What’s Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk (Global Results, February 6, 2013)


Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, according to a global survey from Symantec, and 40 percent plan to use it in their new jobs. The results show that everyday employees’ attitudes and beliefs about intellectual property (IP) theft are at odds with the vast majority of company policies.


Page 1: What's Yours Is Mine

What’s Yours Is Mine How Employees are Putting Your Intellectual Property at Risk

Global Results

February 6, 2013

Page 2: What's Yours Is Mine

Methodology

The Ponemon Institute surveyed 3,317 individuals in 6 countries across industries

What's Yours Is Mine - February 6, 2013

United States 788

UK 530

France 491

Brazil 565

China 440

Korea 503


Page 3: What's Yours Is Mine

Key Findings

• Employees are moving IP outside the company in all directions, and it is never cleaned up

• Most do not believe using competitive data taken from a previous employer is wrong

• Employees attribute ownership of IP to the person who created it

• Organizations are failing to create a culture of security; employees don’t think their organizations care


Page 4: What's Yours Is Mine

IP is moving outside companies and never cleaned up

• The majority of employees transfer work documents outside and don’t understand that it’s wrong

– Half regularly email business documents using personal accounts (like Gmail) to their home computer where security is weaker

– One-third move work files to file sharing apps (like Dropbox) without permission

– 2 out of 5 download work files to their personally owned mobile devices (tablet or smartphone)

• The majority do not delete the data they’ve moved

Security protection in home networks is weaker*

• 20% of consumer-grade endpoints compromised by malware

* Gartner, Top Technology Predictions for 2013 and Beyond, Nov. 2012


Page 5: What's Yours Is Mine

Employees think it’s OK to take and use competitive IP

Organizations are at risk as unwitting recipients of stolen IP

• 50% of employees who left/lost their jobs kept confidential information

• 40% plan to use it in their new job

Employee leaves company & takes IP

• 60% say a coworker hired from a competing company has offered documents from the former employer for their use

Employee starts new job, offers documents (stolen IP) to new coworker

• 56% of employees do not believe it is a crime to use a competitor’s confidential business information

Employee uses the competitor’s confidential info

• 68% say their organization does not take steps to ensure employees do not use competitive info

Organization at risk from use of stolen IP


Page 6: What's Yours Is Mine

Employees Believe That They Own the IP

• Employees don’t get it – they don’t personally own IP, companies do

– 44% of employees believe a software developer who develops source code for a company has some ownership in his or her work and inventions

– 42% do not think it’s a crime for this software developer to reuse the source code, without permission, in projects for other companies

• Employees are not concerned about employee agreements (IP, NDAs, etc.)

– 53% say no action is taken when employees take sensitive information that is against company policy


Page 7: What's Yours Is Mine

Failure to create culture of security

Only 38% say manager views data protection as business priority

Top Reasons: Employees think it’s OK to take corporate data

• Sharing the business information does not negatively impact or harm the company

• Company has a policy that is not strictly enforced

• Business information is generally available and not secured

Top Reasons: Employees do not delete info they take

• It takes too much time

• Management doesn’t really care

• No one will know if this is done or not


Page 8: What's Yours Is Mine

Recommendations

1. Employee education

• Organizations need to let their employees know that taking confidential information is wrong

• IP theft awareness needs to be integral to security awareness training

2. Enforce NDAs

• Stronger, more specific language in employment agreements

• Focused conversation during exit interviews

• Make employees aware that theft of company information will have negative consequences to them and their future employer

3. Monitoring technology

• Implement DLP technology to monitor inappropriate access and use of IP and automatically notify employees of violations

A multi-pronged approach


Page 9: What's Yours Is Mine


Appendix

Select questions included

For full survey results, please contact [email protected]


Page 10: What's Yours Is Mine

Q4a-e. How would you rate the following statements? (strongly agree and agree responses combined)

• My manager takes appropriate steps to protect sensitive or confidential business information: 52%

• My organization takes action when employees take sensitive information that is against company policy: 47%

• My manager views data protection as a business priority: 38%

• My organization does not allow employees to access and use sensitive or confidential business information from remote locations: 35%

• Most employees in my organization are cautious in the use and handling of sensitive or confidential business information: 43%


Page 11: What's Yours Is Mine

Q5. What types of sensitive or confidential information do you have access to in the normal course of your job? Please check all that apply.

• Customer information including contact lists: 45%

• Email lists: 64%

• Employee records: 33%

• Non-financial business information: 38%

• Financial information: 19%

• Source code: 15%

• Other intellectual properties: 28%

• Other (specify): 1%


Page 12: What's Yours Is Mine

Q6. Which one statement best describes your access privileges to sensitive or confidential business information within your organization?

• My access privileges are too limited and at times prevent me from doing my job: 17%

• My access privileges appropriately match what I need to do my job: 51%

• My access privileges allow me to do more than necessary to do my job: 29%

• Unsure: 3%


Page 13: What's Yours Is Mine

Q10a. Do you believe there are times when it is acceptable to transfer work documents to your personal computer, tablet, smart phone or Internet file sharing tool?

• Yes: 62%

• No: 28%

• Unsure: 10%


Page 14: What's Yours Is Mine

Q10b. If you answered yes, why do you think it is acceptable?

• Company does not have a data protection policy: 19%

• Business information is generally available and not secured: 44%

• Advance permission is obtained from a supervisor or manager: 21%

• Computer or device retaining this information is secure: 30%

• Business information was authored or co-authored by the employee who shares it: 30%

• Sharing the business information does not negatively impact or harm the company: 53%

• Employee who shares this information does not receive any economic gain: 38%

• Company has a policy that is not strictly enforced: 51%


Page 15: What's Yours Is Mine

S4a. Employees download confidential documents to their personally owned mobile devices used in the workplace such as tablet or smartphone. Do you ever do this?

• Yes: 41%

• No: 59%


Page 16: What's Yours Is Mine

S4b. If yes, how frequently do you do this? Very frequently and frequently combined.

• At least once a week: 41%


Page 17: What's Yours Is Mine

S4c. If yes, do you remove, erase or delete business documents from your mobile device (tablet or smart phone) after using this information? Rarely and never combined.

• Rarely or never: 62%


Page 18: What's Yours Is Mine

S4d. Do others in your organization do this?

• Yes: 50%

• No: 50%


Page 19: What's Yours Is Mine

S4e. If yes, how frequently does this happen? Very frequently and frequently combined.

• At least once a week: 43%


Page 20: What's Yours Is Mine

S4f. If yes, do others take steps to remove, erase or delete business documents from the mobile device after using this information? Rarely and never combined.

• Rarely or never: 65%


Page 21: What's Yours Is Mine

S4g. If you said you do take steps to remove, erase or delete documents (choice = always or sometimes), why?

• To comply with data protection practices: 54%

• To protect the data from unauthorized parties: 57%

• The data is likely to be valuable: 11%

• To avoid getting into trouble with management: 51%

• It is the right thing to do: 18%

• The mobile device is likely to be insecure: 13%

• Other (specify): 0%


Page 22: What's Yours Is Mine

S4h. If you said you do not take steps to remove, erase or delete documents (choice = rarely or never), why?

• It takes too much time: 67%

• No one will know whether this is done or not: 40%

• This data is not likely to be valuable to anyone: 18%

• Management doesn't really care: 43%

• There is no policy or requirement to do this: 35%

• The mobile device drive is likely to be secure: 10%

• Other (specify): 1%


Page 23: What's Yours Is Mine

S4i. In addition to the above facts, assume that permission from management is not obtained. Do you view the transfer of business confidential information to your personally owned mobile device (tablet or smart phone) in the above scenario a crime?

• Yes: 30%

• Yes, but only if the data is not removed, erased or deleted after use: 25%

• No: 46%
