When staff leave, so does your data
When people leave jobs, they always take a few things with them which, strictly speaking, belong to the company, but how many of them take confidential data files?
A survey by Sailpoint of 1,065 UK workers found that 52% of them would take employer's property with them when they left the company. That's not really surprising and few companies would complain about losing the odd stapler, some envelopes or a couple of ring binders in this way. I think most people would view it quite differently if people were taking high-value items such as a laptop computer or their office chair, but for small value items like pens and paper clips, would you consider that "stealing"?
Of more concern is that 22% of the people surveyed said they would consider taking electronic data with them, and CDs, memory sticks and email make it is easier than ever to smuggle data out of the building. I think this highlights a perception problem. In some companies, the databases and customer contact files may be one of their biggest assets, the result of years of research and development, and hugely valuable if not priceless. Customer files may contain confidential information supposedly protected under the Data Protection Act. Yet the person taking the copy may well think they are not stealing anything at all except, perhaps, the blank DVD they used to make the copy. They are not depriving the company of any data, only copying it, and as they will surely have been involved in creating that data during their employment they may even feel they partly own such data and are entitled to take it with them.
Sailpoint's founder, Jackie Gilbert, acknowledges this poses a challenge and advises "Companies need to clearly define policies in this area and educate workers about treatment of confidential data. Step two is to strictly limit and control what applications and data are accessible and to put automated systems in place to promptly remove access when an employee transfers roles or leaves the company. As a step three, companies should conduct quarterly access reviews to ensure that employees truly need the access privileges they have, especially for highly sensitive systems. Companies may also need to monitor the activity of employees who access highly confidential data in order to prevent incidences of fraud or data breaches."
24th August 2010
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.