Employees enjoy access to a whole lot of confidential information as part of their day-to-day jobs. What happens to that information when an employee leaves a company?
According to a new global survey sponsored by Symantec, 40 percent of employees will take confidential information with them when they leave a job. Robert Hamilton, director of Product Marketing at Symantec, explained to eSecurity Planet that confidential data takes a number of forms.
"Types of sensitive data that employees are taking include contact and email lists, employee records, business plans and even source code," Hamilton said. "We don't see people trying to take confidential financial information; it's all things that are job related and things that will help them with their next job."
BYOD Makes It Easy
It's easy for employees to take confidential information with them because so much of it now resides on personal devices. The study found that 62 percent of respondents thought it was OK to transfer work information to personal devices.
Relatively few organizations appear to be actively trying to stop the flow of information. Forty-seven percent of respondents said their companies took any action if an employee took sensitive information contrary to company policy.
Adding insult to injury, 56 percent of respondents do not see it as a crime to use information taken from their former employers to benefit the competition. "So those people said they would take competitive data and they will use it to help them do their jobs," Hamilton said. "It's a dog eat dog world. That's what I got from the survey."
Symantec believes enterprises can and should do more to educate employees about confidential information. "You don't hear a lot about companies going after lower-level ex-employees that routinely take confidential information," Hamilton said. "We believe that companies can do more to stop this practice."
From a legal perspective, patents can be used to protect innovation -- though patents are only a small part of the confidential information mix. Hamilton explained that virtually anything a company takes some measures to produce and that has some value can be considered a trade secret. While some trade secrets can be patented, there is a lot of material that is not.
"Just because something is not patented, doesn't mean it's not a trade secret," Hamilton said. "People are not taught that confidential information does not belong to them."
Going beyond education, Symantec suggests that companies conduct focused exit interviews with employees when they leave a company.
"Wouldn't it be great if the HR organization could have a report of all the files the ex-employee had been downloading during the last two weeks prior to resignation?" Hamilton said. "They could have a conversation about how that information needs to be returned to the company and not used in another job."
From a technology perspective, the use of monitoring technology and some form of data protection policy is also a suggested best practice. "We have a heavy equipment manufacturer customer for example that has a zero-tolerance policy for employees sending CAD drawings to a home email address," Hamilton said.