Desperate times lead to desperate acts, including theft of valuable intellectual property. Protecting this information is challenging, but not impossible. Companies can prevent losses with the right combination of technology and detailed policies and procedures.
For companies struggling to weather today’s economic storm, the operative word is “downsizing.” Although layoffs generate cost savings, they also put companies at risk as vital information can walk out the door with frustrated employees. To insulate businesses from potentially massive losses, company officials must work closely with their IT and security resources to implement effective controls and fortify hiring and exiting procedures.
The costly reality
Consider some findings from a recent study conducted by computer security firm McAfee, Inc., which surveyed 800 companies worldwide. In the report titled Unsecured Economies: Protecting Vital Information, companies reported average losses of $4.6 million in intellectual property in 2008. What did they cite as the major cause? Their own employees.
When you combine today’s layoff-laden climate with the relative ease of transmitting information, the result is a virtual invitation to steal. Individuals motivated by fear of an uncertain future have easy access to flash drives, e-mail, and other back door avenues that enable them to penetrate vital areas to take, sell, or change intellectual property.
Imagine, for example, that a company has employed a mathematician for several years. The employee brought a unique outlook to the firm and made some significant contributions. But when the time comes to let that employee go, he feels resentment and a sense of ownership in the work he has done. He may then decide to “punish” the company by taking his work with him, despite the fact that he was paid a fair salary for his contributions.
Go back to basics
The first step in remedying situations like these is to return to the beginning -- revisiting your hiring policies. From day one, the rules must be spelled out so employees clearly understand their obligations about protecting intellectual property and the ramifications involved. Although it may be time-consuming, it is well worth the effort to make sure these policies are in place. An often overlooked option is in a well-formed employment agreement. If you don’t have one and do not have general counsel to help create one, seek advice from a law firm.
It is also important to understand each employee’s roles and responsibilities. Think through what you will allow people to do and set up their security passwords and system rights accordingly. Those rights should be individually based as well as role-based, taking system integrity and support into consideration. Also consider increasing separation of duties of individuals who work on various applications and technologies.
For example, you may hire a great developer, but that person would not need access to the company’s financials unless they are specifically working on them. The key is being precise -- the more open the policies, the wider the employee access.
Exit with care
Just as you developed careful hiring procedures and policies, create a detailed checklist of exit procedures that are unique to your company. When layoffs occur, implement this checklist very quickly, particularly if employees had access to vital information.
As you refine your exiting policies, consider how your layoff procedures will affect your culture and the level of trust between management and employees. A particularly hard clamp-down before an employee departure may be good business, but it may also be perceived negatively by employees. When trust is compromised, people may react negatively, e-mailing or downloading files well in advance.
Employ the right tools
Beyond a physical check of materials carried by departing employees, a variety of technological tools are available to prevent and detect data theft. First, make sure your firewalls are up to speed. Immediately shut off a separated employee’s passwords and all other access points they have been granted. Also shut off the individual’s internal connections and company email.
When checking computers and e-mail, review where the employee sent files in the days preceding and following their departure. Consider how the separation occurred; there is a greater chance of information being transmitted if the employee was given several days warning. Pay special attention to e-mail sent with attachments and utilize tracking software to look for unusual activity, particularly files that have been downloaded to external drives.
Losing employees has never been easy, but it is an increasingly common aspect of daily business. Compared with the cost of losing valuable information, the cost of setting up good policies, procedures and checklists is relatively small. Precise implementation of controls and tools can mean the difference between a sad departure and a serious hit to your bottom line.
Mike Gorsage is a Partner and Technology Practice Leader for Tatum LLC. Tatum is the nation’s largest executive services firm, providing financial and technology leadership nationwide.