A recent study by the Ponemon Institute revealed that employees are causing companies to lose intellectual property (IP) with startling frequency.  Perhaps the most troubling aspect of this behavior is that the companies are unaware their IP is at risk.

The study results, based on survey responses of 3,317 people in the United States and other countries, contain several key findings:

Employees are moving IP outside the company in all directions – Over 50% of the employees surveyed admitted to emailing business documents from their workplace to their personal email accounts.  IP was downloaded to personally owned tablets or smartphones by 41% of employees.  The problem this creates is that confidential information becomes more vulnerable when it leaves corporate-owned devices.  Many of these downloads are done without permission from the employer.  The danger is compounded by the fact that the majority of employees do not delete the confidential information after it has been transferred.  The longer the data is available on outside devices, the longer the vulnerability exists.

Employees changing jobs often bring sensitive business documents with them – This includes employees who take IP maliciously, as well as negligently or carelessly.  Over half of the employees surveyed stated they have taken IP with them to a new employer.  The result is that confidential information is often falling into the hands of the competition.

Employees are not aware they are putting themselves and their employer at risk – Most of the employees surveyed did not believe that transferring corporate data to their personal devices was wrong.  Justifications for this behavior included that it is okay as long as the employee does not personally receive economic benefit, that the practice does not harm the company, and that it is the company’s fault for not strictly enforcing policies and proactively protecting the IP.

Employees attribute ownership of IP to themselves – Many employees believe that they have an ownership stake in IP they create, such as a software developer who creates source code.  In the United States, 59% of the employees surveyed believe a software developer should have the right to reuse source code he developed for a prior employer, even when the employee does not have permission from the prior employer.  They believe that an employee should have an ownership stake in his or her work and inventions.

The Ponemon study had three recommendations, based upon these findings:

1) Educate employees to let them know that taking confidential information is wrong.

2) Enforce non-disclosure agreements.

3) Implement monitoring technology to track when confidential information is inappropriately sent, copied, or exposed.

This study demonstrates that while breaches by outside hackers often get the headlines, data loss often occurs because of the people the company trusts the most: its employees.  The good news is that a company can dramatically reduce its risk with some relatively inexpensive steps.

An overall analysis to identify the confidential information at risk, its location, its availability to employees, and the protective measures currently in use is a good first step.  This should be followed by patching any holes discovered during the assessment, instituting policies and procedures for employee conduct, and having the appropriate employee agreements in place to legally address employee violations.  Taking steps to reduce risk will be much less painful and costly than addressing the loss of confidential information after it has occurred.
