Staff steal data

By Leon Engelbrecht, ITWeb senior writer

Johannesburg, 05 Jul 2007

A new international study found that half of all employees begin their new jobs using competitive information taken from their old employers - and local security experts say there is no reason to believe it is any different in SA.

A recent Check Point survey on staff and data security shows almost half of the people polled admit they would take useful information and data with them to their next job. It is also unlikely that anyone would stop them, as 75% of companies, based on the survey, have no security in place to prevent information going out the door.

Eighty-five percent of employees admitted they could easily download competitive information and take it with them to their next job, in spite of 74% of these companies having a policy that specifically states company personnel are not allowed to take company information out of the office.

Two hundred senior European IT professionals were quizzed for the poll. The survey found British employees were not quite as trustworthy as their Scandinavian counterparts. Most Nordic employees admitted to downloading data from their current employer, but 32% said they would go on to use this information for competitive advantage in their next job.

Port Authority MD Guy Golan says there is no available comparable local study, although "our local experience with clients confirms the tendency, though we cannot quantify it for now".

Panda Software SA communications manager Alex Matthews says trust and loyalty is at issue.

Mobile office?

<B>Some</B> <B>simple advice on preventing data loss</B>

* Educate your staff so that they are aware of the security and legal implications of downloading sensitive or competitive information.

* Include the management of all mobile devices in your security policy.

* Specify that all staff members have to sign your security policy, to ensure that they will not download sensitive or competitive information, nor will they use this information to take to their next job and make sure you have the appropriate software to enforce the policy in place.

* If you have sensitive information you do not want downloaded, then block end-points on computers with efficient and cost effective software.

* Ensure that all USB sticks that are connected are encrypted.

* Use encryption software that does not impair the use of the device and make sure those employees cannot by-pass the encryption - it therefore needs to be transparent to the user, quick and easy to use.

* Remember security is a two way process - you need to have your staff on your side, so complement sensible, workable policies, with centrally controlled security technology combined with trust, education and understanding.

The Check Point survey found 81% of people take files from work to use at home, with the majority favouring USB sticks over laptops as the preferred data store, because they are more convenient, cheaper and easier. "Thirty-three percent store work data on their USB stick, versus 14% who now use a laptop," Check Point says.

USB sticks create a real security headache for most companies as it is difficult to keep tabs on them because they are small and can go unnoticed by managers and security personnel. They are also far easier to lose in transit - making them a likely target for opportunists.

Check Point spokesman Martin Allen says: "USB sticks are now more popular than ever, with everyone from children up to the CEO travelling around with data on their USB sticks. Many can now carry 16Gb around with them in their pockets, which is 640 reams of paper in your pocket. ...It's not surprising they can become a serious security risk.

"Companies spend millions on their security and just forget about the fact that millions of pounds worth of valuable data is 'going walkabout' on people's key rings, and a great deal are very happy to download information to take with them to their next job," Allen adds.

"Without being too draconian, our advice is to lock down computers with vital information and make sure you centrally control USB sticks by supplying them to your staff with mandatory encryption in place. That way, they can freely use them, keeping the data safe at all times."

Matthews says the easiest way to prevent data leakage via USB sticks is to ban them. "Many companies (TOSAS is one such an example in SA) have disenabled USB ports on computers on their network. Company policy also plays an important role: contractual agreements should state that employees leaving the company may not remove data," he says.

Matthews further warns that malware and other threats can enter a corporate network via USB sticks. Spyware and Trojans on the hunt for information have been known to enter the network through a USB stick. Firewalls then often don't help, Golan adds, as they are designed to keep hackers out, not information in.