Susquehanna Bancshares Inc., a financial services holding company based in Lititz, Pa., with 230 branches throughout the mid-Atlantic region, typically gives employees two months’ notice before they are laid off so they can apply for internal openings. When giving notice, the company turns on software alerts that signal network administrators if an employee is engaging in any unusual data download activity.
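The notice-period download alert Susquehanna describes, as an added example in Python (not the bank's software): it builds each user's pre-notice daily download median from constructed log lines and flags any day during the notice period that exceeds three times it. The log format, usernames, dates and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed file-share transfer log (not from the article): one line per
# user per day giving total bytes downloaded.
SAMPLE_LOG = """\
2009-01-07 user=jdoe bytes=41000000
2009-01-08 user=jdoe bytes=38000000
2009-01-09 user=jdoe bytes=45000000
2009-01-12 user=jdoe bytes=512000000
2009-01-13 user=jdoe bytes=40000000
2009-01-08 user=asmith bytes=90000000
2009-01-09 user=asmith bytes=95000000
2009-01-12 user=asmith bytes=98000000
"""
NOTICE_START = date(2009, 1, 12)  # constructed: day both users were given notice

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) bytes=(\d+)$")

def parse_log(text):
    """Return {user: {date: bytes}}; malformed lines are skipped, not fatal."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, user, nbytes = m.groups()
            totals[user.lower()][date.fromisoformat(day)] += int(nbytes)
    return totals

def download_alerts(totals, on_notice, notice_start, factor=3.0, min_days=3):
    """Alert on any day from notice_start onward where a user on the notice
    list downloads more than `factor` times their pre-notice daily median.
    A user with fewer than `min_days` of pre-notice history gets a manual
    review alert instead, because no reliable baseline exists."""
    alerts = []
    for user in on_notice:
        days = totals.get(user.lower(), {})
        baseline = [b for d, b in days.items() if d < notice_start]
        if len(baseline) < min_days:
            alerts.append((user, None, "insufficient baseline"))
            continue
        threshold = factor * median(baseline)
        for d, b in sorted(days.items()):
            if d >= notice_start and b > threshold:
                alerts.append((user, d, f"{b} bytes > {threshold:.0f}"))
    return alerts
```

A real deployment would draw the baseline from weeks of history and feed alerts to the administrators the article mentions; the short window here only keeps the sample readable.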
At SimplexGrinnell LP, a security devices manufacturer in Boca Raton, Fla., each hire must sign an agreement to take no proprietary information when leaving the company. If that day comes, voluntarily or involuntarily, a manager or an HR staff member chaperones the employee through an exit procedure that includes reviewing the agreement and signing a statement that he or she is not taking information. As the exit procedure unfolds, information technologists decommission the worker’s access to networks, computers, doors and parking lots.
Those procedures are among many that the companies use to reduce the risk of data theft during terminations. On paper, many other companies have similar protocols, but evidence is mounting that few enterprises are doing enough to reduce the growing threat of data theft by departing insiders.
The environment for insider data theft has been ripened by layoffs and fear of layoffs, populist anger about bailouts and executive compensation, the belief held by some workers—accurate or not—that many companies game the system, and general deterioration of ethics.
"We had problems with theft by insiders even before layoffs. Now, there’s a lot of evidence that insider risk is escalating," says Carol Baroudi, research director for information technology security at the Aberdeen Group, a Boston-based IT research and consulting firm. Company officials "need to change the locks—and get locks if they don’t have them. HR needs to work hand in hand with IT on this."
Experts are abuzz about findings from a January survey of 945 U.S. residents who voluntarily or involuntarily left jobs in 2008. Sixty-three percent said their previous jobs required them to use customer data, contact lists, employee records, financial reports, software tools or other proprietary information. Fifty-nine percent of this group said they kept or took information when they left; 79 percent of these admitted that company policies did not allow them to take the information.
The survey, whose findings appear in the survey report Data Loss Risks During Downsizing, was conducted by the Ponemon Institute LLC, a private research group in Traverse City, Mich., that focuses on data privacy and security management. Symantec Corp., a security software developer in Cupertino, Calif., sponsored the survey.
Commenting on the survey, Rob Douglas, an information security consultant in Steamboat Springs, Colo., and editor of www.IdentityTheft.info, says, "Frankly, the [percentages are] higher than I would have thought. I am surprised. They are alarming."
Douglas adds, "An unhappy employee is a threat, and at time of termination, breaches are more likely than at others. We know this anecdotally. The study puts hard numbers to those beliefs."
Ed Balderston, Susquehanna’s executive vice president and chief administrative officer, whose duties include HR and corporate ethics, finds the results disturbing but not surprising, given what he sees as a decades-long deterioration in ethics.
"Many workers don’t have any benchmark for right or wrong," Balderston says. "We’re doing more ethics training than ever, but if you had told me 15 years ago that we had to do ethics training in banking, I would not have believed it. When we talk to people about things they do wrong, the most incredible thing is their disconnect. Not that they didn’t know what they were doing was wrong and did it anyway, but that they just don’t have a clue that what they were doing was wrong."
Researchers found the survey results jarring: "I was disappointed at what the survey findings say," notes Michael Spinney, senior privacy analyst at Ponemon.
Among other results:
Sixty-one percent of respondents who were negative about their companies took data, while 26 percent of those with favorable views took data.
Sixty-one percent of those who admitted taking data took paper documents or hard files, 53 percent transferred data onto a CD or a DVD, 42 percent transferred data onto a USB memory stick, and 38 percent sent documents as attachments to personal e-mail accounts.
Only 15 percent of all survey respondents said their companies conducted reviews or audits of their paper and electronic documents before they departed. Eighty-nine percent said their companies did not scan devices they carried out the door, such as USB memory sticks.
Twenty-four percent said they could still access the networks for a while after they left.
Adopting best practices serves as an organization’s first protection from data theft. Don Harris, president of HR Privacy Solutions in Delhi, N.Y., offers the following suggestions:
Recognize the seriousness of the threat.
Devote additional security resources to meeting the increased threat.
Identify, prioritize and protect the information assets of greatest importance.
Tighten or restrict access to such assets before layoff decisions.
Remove access to systems and files as soon as workers are told they will be let go. This is called de-provisioning.
Review and strengthen language concerning information assets in separation agreements.
Ponemon Institute researchers urge that policies "clearly state that former employees will no longer have access to sensitive and confidential information they used in their jobs. This includes information on laptops, other data-bearing devices and paper documents. The policy should outline what information is considered sensitive and proprietary."
Another aspect of data protection centers on social networking web sites. Too few policies state what former employees can and cannot say on such sites, says Tim Rhodes, chief executive officer of WebArgos Inc., a security consulting firm in Boise, Idaho. These sites have become virtual resumes for job seekers. Some disclose proprietary details when touting their roles in strategic plans, marketing strategies and results. Rhodes cautions that these sites are a source for analysts in the competitive intelligence industry who find information about clients’ rivals.
"Eighty-five percent of large companies do not have a policy for these social sites," he says. "The policy needs to state what you can and cannot post about your former job."
However thorough, a policy is likely to be ineffective without consequences. "If you are not enforcing your policies, it won’t be long before people are aware that you are not," Spinney says. "People need to know that violations are detected and the consequences are enforced." Employees are less likely to break rules if they know it will cost them, including a possible lawsuit, he says.
Susquehanna and SimplexGrinnell understand this. On rare occasions when former employees give confidential information to new employers, neither company shies from legal action against the ex-employees and the new employers.
"We once found out through a common customer about a breach and had to issue a cease-and-desist order for the former employee and his new employer," says Ulysses Shields, former director of corporate HR for SimplexGrinnell, who recently left the company in a downsizing.
The Exit Interview as Antidote
Onboarding procedures should require hires to read policies and sign confidentiality agreements, but agreements matter little if they’re ignored on layoff day, experts say. "Nothing replaces the one-on-one exit interview," Douglas insists.
Rhodes cites a 2006 study finding that companies conducting exit interviews suffer 40 percent less loss of confidential data. The survey of 1,000 former employees also found that companies giving departing workers a summary sheet of the kinds of information they could and could not take had 75 percent less loss than others, and companies showing the workers the confidentiality agreements they originally signed had almost no data theft.
Too often, exit interviews are skipped during mass layoffs, Rhodes says. "You must enable your managers to do this job. Train them to do exit interviews, and do not rely just on HR," he says. Some companies substitute group webinars for one-on-one interviews, he adds. There’s no hard evidence yet on the effectiveness of that approach, but he hears promising anecdotes.
Shields suspects that if every company had carefully orchestrated exit procedures, the results of the Ponemon survey would have been different. SimplexGrinnell, a subsidiary of Tyco International Ltd. of Pembroke, Bermuda, and Princeton, N.J., was formed by combining two companies several years ago. Since then, the company has gone through significant downsizings and rigorously conducted exit interviews.
Technology represents another key to reducing risk. Baroudi argues that the only acceptable practice is "one-button" de-provisioning of all access points, including passwords to networks, computers, specific applications, locks on doors and parking lots. The technology for doing this is fully mature.
Some laid-off employees may have access to 20 or 30 programs, and if de-provisioning is not automated, as many as 20 or 30 administrators will have to remove access, Baroudi says. "So, this is the case for automating it. It should be so simple that HR or a manager can push that button."
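An added example in Python of the audit and one-button fan-out described above (not Cyber-Ark's or Baroudi's code): it reconciles constructed HR separation records against per-system account exports to list access that should already be gone, then disables each orphan through a caller-supplied disable function and reports what failed instead of stopping at the first broken system. System names, usernames and dates are constructed assumptions.

```python
from datetime import date

# Constructed inputs (not from the article): HR separation dates, and account
# exports from each access-granting system (network directory, a business
# application, and the badge/parking controller).
SEPARATIONS = {
    "jdoe": date(2009, 1, 12),
    "asmith": date(2009, 1, 30),
}
SYSTEM_ACCOUNTS = {
    "network": {"JDoe": "disabled", "asmith": "enabled", "bchen": "enabled"},
    "billing": {"jdoe": "enabled", "asmith": "enabled"},
    "badge":   {"jdoe": "enabled", "bchen": "enabled"},
}
AS_OF = date(2009, 2, 6)

def orphaned_access(separations, system_accounts, as_of):
    """List (user, system, days_since_separation) for every account still
    enabled for a separated employee. Usernames are compared
    case-insensitively because systems rarely agree on their form."""
    orphans = []
    for user, sep_date in separations.items():
        if sep_date > as_of:
            continue  # future-dated separation: access is still legitimate
        for system, accounts in system_accounts.items():
            status = {u.lower(): s for u, s in accounts.items()}.get(user.lower())
            if status == "enabled":
                orphans.append((user, system, (as_of - sep_date).days))
    return sorted(orphans, key=lambda o: (-o[2], o[0], o[1]))

def deprovision(separations, system_accounts, as_of, disable):
    """One-button de-provisioning: call disable(system, user) for every orphan
    and return {"done": [...], "failed": [...]} so one person sees exactly
    which systems still need an administrator's hand."""
    result = {"done": [], "failed": []}
    for user, system, _ in orphaned_access(separations, system_accounts, as_of):
        try:
            disable(system, user)
            result["done"].append((system, user))
        except Exception as exc:  # one failed system must not hide the rest
            result["failed"].append((system, user, str(exc)))
    return result
```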
Many companies place too much faith in the people responsible for their networks and computers, says Adam Bosnian, vice president of product strategy and sales at Cyber-Ark Software Inc. in Newton, Mass., a software developer for one-button de-provisioning. Cyber-Ark surveys strongly suggest that administrators should not be trusted any more than the general population—and perhaps even less, given their access to so much data, Bosnian says. If company officials are forced to choose priorities, he argues, they should address the risk from internal computer experts first. "You need to treat these users very carefully," he advises.
Douglas sees many business leaders emphasizing the threats to data from outside hackers at the expense of internal threats. Studies by various organizations show the bigger threat is from the inside, and officials should adjust budget priorities and security emphasis accordingly.
In part because banking is heavily regulated on privacy matters and audited closely for data security, Susquehanna hasn’t cut back spending for these programs, Balderston says. "What we’re trying to do is attack this through technology, through education, and through having our employees experience it from a personal perspective."
In addition to annual ethics training emphasizing data privacy issues, the bank uses the latest technology, including some applications that employees don’t even know exist, to monitor and track suspicious activity by employees.
The bank subsidizes employee subscriptions in an identity protection service to underscore the importance it places on data privacy, Balderston says.
The Paper Trail
With all the emphasis on electronic data theft by insiders, enterprises must not forget the old-fashioned way information goes out the door wrongfully: in briefcases. Experts urge that any exit procedure needs to include a physical search of material departing employees plan to take out the door.
Douglas recalls a security audit he once conducted at the headquarters of a northeastern regional bank. He went through every room in the five-story building, including the bank’s double-locked, highly secure primary data center. No problem there. But there was a problem across the hall, in a room with a plain wooden door that could be breached easily.
"Inside this room," Douglas says, "were thousands and thousands of hard-copy files, piled up since the beginning of time, that anyone—an employee or a custodian—could have gotten their hands on."
The author is the magazine’s contributing editor for technology.
Survey report: Data Loss Risks During Downsizing (Ponemon Institute)