Naivety and misplaced trust are a dangerous combination in business. Nowhere is this more clearly seen than when it comes to managing information risk. This year’s Risk Maturity Index with Iron Mountain and PwC reveals that 87% of companies across Europe do not believe that their employees take information with them when they leave. For 81% this confidence stems from the introduction of robust measures that include asking employees to sign non-disclosure agreements, blocking access to company IT networks upon departure, ensuring data cannot be copied onto discs or USB keys, and escorting those in high risk positions from the building the moment they hand in their resignation. Well that’s all right then.
Except, three quarters of those surveyed never bother to check whether any of these measures actually prevent information being removed, and a different study–one that asked employees what they really do with information when they leave – paints a very different picture. Employees, it revealed, happily take highly confidential or sensitive documents and databases with them, and many believe they’re doing nothing wrong.
Two thirds said they had taken or would take information they had been involved in creating, and 72% said they believed the information they took would be helpful in their new job.
European office workers are also walking out the door with presentations (46% of those who took information), company proposals (21%), strategic plans (18%) and product/service roadmaps (18%). More worryingly, half (51 per cent) are helping themselves to confidential customer databases, despite data protection laws forbidding them to do so. If measures to block access to information kick in as soon as employees resign, then the chances are this material is disappearing just before they do so.
All this makes the confidence among employers look worryingly out of touch. Especially when you consider the value that information holds for the sectors covered by the research: financial services, legal, insurance, pharmaceuticals and manufacturing and engineering.
It is vitally important that employers understand this. Employers need to realise that managing the information risk of departing employees is not just about having an impressive process in place. It’s about making sure that it achieves its purpose.
In other words, locking an employee out of your company IT network on the day he or she resigns is well-intentioned but meaningless if the employee spent the previous week quietly printing off sensitive papers or emailing customer databases to their personal email account.
It’s not all bad news. Two thirds (67%) of employers appreciate that employees leaving for a new role represent a risk to information security. Most just feel they have done enough to address it. So what more can or should they be doing?
The answer lies in employee communication and education. It is important that employees understand what constitutes confidential information and what the legal and/or reputational implications of removing data might be.
The 2012 study discovered a direct correlation between employee behaviour and the existence and communication of corporate guidelines. For example, 80 % of respondents from Germany understood what information could or could not be removed from the office, compared to a European average of 57%– and just a third had taken documents they had created with them when they left, against a European average of 56%). In other words, if employees know what is expected and why, they will act accordingly.
For the most sensitive and confidential data, additional IT-enabled security measures can be implemented, such as preventing employees from saving such data locally on their PCs. Centrally stored data, such as patient records or research statistics can be made available on a read-only basis following a formal request. This is a practice already widely adopted in healthcare.
The message is clear. To keep data secure at all times and not just at the point of exit, employers need to build a culture of accountability, respect and trust for information – both on paper and digital – underpinned by strong security safeguards.