannot be copied onto discs or USB sticks
- Blocking access to company IT networks when an employee leaves
- Escorting employees in high-risk positions out of the building the moment they resign.
Insight into information ownership
Three quarters of the organisations we surveyed had never bothered to check whether any of these measures had actually prevented information being removed. Furthermore, a study[ii] of office workers we carried out in 2012 painted a very different picture. The 2012 study suggested employees held a proprietorial attitude to information they had created or helped create. Many were comfortable taking highly confidential or sensitive information out of the business and, in fact, many didn’t believe it was wrong. The figures are highlighted in the infographic accompanying this piece.
Many employees who take information (72%) do so because they believe it will be helpful in their next role – and that includes sensitive customer information.
If measures to block access to information only come into effect when an employee resigns, the chances are that information was already being moved out of the business in the period before the resignation.
What more can employers do to protect information?
As is so often the case, employee communication and education are key. It is critical that employees understand what constitutes confidential information and what the legal and/or reputational implications of removing that information might be.
For the most sensitive and confidential data, additional IT-enabled security measures can be implemented. Businesses would be advised to keep data secure at all times and not just at the point of employee exit. As advocated elsewhere on this blog, companies should build a culture of accountability, respect and trust for information, underpinned by strong security safeguards. Naivety and misplaced trust are too dangerous a combination in business.