In-Depth

Survey Highlights Threats from Disgruntled Employees

Employees who believe they may be fired may steal proprietary information to blackmail management

• By Stephen Swoyer
• 12/09/2008

A new survey from security software specialist Cyber-Ark Software paints a discouraging picture of both information security and human nature.

Employees are prepared to go to great lengths to keep their jobs, Cyber-Ark says -- with many willing to make significant concessions, such as doubling their workloads (to 80 hours a week) or taking salary cuts to retain their positions.

However, employees are also prepared should they see staff cuts coming. More than half of survey respondents say they've already acquired "competitive corporate data" with the intention of using it as a hedge against losing their jobs, either as a negotiating tool to entice new employers or to use to blackmail their existing bosses.

Cyber-Ark says it surveyed "600 office workers" in three geographic locations -- New York, London, and Amsterdam. Given that Cyber-Ark's U.S. sample relied largely on responses from employees who work on Wall Street, you might reasonably expect that the percentage of workers who said they planned to steal competitive information would be greatest in the United States. You'd be wrong. According to Cyber-Ark, workers in Holland are the most likely to make off with confidential data. Nearly three-quarters (71 percent) of Dutch workers confessed to having already acquired information, compared with 58 percent in the United States and 40 percent in the United Kingdom.

The impetus to steal correlates strongly with a perceived likelihood of being fired: 71 percent of respondents acknowledged that they'd "definitely" steal proprietary company information if they knew they were going to be fired.

Not surprisingly, employees tend to steal data that's of notional competitive value: respondents cited resources such as customer and contact databases, as well as company plans or proposals, internal (proprietary) product data, or (when possible) access codes and other passwords. Employees seemed least inclined to steal HR records or legal documents.

In the current economic climate, naïveté is not an option, Cyber-Ark officials claim. "Employers have a right to expect loyalty from their workforce, however this works both ways and in these dark days everyone is jittery especially with layoffs at the top of most corporate agendas, the instinct is to look out for number one," said Adam Bosnian, vice president of products, strategy, and sales with Cyber-Ark, in a statement. "It would be unthinkable to leave money on a desk -- [it's] an obvious temptation to anyone passing[.]"

IT organizations need to take a similar approach, Bosnian argues, by proactively locking down proprietary or sensitive information. "If times get hard, and they invariably will, companies need to ensure that any cutbacks aren't deeper than expected when stolen data unexpectedly eradicates any chance of survival -- our advice is to only allow access to sensitive information to those that really need it, lock it away in a digital vault, and encrypt the really sensitive data."

In surveys past, Cyber-Ark has highlighted several eyebrow-raising trends -- such as its finding that many IT organizations still use Post-It notes to maintain crucial password lists (see http://esj.com/case_study/article.aspx?EditorialsID=3311). Cyber-Ark's latest survey doesn't disappoint in this regard, either. For example, officials note, 15 percent of U.S. respondents said they'd consider blackmailing their bosses to keep their jobs, and more than a quarter say they'd be "prepared to buy the next round of drinks for a year" if doing so would vouchsafe their job security.