(22) A Little Downsizing Brings a Lot of Risk

More than half of departing employees will steal corporate data, according to a February 2009 survey report from Ponemon Institute:

  • 59% of employees who depart are stealing company data
  • 79% of these admit that taking the data was prohibited

The study reveals that companies are doing a very poor job at preventing former employees from stealing data. Other surprises:

  • 67% used their former company’s confidential, sensitive or proprietary information to leverage a new job
  • About 68% are planning to use such information as email lists, customer contact lists and employee records stolen from their employer

Not only is this putting customer and other confidential information at risk for a data breach but it could affect companies’ competitiveness and future revenues. Download and read this report (registration required).

Recently I spoke with one Silicon Valley executive whose company management realizes that security risk is part of the operational risk that managers must take into account when evaluating or planning changes to the company.

Smart Business and Smart Security

It will take more than a minute to read his comments below, but each sentence is worth reading very closely. This is a very good example of smart business thinking that has a critical security impact. It is also an example of a security policy that, when followed, adds significant value to the business.

“A voluntary or involuntary departure of any technical, sales or marketing staff is always of concern, given that the information they hold would be of very high value to our competitors. If a disgruntled employee is involved, the vulnerability can be serious, as the employee can feel “justified” in taking actions that harm the company. If a reduction in workforce is mandated, the information risks can skyrocket.

“Our company goes well beyond “enforcement” of employee contractual terms, which is a weak security stance. Of course IT actively monitors the use of USB drives and CD drives to identify copying policy violations, since blanket automatic restriction of copying for some positions conflicts with job requirements. But that doesn’t cover what the employees have in their heads.

“We are fortunate in that our senior executives are well known and highly thought of in our industry, and we have a company culture that results from the fact that our senior executives genuinely care about our people. That helps us bring valuable personnel into the company.

“We currently face a tough situation. We have recently hired some top talent away from other jobs, and we now have to let them go due to board mandates for workforce reduction. Personal admiration and trust is what brought these individuals to our company. It would be bad business ethics as well as bad public relations to simply turn them out onto the street, having cost them their previous employment positions. The senior executives who brought them in would lose their trust, something that has been built over the years. The trust and standing of our senior people in the local community, and in our industry, are part of our corporate value, and are assets to be protected.

“The challenge is to comply with the current board mandate in such a way that we not only protect those assets (trust and confidence, community standing), but retain the ability to rehire the employee when circumstances improve, which they will sooner or later. I’ll explain how we address this security challenge strategically.

“Our senior executives (marketing, engineering and sales) get on the telephone, and use their industry contacts to find new employment for our key people who will be let go. One security benefit is that by talking to the new employer, we can ensure that the new employer has terms in the employment contract that specifically cover not revealing information from our company. This is more proactive than most companies get, but that is a minor security measure. Helping the employees find a new job actually strengthens their trust and loyalty, and enhances our company reputation in spite of the negative circumstance. The strong loyalty engendered—person and company—is the best security measure we have, as it is hard to consider an act against the people and company that are helping you.

“Through this strategy to address the heightened risk, our security policy actually adds value to the company.”

Not every company is in this exact situation, but this example serves to illustrate that security is not a band-aid slapped on top of other business practices. The best security is embedded within company practices, and is part of the change planning and management process.

Doing Nothing

This downsizing risk is one where “doing nothing” means accepting the risk. Doing something—whatever can be done with existing resources—means reducing the risk.

I have sat in the kind of meeting that you will never want to sit in. A board member for a prospective client was outlining how she discovered that a key competitor had been hiring the company’s former employees, complete with proprietary material. She explained the competitor’s strategy that had already put another company like theirs out of business. This competitor was 70% of the way through executing that same strategy on my prospective client, as indicated by a severe drop in a business unit’s revenue—a unit whose revenue only drops when customers move away to another supplier. As the customer cycle was typically a 3-year cycle, that lost business (which had just started to reveal itself in the quarterly report) was unrecoverable for three years or more.

Simple no-cost business security measures could have prevented this from happening. Instead executives were spending most of their time trying to figure out how to stop the bleeding, and how to recover, and were not sleeping well at night.

The entire scenario had been enabled by a 10% reduction in workforce, with no strategy or thought applied as to the risk of information loss. The reduction in workforce took place two years earlier. The competitor had been working on their key accounts for well over a year. All this time they had been thinking that their own brilliant marketing had put a now-gone competitor out of business. In actual fact it was a stealth business plan of another competitor—successfully implemented using the now-dead company’s proprietary information and former employees—that had killed that company. That same competitor was now killing them.

Weak Position

If you don’t have sufficient security measures in place, the legal remedy options will be limited, according to court rulings. For example, in United States vs. Shiah*, the court found the employer’s considerable security efforts insufficient. Security measures included a Confidentiality Agreement signed by every employee, explaining the value placed on confidentiality and indicating the types of documents considered confidential. This agreement also prohibited employees from taking confidential information with them upon their departure. The company maintained high physical security as well as strong information systems security.

This wasn’t enough.

The court noted that the company had failed to thoroughly explain the Confidentiality Agreement to the employee before he signed it, and failed to give the employee a copy so that he could refer to it over the course of his employment. The court also found the following additional deficiencies:

  • The company did not give the employee training about what information is confidential and how to handle confidential information.
  • The employee agreement was overbroad in that it designated almost all information as confidential, so that it would be difficult for the employee to determine what information actually was confidential.
  • Ongoing training should have been provided to employees, which should have included methods for ensuring that information stayed protected.
  • The company also lacked a comprehensive system for designating which documents were or were not confidential.

Note that these deficiencies all refer to security measures that can be initiated at relatively low budgetary cost.

The case was not successfully prosecuted, despite the fact that the employee had put the information to use on the job for his next employer.

Time for Action

Don’t assume that sufficient protective measures are in place. If you haven’t already, do an information risk assessment now, specifically around departing employees, and follow up on the results.

It can be a dangerous situation. Are you in it?

Best regards,
Ray Bernard

*United States v. Shiah, 2008 U.S. Dist. LEXIS 11973 (C.D. Cal. Feb. 19, 2008). For specifics about this case and how to address the vulnerabilities identified, see the book Information Nation: Seven Keys to Information Management Compliance by Randolph Kahn and Barclay Blair.

