Friday, 13 January 2012

Recent research by Iron Mountain reveals that 20 per cent of businesses across Europe view the risk of employee theft as the most serious threat to information security. They see the risk as greater to the business than IT failure, cybercrime or natural disaster. The research, undertaken for Iron Mountain, suggests a breakdown of employer confidence in staff intentions and a lack of faith in internal controls.

It seems that the level of concern may not be entirely misplaced. Global research published last month by network provider Verizon found that while just 17 per cent of data breaches implicated insiders, the potential impact of employee theft is greater than that of an external threat, with insiders three times more likely to steal intellectual property than outsiders.

“When it comes to information management, people are often the weakest link in the chain,” said Florian Kastl, international director of security, safety and business continuity at Iron Mountain. “Information is the lifeblood of a business, and it is vital that companies have strong controls in place to minimise, if not prevent, the risk of employee theft. This will protect employees, the business, its customers and its reputation.”

Florian Kastl recommends implementing the following practical steps to minimise the risk of employee theft:

• Know what you know. Identify and prioritise all the information held by your business – everything from incorporation and legal documents to intellectual property, financial data, sales projections and roadmaps, customer and HR records.
• Establish robust internal processes to reduce opportunities for theft – with the strongest controls for the most important or sensitive information. This should include an audit of when, where and how people come into contact with information as it travels through the business. This will help to identify points of potential vulnerability where access should be restricted. Make use of appropriate technology or secure off- or onsite storage to lock away and protect your information; and have a clear and visible policy for violations.
• Ensure HR processes support information-protection policies. Robust recruitment checks, the monitoring of changes in behaviour patterns and a formal exit strategy will help to minimise opportunities for theft. Employees leaving a company, particularly if moving to a competitor or if departing under a cloud have been known to take company information with them.
• Ensure your policies are sufficiently resilient to cope with business changes – such as an acquisition or merger – and are robust enough to meet increasingly stringent regulatory demands.