You just fired Mario, who was struggling to make his quota. You kept his company-issued laptop, de-provisioned him from your company’s cloud services, intranet, and online databases. Shut down his corporate email account. “Phew. Glad that’s over!” Every box on your HR department’s Exit Procedure Form, ticked. Time to head out for sushi!
While you’re deciding between Uramaki or Makizushi, you have a queasy feeling about Mario. During his tenure, Mario received price lists, proposal templates, discount schedules, engineering updates, and new product announcements. He had internal memos about product defects, and patches—or workarounds—for service issues.
He had the sales team’s compensation and incentive plan down to the tiniest details, PowerPoints loaded with opportunity heat maps and sales performance pie charts. You’re not sure if he saw the specs for your upcoming software release, marketing’s five-year strategic plan, and HR’s recruiting strategies and tactics, but IT just told you that he had unrestricted access.
Where, oh where is that stuff now? Who might be reviewing your files and documents and forwarding them on? Hard to say. Mario’s not answering his cell phone or responding to email. You loosen your tie and order a drink, because your wasabi just got a little hotter.
To competitors, Mario is a walking, talking, sharing goldmine of company intelligence—a not-insignificant risk. In fact, in the 2013 State of Cybercrime Survey, when US public and private-sector executives were asked “with respect to your organization, what is the most adverse consequence that has ever occurred from a security event caused by an insider?” their top response was “loss of confidential or proprietary information.”
How can companies protect themselves?
Prepare. “Companies should focus their security efforts by identifying the data and systems most in need of protection, then act to limit access,” according to a recent article in The Wall Street Journal, “Stop Information Theft by Employees.” Proper preparation also includes planning for the end at the beginning. Before hiring a new salesperson, require a signed non-disclosure agreement (NDA), and when appropriate, make sure company communications conform to designations such as proprietary or confidential.
Prevent. Data Loss Prevention software such as Migrate2.com “can help to protect data from any number of sources, such as portals, applications, personal employee information, e-mail communications and documents,” according to the company’s website. In addition, by regularly updating price lists, commission plans, and other company-confidential documents, you can reduce their usefulness if they fall into the wrong hands.
Detect. An employee who intends to obtain confidential information can be exposed by tracking new activity in keyword searches, or by the employee’s requests to access databases that might be outside of his or her normal business needs. Some software applications like IBM’s InfoSphere Guardium Data Activity Monitor can issue alerts when risk conditions are met.
Respond. While forensics tools, such as EnCase, help organizations discover the extent of information theft after the fact, companies respond poorly to information breaches for a major reason: no one likes to publicize or even talk about them. “Yeah, as of today, Mario’s not on the team. Heaven knows what he did with our customer contact lists . . .” Instead:
• At the employee’s exit interview, retrieve the file copy of the signed NDA—assuming you have it—especially if it was completed more than a year ago. Remind the employee about what’s enforceable, and underscore the company’s intention to maintain the terms of the agreement.
• Don’t sweep the situation under the rug. Let your sales team and others in the company know right away what happened, which information was compromised, which risks are most concerning, and why.
• Let anyone with skin in the game—including employees, customers, and resellers—know how you will respond, and provide guidance for actions they need to take.
• If breached information might compromise a customer relationship, make sure you take steps to manage the problem before your customer learns about it.
Salespeople possess a rare blend of corporate information—one that’s useful to many outside the organization. With Mario, at least there’s a consolation: a year from now, his pirated information probably won’t be any fresher than your sushi.