AMD is accusing a ring of former employees of this kind of act. But that kind of employee is the outlier, says Robert Hamilton, director of product marketing for Symantec.
"There's a substantial number of people that just don't realize that what they're doing is committing theft," he says. "Their employers would consider it theft. And the company that they're going to would also consider what they brought with them to be contraband. So what is it about these individuals that causes them to believe that what they're doing isn't wrong?"
A big part of it, Hamilton surmises, is that the pride in their work leads them to believe that it belongs to them.
"They feel they have some ownership rights because they've invested a lot of their intellectual equity into it," he says. "Nobody is going to argue that you don't have ownership rights to everything that's in your head -- the issue is taking stuff in electronic form, putting it in unauthorized locations, and intending to use it on a job at a new employer."
In addition to that deep-seated belief in ownership rights, rationalization and an apparent lack of consequences can make a dangerous combination in the minds of those who may consider it a gray area of morality that they're willing to overlook.
"Some people might think that it may not be completely appropriate, but they're not seeing their companies or their organizations taking steps to do anything about it," Hamilton says. "There's this sense of, 'I'm going to get away with it because I've never seen anybody get in trouble for taking stuff that they shouldn't.'"
The Human Element Trumps All
Whether it's due to ignorance or a lack of fear of reprisal, theft by otherwise honest departing employees has its roots at the human level, says Scott Crawford, research director for Enterprise Management Associates.
"Dealing better with people, recognizing what employees both need and want, and just plain being conscientious and ethical will go a long way toward mitigating these risks," Crawford says.
Employees who feel they've been dealt with fairly are a whole lot less likely to justify their actions in a disgruntled huff. Of course, corporate culture is a systemic issue that goes far beyond the purview of IT executives. But where IT has the opportunity to make a big difference is through cooperation with the business to develop clear data use policies and constantly communicate them.
"Organizations have a responsibility to clarify their policies on this," Crawford says. "They should also encourage dialogue with their personnel."
Without policies, not only are employees unclear as to their ethical responsibility to leave data behind, but the organization may lack legal recourse when information walks out the door, says Damon Petraglia, director of forensic and information security services for Chartstone.
"Every company needs an acceptable use policy. If the acceptable use policy says you are not allowed to download something, and you signed that, you know you broke the rule," he says. "Then organizations can start to establish some [illegal] intent there."
Using Monitoring To Target Communication
But measures shouldn't stop at an acceptable use policy and one-time signature. The reminders about those policies should be frequent. This starts first with broad-based communication across the board. For example, a system that issues a warning at log-in can act as a constant reminder of policies around data and also a warning of monitoring.
"So when you log onto your network or any resource from the company, a warning will come up that says you're accessing company information systems, including the computer, the network, anything attached to it," says Petraglia, who recommends that all of his customers push out such a message. "It shows that the machine is for authorized use only, and if you're not authorized, improper use will result in disciplinary as well as civil and criminal penalty."
But beyond the everyday reminders, organizations should be looking for targeted ways to educate users, says Hamilton. The kind of education he's talking about is not the generic security awareness training we usually associate with security guidance. It comes in concert with monitoring user behavior: flagging activities such as transferring source code for a valuable product to a USB drive, and then sending up a message that warns the user of dire consequences.
"Let's use the analogy that you're going down the street, and there's one of those flashing lights telling you that you're exceeding the speed limit," he says. "I would argue that that's education."
This kind of educational warning grows in importance during those final weeks at the job. CERT recommends a heightened level of monitoring and analysis of user behavior during those critical final 60 days, should the employer have that kind of advance warning. And the exit interview could provide an excellent opportunity to give an employee the chance to do the right thing without incurring reprisals, says Hamilton, who believes that simply arming an HR interviewer with a report detailing suspicious activities over the employee's last days can effectively nip bad behavior in the bud.
"No lawsuit has been filed at this point, no money spent on attorneys, but that individual that gets that counseling upon departure will think twice about bringing that confidential data and using it at their new job," he says.
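As an added illustration (not part of the original article and not any vendor's product code), this Python example combines the two ideas above: a point-of-action warning when protected files are copied to removable media, and a report of such copies during an employee's final 60 days for the exit interview. The event fields, path prefixes, user names and dates are constructed assumptions.

```python
from datetime import date, timedelta

WINDOW_DAYS = 60                             # final-60-days window cited from CERT
SENSITIVE_PREFIXES = ("/src/", "/designs/")  # hypothetical protected paths

# Constructed sample data: HR last-day feed and endpoint file-copy events.
SEPARATIONS = {"jdoe": "2024-06-28"}
EVENTS = [
    {"user": "jdoe",   "day": "2024-04-10", "path": "/src/gpu/core.c",      "dest": "usb"},
    {"user": "jdoe",   "day": "2024-05-20", "path": "/src/gpu/core.c",      "dest": "usb"},
    {"user": "jdoe",   "day": "2024-05-21", "path": "/home/jdoe/photo.jpg", "dest": "usb"},
    {"user": "jdoe",   "day": "2024-06-01", "path": "/designs/board.pdf",   "dest": "fileserver"},
    {"user": "asmith", "day": "2024-05-02", "path": "/designs/board.pdf",   "dest": "usb"},
]

def is_sensitive_copy(event):
    """Protected material written to removable media."""
    return event["dest"] == "usb" and event["path"].startswith(SENSITIVE_PREFIXES)

def in_final_window(user, day, separations, window=WINDOW_DAYS):
    """True if `day` falls in the user's last `window` days (inclusive)."""
    if user not in separations:
        return False                         # no departure on file
    last = date.fromisoformat(separations[user])
    return last - timedelta(days=window) <= date.fromisoformat(day) <= last

def review(events, separations):
    """Return (point-of-action warnings, per-user events for the exit report)."""
    warnings, report = [], {}
    for ev in events:
        if not is_sensitive_copy(ev):
            continue
        # Everyone gets the "flashing speed sign" reminder at the moment of the copy.
        warnings.append((ev["user"], ev["path"]))
        if in_final_window(ev["user"], ev["day"], separations):
            report.setdefault(ev["user"], []).append(ev)
    return warnings, report

def exit_report(user, report):
    """Plain-text summary an HR interviewer could bring to the exit interview."""
    lines = [f"Flagged activity for {user} in final {WINDOW_DAYS} days:"]
    lines += [f"  {ev['day']}  {ev['path']} -> removable media"
              for ev in sorted(report.get(user, []), key=lambda e: e["day"])]
    return "\n".join(lines)

if __name__ == "__main__":
    _, rep = review(EVENTS, SEPARATIONS)
    print(exit_report("jdoe", rep))
```

Copies made before the window opens, or by users with no departure on file, still trigger the on-screen warning but stay out of the exit report.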