Customer data most popular stolen item for departing workers, claims industry survey

Out-Law News | 19 Aug 2010 | 4:03 pm | 1 min. read

Customer data is the most likely item to be stolen from a company by departing employees and contractors, according to a survey by an IT security company. Over half of the UK workers it talked to said they would take company property on leaving a job.

Identity management technology firm SailPoint found that 52% of the 1,065 UK workers it talked to would take a former employer's property. It found that 23% of those interviewed would take customer data and contact details.

It found that 22% of the workers would take electronic files with them when they left, while the same number would take stationery. Product information and designs would only be taken by 17% of the workers.

SailPoint's software controls and monitors employees' access to applications and data. Company founder Jackie Gilbert said that its survey results indicate that employees, and companies, do not yet treat information as a valuable enough asset. Given how often people change companies, this is a problem, she said.

"Many employees may not believe that taking company data is equivalent to stealing," said Gilbert. "[This] highlights what I call a 'moral grey area' around ownership of electronic data. We see this in the fact that there are more workers who are comfortable taking various forms of company data, such as customer contact information, than workers who would take a stapler."

The survey also uncovered evidence suggesting that employees are not keen to profit from information that is not theirs. The survey asked the 1,000 UK workers and 2,500 US workers what they would do if they were given access to a confidential file by mistake.

While 57% of the UK workers said they would look at the file, only 1% said that they would attempt to sell the information.

Gilbert said that the readiness of workers to take a company's data, which can be valuable in itself or can cause huge damage to an organisation, poses a challenge to firms. They must balance security needs against workers' need for access to the information required to do their jobs.

"Companies need to clearly define policies in this area and educate workers about treatment of confidential data," she said. "Step two is to strictly limit and control what applications and data are accessible and to put automated systems in place to promptly remove access when an employee transfers roles or leaves the company."

"As a step three, companies should conduct quarterly access reviews to ensure that employees truly need the access privileges they have - especially for highly sensitive systems. Companies may also need to monitor the activity of employees who access highly confidential data in order to prevent incidences of fraud or data breaches," she said.