Employee turnover is not just a human resources issue at most corporations. Using today’s technology, many employees create, produce and store communications and work product not just electronically, but in virtual environments. The gadgets and communication methods at our disposal result in corporate proprietary information, even confidential data, routing through e-mails, voice mails, and instant messages. This data is no longer stored only on corporate networks; it is found on laptops and cell phones that may or may not belong to the employer. Yet all of this data belongs to the organization by which the individual is employed, so what does this mean for corporate IT departments when employees leave the company?

The importance of protecting confidential information is amplified by the competitive marketplace and faltering economy. Organizations need readily accessible solutions to reduce loss and theft of confidential information by departing employees.

How to stop losing money through the theft of proprietary information
Protecting intellectual property and confidential information is critical to protecting and growing market share. According to a December 2007 study by the American Bar Association, US businesses are estimated to lose $59 billion due to intellectual property theft each year. The number one risk factor associated with theft of confidential information is people in a trust relationship with an organization, namely current and former employees.

Too few companies focus on creating and implementing controls before it’s too late. They risk substantial costs: the lost information itself, the cost of detecting theft of proprietary information, and the additional cost of reactive measures to address the resulting damage.

PROTECTING CONFIDENTIAL INFORMATION
Four key areas have been identified as likely targets for loss of proprietary information:

1) Research & development data

2) Customer lists and related data

3) Financial data

4) Strategic plans & road maps

The average loss for different industries was estimated to be between $332K and $404K per incident* (*Sources: US Chamber of Commerce, ASIS & PWC Survey Runzheimer’s Int’l Mobility Report 2007)

MOBILE EMPLOYEES
Increasing employee mobility has a significant adverse impact on the ability to protect confidential information. Mobile employees are defined as those who spend at least 50% of their time away from the office. It is estimated that as much as 45% of the US workforce is considered “mobile”, meaning that they spend more than 50% of the time working away from a branch or office of their organization. Whether employees are traveling for work, telecommuting, or simply salespeople who work apart from an organization’s fixed office locations, this trend towards increasing employee mobility means organizations and managers have less control over the activities of their workers.

More people are working on laptops, meaning that workers are able to physically transport data outside the four walls of an organization, creating security challenges around the privacy of organizational information.

Organizations cannot monitor activity outside the office or when employees’ computers and devices are not connected to the company network. This creates a number of security questions: What websites are people visiting? What data is being transferred to a flash drive or home computer? Are people engaging in illegal activity or downloads? All of these issues create monitoring and oversight challenges for the IT department and threaten the overall integrity of organizational data.

Among the issues organizations face with mobile employees is the need for additional security protocols, password protections, and virtual private networks (VPNs) for access to proprietary company information, in order to limit potential loss of valuable information. By requiring additional password protection or VPN connections when working remotely, organizations can more closely monitor who is accessing company information, when they access it, and whether confidential or proprietary information is traveling outside of company-protected channels. If an employee has to use a VPN to access company lists, he or she will be much less likely to copy these lists to portable USB drives or email the information to third-party email accounts, because an IT administrator can track the data trail back to that individual’s password-protected VPN log-in.

WHAT LEADING COMPANIES ARE DOING
One of the easiest steps organizations can take to protect proprietary information is to create an internal committee to specify policies for managing confidential data and information. Many organizations are developing policies specifically addressing the challenges of having mobile employees in the organization. Companies are developing policies mandating secured connections (i.e., VPN) that allow the organization to capture all activity mobile employees engage in. Other measures include limiting access to certain systems for mobile employees, requiring special passwords, and monitoring email to control the flow of information in and out of the organization.

A second method used by organizations is to use the exit interview process to reiterate non-compete agreements in contracts and remind departing employees of their confidentiality obligations, which extend beyond their term of employment with the host organization. This provides individuals with legal notice of their obligations and establishes the basis for pursuing individuals who may intentionally or unintentionally retain proprietary information that could be used outside of the organization after employment.

Another key step organizations are taking is preserving the contents of computer hard drives, as well as laptops, for mobile employees and high-risk departures. By doing this, organizations are able to capture information on what websites employees have visited, what information they have created, any transfer of information outside the company (flash drives, external hard drives, private web-based email accounts, etc.), and any covert steps employees may have taken to cover up their actions by encoding or deleting information.

One important key in the preservation of equipment and information is that these collections must preserve legal chain of custody to ensure that the information is potentially available in a legal proceeding. Chain of custody is a legal term that essentially provides assurance that information that is collected is authentic and unaltered from the time that it is captured to the point where it is presented in a court of law. Chain of custody refers to both a process for capturing information and the means by which the captured information is stored and protected from outside influence. Once information is collected from the drives or devices of departing employees, the equipment can be re-deployed instead of being kept in a vault indefinitely. This makes for a more cost-effective and efficient use of company resources.
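One way to make the "authentic and unaltered" property above checkable, shown as an added example that is not part of the original article: a custody log whose entries record the image hash and are chained together by hash. The use of SHA-256, the field names, and the sample custodians and timestamps are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry (assumed convention)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, action, custodian, timestamp, image_bytes):
    """Append a custody event that commits to the image and the prior entry."""
    body = {"action": action, "custodian": custodian, "timestamp": timestamp,
            "image_sha256": sha256_hex(image_bytes),
            "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    body["entry_hash"] = entry_digest(body)
    log.append(body)
    return body

def verify_log(log, image_bytes):
    """Return (ok, reason); checks every link, record, and the image itself."""
    if not log:
        return False, "empty log"
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if entry_digest(body) != entry["entry_hash"]:
            return False, f"entry {i}: record altered"
        if entry["image_sha256"] != log[0]["image_sha256"]:
            return False, f"entry {i}: image hash differs from acquisition"
        prev = entry["entry_hash"]
    if sha256_hex(image_bytes) != log[0]["image_sha256"]:
        return False, "image does not match hash recorded at acquisition"
    return True, "ok"

def demo():
    # Constructed stand-in for a forensic image; a real one is hashed from disk.
    image = b"constructed stand-in for a departing employee's drive image"
    log = []
    add_entry(log, "acquired", "examiner-a", "2024-01-05T10:00:00Z", image)
    add_entry(log, "moved to evidence storage", "custodian-b",
              "2024-01-05T15:30:00Z", image)
    intact = verify_log(log, image)
    altered_image = verify_log(log, image + b"\x00")
    log[0]["custodian"] = "someone-else"  # simulate an after-the-fact edit
    edited_record = verify_log(log, image)
    return intact, altered_image, edited_record
```

A hash chain only exposes edits relative to its final entry hash, so that final hash has to be recorded somewhere the custodians cannot rewrite.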

REDUCE RISK AND IMPACT THE BOTTOM LINE - Activities that can be fleshed out
Several benefits can accrue from developing specific programs around departing employees, and these programs can go a long way towards isolating specific information and activities that are risk factors when individuals separate from organizations. Formal departing employee programs can identify improper activity by departed employees, such as whether files were removed or deleted, whether data was copied off of a computer, which Internet sites were visited and what content may have been downloaded, and whether company resources were used for personal reasons.

Additionally, a formal program of this sort will help organizations defend against compliance inquiries and wrongful termination suits by providing information that will demonstrate what activities did and did not take place.

Developing a formal policy to address departing employees can help organizations maintain compliance and defend against compliance inquiries, civil litigation, and wrongful termination and other termination-related lawsuits.

SUMMARY
Organizations need to be proactive and develop policies to ensure that information does not leak outside of the organization when employees leave or are terminated. Intellectual property theft causes businesses to lose huge amounts of money each year and departing employees are the number one risk factor associated with theft of confidential information.

More and more, employees are working remotely, traveling outside of the firm or office branches, with little to no checks in place on what information is passing through their laptops, PDAs, and thumb drives. Every company should develop policies and security protocols to protect confidential information and monitor activities of mobile employees, whether through increased usage of password protection or even requiring VPN access for any workers not physically connecting to the organization’s internal network.

Companies should use exit interviews for anyone leaving the organization and reiterate ongoing obligations around confidentiality, non-disclosure, and ownership of information created or used during the period of employment. Taking proactive steps to create and archive forensic images of departing employees’ drives and digital devices can also significantly reduce risk and save money. As a whole, legal, IT, and human resources should consult together and maintain continued vigilance in order to reduce risk, limit exposure, ensure compliance, and avoid surprises through intelligent management of data from departing employees and executives.