Data Theft from Employees
Employees are undoubtedly the biggest asset for any organization. However, if employees are negligent about following the security measures set up to protect the company’s data, they could become its biggest liability. Unfortunately, although most companies secure their systems and network against attacks by hacking, virus programs and malware, many are sloppy about protecting important data from employees.
The Alarming Statistics
According to a Cisco-commissioned study covering 10 countries, 70 percent of professionals believed that almost 50 percent of their company’s data theft occurred because of unauthorized programs used by employees on their systems. Furthermore, 44 percent of employees shared the company networks with other devices without supervision. About 39 percent of the professionals who participated in the study said that they had dealt with at least one employee who accessed the company’s network without authorization.
The same study found that 46 percent of employees confessed to having transferred documents between their personal computer and the company’s network. Such incidents are more frequent when employees work from home. More alarmingly, 18 percent of the employees said that they shared their passwords with co-workers.
Nearly 52 percent of employees said that they visited external websites on the company’s networks because they wanted to, regardless of whether their action breached the company’s network security policies. 19 percent of employees believed that they could get away with the breach because no one would be able to find out that they did it.
Go-gulf.com also conducted a survey on this matter and found that over 250 million confidential documents were stolen and lost from companies in the last two years. The survey also showed that 39 percent of thefts were committed by company insiders. 59 percent of employees confessed that they had stolen confidential records from their previous employers. 53 percent of employees said that they stole files because it would help them in the future.
Considering these statistics, you cannot deny that implementing stringent security measures is crucial for every business, more so because one careless employee can cause millions of dollars' worth of damage.
Some companies blame the lack of loyalty in today’s employee base for such alarming statistics. While the reasons for employees indulging in such breaches could be many, the bottom line is that companies need to be more careful than ever before with regard to their confidential data.
What can companies do to ensure data security?
The one thing that employers agree upon is that simply telling their employees to follow security measures does not help. A more stringent, organized and regulated system needs to be put into place for enhanced security.
A complete data security system consists of three stages. The first stage is the preventive stage, where you take preventive measures such as restricting administrator access, installing firewalls and encrypting data. The second stage is the monitoring stage, where you take measures such as installing employee monitoring systems on your employees' computers. The third stage is the corrective stage, which comes into the picture after a theft occurs. In this stage, you identify the culprits and penalize them. You also need to take corrective measures to ensure that the theft does not cause major damage to your business.
Write Down Policies
Policies that are only set orally do not have much value. It is important that all the policies be written down and made into a proper rule book. More importantly, you need to word the policies carefully and explicitly, complete with examples of what is prohibited and what is not. Spell it out clearly in simple language so that every employee understands it. Also mention the penalties that employees have to pay if they breach the security policies. You need to make sure that every employee in your company has a copy of this handbook.
For comprehensive and enhanced protection, businesses require three types of security policies – a policy that states the criteria of acceptable usage, a policy that classifies data based on its importance and permissible access, and a policy that governs access to new and departing employees. In addition to setting up the procedures, explaining these company policies should be an important part of the training programs conducted for new employees.
The most effective way of setting up a guard is to restrict access to crucial data. You can start by storing data on NTFS-formatted drives. NTFS, short for New Technology File System, enables you to apply permissions for accessing files. This security measure works on the data available on the company’s networks as well as on the individual machines.
Setting up “privilege criteria” is another good idea. Employees should be categorized depending on their jobs and access should be limited to the level of privilege they enjoy in the company. For instance, the lowest privilege level should only have “Read Only” access to important files. Using the NTFS system, you can restrict the formatting and editing that employees can perform on the files. You can set anti-download and anti-copying measures as well.
Another effective measure that you can take is to remove employees from administrator groups so that they cannot edit, remove or add data from the systems or networks.
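The NTFS permission levels and the administrator-group cleanup described above can be scripted. The following is an added example, not part of the original article; the folder path, group names and approved-administrator list are hypothetical, and it assumes Windows PowerShell 5.1 or later for the local-group cmdlets.

```powershell
# Added example. Folder path, group names and the allow-list are assumptions.
$Folder         = 'D:\Finance\Confidential'     # hypothetical NTFS folder
$ReadOnlyGroup  = 'CONTOSO\Finance-Readers'     # hypothetical lowest privilege level
$EditorsGroup   = 'CONTOSO\Finance-Editors'     # hypothetical higher privilege level
$ApprovedAdmins = @('CONTOSO\Domain Admins', "$env:COMPUTERNAME\Administrator")

$acl = Get-Acl -Path $Folder
# Stop inheriting permissions from the parent folder and drop inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries already present so only the rules below remain.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}

# Identity and rights; each rule applies to the folder, its subfolders and files.
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($EditorsGroup,            'Modify'),
    @($ReadOnlyGroup,           'ReadAndExecute')
)
foreach ($g in $grants) {
    $ruleArgs = $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Verify what is now in force on the folder.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# List local Administrators members that are not on the approved list.
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name }
$unexpected | Select-Object Name, ObjectClass, PrincipalSource

# After reviewing the list, remove the unexpected members:
# $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
```

Read access prevents changes to the files, but a user who can read a file can still copy its contents, so pair these permissions with the monitoring and outbound controls discussed in the rest of the article.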
The most crucial and sensitive data of the company should always be stored in encrypted form. You can use one of the many encryption software applications available for the purpose. NTFS-formatted drives also have a built-in encryption feature, the Encrypting File System (EFS).
You can strengthen data security by using BitLocker full drive encryption. This system ensures security of the data even if the entire computer hardware is stolen. BitLocker is available in Windows Vista and Windows 7 Enterprise and Ultimate versions.
Install employee monitoring software
A comprehensive employee monitoring system that gives you a record of all the activities that go on in employees’ computers can be the strongest protection for your data. A robust system eases your job of monitoring employees to a large extent.
Alter the Hardware
One of the most common ways of stealing business data is to copy the files onto pen drives or other portable devices. You could consider removing USB ports and disabling CD drives. Although this security measure does work efficiently, it can be restrictive, because employees will not be able to view useful CDs. You need to consider the pros and cons of this security option before implementing it.
Regulate the Use of Handheld Devices
Smart phones, tablets, laptops and notebooks can be easily misused to steal data from the company’s systems and networks. Create a policy to regulate and restrict the use of these devices in the company premises. Some companies ban the use of smart phones and other such gadgets in their premises. You could think of something similar. Employees can be allowed to use their phones in the canteens, lounges and general recreation areas of the company.
Block Outbound Data
Firewalls can perform the dual function of blocking incoming content as well as restricting outbound movement of files and documents. You can set up the firewall to identify certain types of files based on some well-chosen keywords and restrict them from leaving your company’s networks. This can be a great way of protecting company documents.
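The keyword matching behind such an outbound rule can be sketched as follows. This is an added example, not part of the original article and not a firewall configuration (each product has its own rule syntax); the keyword list, file names and the `Test-OutboundFile` function are hypothetical. It also handles the case a plain keyword match cannot inspect, compressed containers, by sending them to review instead of allowing them.

```powershell
# Added example. Keywords and sample files are constructed for illustration.
$Keywords = @('CONFIDENTIAL', 'INTERNAL ONLY', 'Project Falcon')
$Pattern  = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Test-OutboundFile {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # ZIP-based containers (.zip, .docx, .xlsx) begin with the bytes 'PK'.
    # Their text is compressed, so a raw keyword match cannot see it.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        $verdict = 'Review'
        $reason  = 'compressed container, content not inspected'
    } else {
        $text = [System.Text.Encoding]::UTF8.GetString($bytes)
        $hit  = [regex]::Match($text, $Pattern, 'IgnoreCase')
        if ($hit.Success) {
            $verdict = 'Block'
            $reason  = "keyword '$($hit.Value)'"
        } else {
            $verdict = 'Allow'
            $reason  = 'no keyword matched'
        }
    }
    [pscustomobject]@{ File = Split-Path $Path -Leaf; Verdict = $verdict; Reason = $reason }
}

# Constructed sample files standing in for outbound attachments.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'outbound-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'lunch-menu.txt') -Value 'Soup of the day: tomato'
Set-Content -Path (Join-Path $dir 'roadmap.txt')    -Value 'Internal only: Q3 pricing plan'
[System.IO.File]::WriteAllBytes((Join-Path $dir 'archive.zip'), [byte[]](0x50, 0x4B, 0x03, 0x04))

# One verdict per file: Allow, Block or Review.
Get-ChildItem -Path $dir -File | ForEach-Object { Test-OutboundFile -Path $_.FullName }
```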
Be Prepared and Alert Always
Despite all the measures you take, some bright employee might be able to find a way to steal data. To protect your company from such problems, you need to be alert all the time. Your IT team needs to be well trained to perform continuous surveillance and monitoring. The sooner you identify the culprit and his or her modus operandi, the better for your company.
Don’t Hesitate to Get the Authorities Involved
If and when you detect an employee stealing data, do not hesitate to involve the law enforcement agencies. Employees need to understand that they cannot get away with stealing in your company. They would definitely not want to be led out of their office by law enforcement officers. More importantly, they would not want a criminal record of fraud on their record. This understanding can discourage a lot of people from indulging in a wrongdoing.
Understand Legal Implications of Data Theft
The law protects the employers as well as the employees. For instance, an employer who benefits from the data that their new employees steal from their previous place of work might be slapped with fines of up to $5 million.
However, while employers can take measures to prevent data theft, they also need to be sensitive and guarded towards employee privacy issues. Every step taken by the employers should be within the legal framework and should ensure that employees’ privacy is not breached. You can take guidance from the Computer Fraud and Abuse Act (CFAA) to create a company policy that lists out penalties to employees who steal data. Also make sure that you use a robust electronic forensics investigation system in order to identify the culprits. Wrongly accusing an employee of stealing data can cause you untold troubles if the accused slaps a harassment and defamation case against you.
A well-structured and comprehensive data theft prevention system is the urgent need of the hour for every company that uses IT in their business.