Information Theft

Are nervous employees sizing up your data?


During the current recessionary climate, many employees feel stressed and uncertain about their futures. Every week fresh announcements are made of job losses across industries. Financial pressures continue to mount for individuals, and there are many reasons: the stagnant housing market, savings rates that are running at historic lows and uncertainties over pensions and stock markets.

So it is unsurprising, perhaps, that some employees are likely to be tempted, in these uncertain times, to act against the interests of their employer as they try to shore up their own financial position. There is a danger that they will see an opportunity to exploit the valuable and potentially sensitive data that your business holds - either by selling it or taking it to your competitors, or else using it to set themselves up in a rival business.

Are you vulnerable?

Have you considered how vulnerable you are as an organization to such misconduct, and are you actively and effectively fighting potential information theft?

In a recent paper, KPMG in the UK and a law firm, Mishcon de Reya, analyzed more than 100 employee-related data theft cases on which they have acted over the past three years.

Such thefts have a number of features in common, as our analysis shows. Cases of data theft have risen year on year (more than doubling between 2006 and 2008), culminating in 46 cases last year in which forensic investigation and legal redress were sought by the employer to protect its business interests. In the current economic climate, the number of such incidents is almost certain to increase further.

The perpetrators

While most thefts were carried out by individuals, in about 10 percent of cases, the perpetrators were teams of employees working against their employer. Their aim was either to set up on their own or to join an existing competitor. In one case, up to 15 employees conspired to defraud their employer by stealing proprietary information.

Alarmingly, the study shows that in the overwhelming majority of cases (93 percent), employees had already left their employer before the thefts were discovered. This is clear evidence that companies are not doing enough to detect and prevent information theft in a timely fashion.

Information theft to secure the next move

Further, our research showed that in 23 percent of cases, data was stolen in order to establish a competing business. In most cases, though - 70 percent - the perpetrator(s) moved to a rival company. That raises serious questions about how much a new employer needs to know about the nature, and source, of information a new employee brings with them.

In only 6 percent of cases were the data thieves' intentions unknown, the thefts having been discovered before it was clear what they planned to do. In such cases, the person stealing the data may have taken it as 'insurance', in case its potential value could be exploited in the future.

So, what sort of information is being stolen? By far the most common data - 75 percent - was customer or client-related (dealing with customer relationships, levels of trading, pricing information, profit levels and so on) or customer lists. Just 14 percent of the thefts consisted of financial information (such as internal accounts, business plans, projections and forecasts).

Rationalization - "I did it because..."

Many bright careers are now on hold while organizations assess the effects of the credit crisis and economic downturn. The so-called 'Generation Y' (often defined as those born between the mid-70s and 2001, but also referred to as the 'net generation') have grown up in a booming world economy. Generation Y employees are sometimes seen as being loyal, first and foremost, to themselves. With careers stalled or stalling, some may regard the theft of sensitive data - whether they take it to rivals or use it to start up their own venture - as the most effective short-cut to restarting their own professional and financial progression.

The analysis shows that those who were caught stealing data justified their actions either by claiming that the information was already in the possession of the competitor (60 percent) or in the public domain (30 percent). This latter statistic highlights the challenge of defining exactly what data within your business can legitimately be considered 'proprietary', and which should be accepted as public information.

In only 10 percent of cases was no defence offered by the perpetrator after the theft had been discovered.

How they get away with it

The most common method of transfer of stolen proprietary data by disloyal employees was via email (46 percent of cases examined); 22 percent of cases were through taking hard copy printouts. Surprisingly, perhaps, USB memory sticks, data CDs or DVDs were used in only 9 percent of cases, despite their low cost, relative ease of use, and (especially in the case of USB sticks) conveniently small size. This may be an indication that data thieves are relatively unsophisticated, or that they simply do not believe they will be caught.

The misuse of newer technologies is likely to become more prevalent from now on since data can also easily be stolen using smart phones, MP3 players, digital cameras and other types of digital media. Social networking websites have also provided data thieves (in at least one case) with a way to remove data. Generation Y is, of course, very familiar and comfortable with such technology.

Such data leakage, and the ease with which data can be stolen, is therefore clear evidence that too many companies are not doing enough to detect and prevent information theft in a timely fashion.

Responding to data theft

Don't be complacent. Even if you have introduced sophisticated data security controls, you could still be caught out.

Where data theft is discovered or suspected, an immediate and decisive response is essential. For example, you may well be able to minimize potential loss by taking legal action against perpetrators to recover stolen data before its release can cause you damage.

Of the 100-plus incidents handled by Mishcon de Reya, the average elapsed time from instruction to legal relief, whether in the form of restraining injunction, undertakings, damages or apologies, was just over two and a half weeks. In more than 55 percent of cases, specialist forensic technology or forensic investigation services were required to image computers, retrieve emails or quantify the financial impact from the theft of the proprietary data.

In many situations, where a competing business is being set up, specialist corporate intelligence researchers may provide you with evidence of the timing behind such actions, the names and addresses of those involved, and even identify others in your business who may continue to pose a risk. Such research can be a key part of building an effective legal case against rogue employees.

In summary

Data theft by employees is a genuine threat to organizations, particularly in the current economic climate.

In the future, there is likely to be an ever-rising trend among employees attempting to steal confidential data for their personal benefit when leaving their current employment. It is possible for businesses to take effective action against such fraud, both in response to actual and attempted thefts of data, and to minimize the likelihood of data being stolen in the first place.

Effective data protection policies, and the creation of a climate in which everyone recognises the value of, and need for, integrity in the handling of sensitive commercial data, are vital if such thefts are to be prevented.

By Hitesh Patel, KPMG in the UK (hitesh.patel3@kpmg.co.uk) & Dan Morrison, Mishcon de Reya (dan.morrison@mishcon.com)