Businesses ignore data theft threat posed by own employees

Published on 14 Dec 2006

Research from Prefix IT shows that lax management attitudes have allowed a culture of data theft to flourish in the British workplace.

The research also suggests that while most organisations spend time and money to protect against external data theft threats, many are failing to address the thriving data theft culture of their own workforce.

With 60% of workers admitting to theft of confidential documents, customer databases, business contacts and sales leads Prefix suggests that poor processes, policy creation and communication mean that management practices are out of step with today’s office morals.

However, only 7% of managers believe the issue of data theft has affected their companies and 29% of managers say the topic is not recognised at board level. This climbs to 50% in SMEs.

Seventy-three percent of workers are unaware of any special security measures to prevent workplace theft, and 44% of employees are unaware of any policy explaining what can and cannot be taken home. A further 63% say there are no restrictions on using personal portable devices e.g. USB memory sticks in the workplace.

Graeme Pitts-Drake, CEO of Prefix IT, said:

"Whilst trust in staff is laudable, it is professionally negligent not to protect company assets appropriately through policy and technical means. Failing to communicate with staff about un-acceptable activities is tantamount to endorsing theft."

To prevent employee data theft businesses should have strict policies in place that cover issues such as what information belongs to the company; what can and can't be taken home by employees; and restrictions on use of portable memory devices. As well as having a policy employers should ensure that they have active security measures in place to prevent or trace workplace theft; for example, having audit trails means if data is stolen or leaked the source of the leak can be traced. Employees should be made aware of the consequences if they don't follow the policy or breach the security measures.

Employers should also ensure that employees have signed properly drafted employment contracts containing confidentiality clauses. Employees should be reminded periodically of their responsibilities and these contractual obligations. If needs be this will give a legal basis to claim an employee has breached company confidence. Secondly, it will act as a form of deterrent, ensuring that employees know that there are certain legal obligations which they have signed up to. In addition, employers can retain the right within their employment contracts to monitor employees' use of office IT facilities and carry out investigations without the need to inform the employee.