Data theft by employees

As early as 2004, the US Secret Service and Carnegie Mellon University published the first of series reports on threats of data leakage from inside the enterprise. The report examined corporate data thefts and identified that 84% of data thefts are the result of insiders sending confidential information outside the company. Recently, Lending Tree informed its customers of a potential compromise of their financial information by former employees. Though the news per se is alarming, the event of data theft by employees is not necessarily rare. It can and must be happening to every company in some form or the other. Before contemplating on how to address it some thoughts on why it happens in the first place:

1) Employees have a sense of “ownership” on the content generated by them, and thus keep personal copies. This is most common in "creative" businesses like advertising, architecture etc. where individuals create works on behalf of the enterprise.
2) Employees seek financial gain by leaking information. This borders on corporate espionage and typically happens when employees are in the process of leaving the organization.
3) Information is shared accidentally with unintended recipients
4) Devices on which data is stored are stolen / left unsupervised (pen drives, Laptops, portable hard disks, CDs etc)

Manifestation of the above is facilitated with some shortcomings / negligence by company data security policies:

1) Broadly, the most common data protection adopted is “access” control based. People either have access or not. But once access is provided, the recipient is generally free to copy, print, forward the information to others.
2) Most of the security measures deployed are perimeter centric. In other words, the data is secured as long as it is within some physical boundaries like applications, networks, devices etc. But as soon as the data leaves the boundary, there is no control
3) Business relations are dynamic, but security of information is not. Information once shared with partners, employees, customers, analysts, media etc is almost shared always. It is not possible to revoke access or re-call the documents once the recipient has already accessed it once.

A fundamental shift in the way information security policies are defined and technology is implemented is required. From a perspective of internal data thefts the thin line between "use" and "misuse" has to be defined and clearly marked.

For example, Richard, the sales director, viewing and forwarding sales data on 7th June might qualify as "use" but it would surely be "misuse" on 8th June when he has resigned from the company! Present information security technologies do not normally take care of such situations.

Information rights management technologies like Seclore FileSecure help define this fine line and ensure that Richard the sales director can "use" the information but will not be able to "misuse" it. This is provided by enabling Usage control, which helps to embed more granular restrictions on usage of information than just access control. Also, this control is dynamic and can be revoked or expanded on demand.