Half of Ex-Employees Walk Off with Corporate Data: Symantec Survey Findings

A new survey from Symantec and the Ponemon Institute reveals that 56 percent of employees do not believe it is a crime to use a competitor's intellectual property.

Co-workers who left their jobs for one reason or another may have walked out with a lot more than their last paychecks or the clothes on their backs.

According to a new report by Symantec, half of the employees who left or lost their jobs in the last 12 months kept confidential corporate data, and about 40 percent plan to use it in their new jobs.

The figures come from a Symantec-commissioned survey conducted by the Ponemon Institute, which fielded answers from 3,317 individuals in the United States, France, China, Brazil, South Korea and the U.K.

The study found that companies often do not take steps to address data leakage. Only 47 percent of respondents said their organizations take action when employees leave with sensitive information in violation of company policy. In addition, 68 percent said their organization does not take steps to ensure employees do not use confidential competitive information from third parties.

Sometimes employees transfer files for legitimate business reasons, noted Robert Hamilton, director of product marketing at Symantec. The other problem is that the data they transfer sits on their laptops and mobile devices, and no one goes back to clean it up—exposing the organization to a potential "data spill waiting to happen."

"In terms of using potentially stolen data, companies should create policy around it and make employees aware that using information taken from a competitor is against that policy," he said. "Companies can also set up a process for how employees can report any potential violations or concerns to [the legal department].

"In terms of keeping their data from being stolen, this is part people problem and part technology problem," he said. "We have three key recommendations: (1) educate employees; (2) enforce NDAs [nondisclosure agreements]; and (3) implement DLP [data loss prevention] to detect data moving to places it shouldn't and changes in behavior that can be indicative of IP theft, such as transferring large amounts of IP in a short time frame."

Such policies don't have to interfere with productivity, said Hamilton, and there are safe ways to transfer documents for legitimate business purposes, such as encrypting it before delivery.

"We recommend a multipronged approach where policy educates employees on the risks of transferring work documents to unsecured areas (such as to a personal Gmail account or cloud file share), and DLP technology ensures that valuable IP is monitored and protected," he said.

Sixty-two percent of respondents said they consider it acceptable to transfer work documents to personal computers, tablets, smartphones or online file-sharing applications, with the majority never deleting the data they've moved because they see no harm in keeping it.

Even more problematic is that 44 percent of respondents believe a software developer who develops source code for a company has some ownership of his or her work and inventions.

Furthermore, 56 percent of employees do not believe it is a crime to use a competitor's intellectual property, and 42 percent do not think it is wrong to reuse the source code in projects for other companies without permission, the study found.

"When companies don't enforce their policy, people can rationalize what they may otherwise think is wrong," Hamilton said. "A previous study on insiders shows that in almost half of insider theft cases, the organization had IP agreements with the employee, which indicates the existence of a policy alone—without employee comprehension and effective enforcement—is ineffective."

With many employees unware that they're participating in any wrongdoing, the focus should be on educating them and reinforcing what it means to sign a nondisclosure agreement, he said.