Data Privacy and Security

Data Revenge: Is Data Walking Out of your Business?

We’ve all heard stories and examples of people leaking company or government data, either intentionally or mistakenly. Memos made public to the press, documents sent to personal emails or high-profile whistleblowing – all are examples of employees making their own judgements as to what information can be shared. Businesses concentrate on keeping information contained within the organisation by shoring up the IT systems but often forget about the risks so often posed by employees, whether malicious or unintentional.

Securelist has drawn up a list of ‘insider’ profiles to help companies recognise and understand the high-risk groups. This list includes: “the careless insider” – the most common type, defined as a non-managerial employee who leaks information unintentionally; “the naïve insider” – vulnerable to unscrupulous ‘market research’ or other confidence trick activity; and those who leak information maliciously, “the saboteur” – often a disgruntled employee who feels passed over, and “the disloyal insider” – generally someone about to leave the company. 

There are some interesting statistics about each ‘insider’ group that leaks business information, and much of it is based on an emotional relationship with the company. Research by Iron Mountain found that a third of employees have taken or forwarded confidential information out of the office on more than one occasion and that when people change jobs, sensitive information is especially vulnerable[1]. The Ponemon Institute found that 61% of employees who disliked their former employer took information, compared to only 26% of those who had happy memories of their previous role. Employees don’t always take information out of malice, however. Our research found that they do so because they feel a sense of ownership over the information or believe it will be useful to them in their next role.

Information is more at risk when employees change jobs, but what about the employees who remain in employment, yet seek to take revenge on their employer? Additional research[2] has shown that employees who have other workplace grievances, such as being blamed for something that wasn’t their fault or being treated unkindly, are also motivated to take ‘data revenge’.

While many employees are content to vent their feelings across the office, a further 24% would let off steam in an email to friends and family – paving the way for further distribution. Eleven per cent, however, would forward confidential information out of the office, regardless of whether or not it was related to the incident.

Whatever the reason an employee has leaked information, the consequences for both business and employee could be far more devastating than either may first imagine. The employee concerned risks derision, dismissal or even a prison sentence, while the employer faces a potential PR disaster, a breach of increasingly stringent data protection laws, or criminal proceedings.

Whether it’s a disgruntled employee leaking information to the press or simply an exiting employee forwarding themselves a database for future use, employers need to realise that responsibility for information security is not just about robust guidelines and processes, but also about improved people management and understanding.

Companies need to ensure that employee performance issues are tackled early on, and fairly, and that staff concerns about potential malpractice or mistreatment are taken seriously and investigated. It’s also important for them to ensure that employee-exit procedures are robust and compassionate, and that guidelines recognise that how people feel directly influences their behaviour and actions.

It is about building a culture of information responsibility that includes trust and respect for employees and respect for the value of information that belongs to the employer. As the CIA discovered earlier this year, you can’t build a culture through internal directives. The organisation launched a confidential programme to cut down on a number of confidential data leaks across its intelligence network. The memo was promptly leaked to the Associated Press. Organisations need to communicate carefully about the need for data protection and lead by example.

Christian Toon, Risk and Security at Iron Mountain

[1] Iron Mountain and Opinion Matters, June 2012

[2] Research by Opinion Matters for Iron Mountain. The survey was carried out between 15/04/2013 and 01/05/2013. Sample: 5021 employed adults in the UK, France, Spain, Germany and the Netherlands.



Christian Toon

Head of Information Risk at Iron Mountain
