2010 Market Pulse Survey: Moral Grey Area Exposes Companies to Data Theft

SailPoint recently announced the results of our 2010 Market Pulse Survey focused on employees’ attitudes toward company data. We got some pretty startling results from the more than 1,500 workers polled in the U.S. and Great Britain:

  • Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.
  • Interestingly, only 16% said they would take office supplies with them.
  • 49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.
  • Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.

For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing.” I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.

So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.

At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s IdentityIQ, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also makes sure that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and also provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.

What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand webinars (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2nd edition of our Identity Governance Buyer’s Guide.