Sensitive data often follows former employees out the door

Almost 70% of employees take data on their way out. Here's how to stop itThere is an old cliché that says a company's most valuable assets walk out the door at the end of the day. However, according to a recent security report, some other valuable assets are walking out the door as well, and they're not coming back.

In a survey from Osterman Research, 69% of organizations polled say that they have suffered significant data or knowledge loss resulting from employees who took information resources with them when they left the business.

Any form of data loss is a threat to a business, but the report notes that problems can arise both from employees actually taking data with them when they leave, and when departing employees have parked corporate information in locations like cloud storage services that are unknown or inaccessible to their former employer.

Worries over data loss arise from employees leaving for a new job or knowing that staff cuts are coming, owing to laws requiring 60 days of notice of an impending layoff. They may not know if they are on the cut list, but they know the layoffs are coming, which could compel some personnel to take company data.

The motivations for taking the data "are all over the map," says Michael Osterman, president of Osterman Research. "Sometimes it's employees who are leaving for a competitor and want some competitive edge with contacts or IP. Some are upset and have a beef with management and want to do a slash and burn on the way out," he says.

"People think this is their data and take it with them from place to place," says Greg Kelley, CTO with Vestige Digital Investigations, which conducts technology forensic investigations. "Quite often it's contact lists, pricing info or marketing materials. They don't think they are being malicious, just that it's theirs and they own it. Whether they know they are in violation of non-compete clause or the law, I can't say."

No malicious intent

Employees often want to take information with them because they believe it will be useful in their new job. A sales person may want to take a list of customers and prospects, for instance. Others might take professional contacts.

"It's stuff you are not necessarily doing maliciously, but want to hit the ground running in the new job, rather than recreating the wheel," Osterman says.

In some cases, even though there was no malicious intent, the company can be hurt. If an employee leaves for a competitor and takes customer lists, that amounts to the transfer of a proprietary asset from one company to another. It takes time, effort and cost to develop lists of customers or prospects, and handing that information over to a rival firm can cause serious harm, especially if high-value trade secrets are in play.

Sometime the data loss is inadvertent. In the BYOD era, people might leave their company without even realizing that they are taking information with them in the form of cloud or mobile apps.

Then there are those who do it maliciously, who might actually want to harm their employer or get a leg up in their new job with a competitor. But Osterman says that this is a relatively small group, amounting to about 5 percent to 10 percent of the total incidents of data loss.

Still another group takes data knowingly, but not thinking they are doing anything wrong. That could include salespeople, for instance, who feel entitled to take the contacts they worked so hard to develop, an asset they might feel that they own.