CEOs and Boards routinely assess risks to the business enterprise. This typically involves identifying events or circumstances that affect the business’s bottom line, how likely it is to happen, how big of an impact it might have, and a strategy for how to respond. The focus tends to be on external threats (e.g., potential labor disputes, plant closures, supply line disruptions, or cyber-attacks), financial compliance, legal issues, or property and liability insurance. There is an acknowledgement that employees are a potential risk, but it is generally viewed from a fraud investigation perspective. Few companies look closely at trusted insiders (employees, trusted business partners, third party vendors, and contractors) when considering business risks -- and fewer still develop strategies or implement measures to manage it.
High profile lessons
Recent high-profile cases illustrate the importance of effective insider risk management programs and why organizations need to do more than pay lip service to it. In one case, a disgruntled employee who fatally shot five people and wounded five officers began shooting after he was told he was being fired. While it is unknown whether he knew he was about to be fired, a company official said he had been going through a discipline procedure and had been written up previously. Unfortunately, workplace violence has become a much too common occurrence, and all seem to have a common thread – a disgruntled employee.
There are countless cases in recent years of employers filing lawsuits against former employees for the theft of intellectual property and trade secrets. Most are discovered after the employee has resigned or been terminated. For example, a transportation company filed a complaint against two former employees alleging that they misappropriated trade secrets. Unusually secretive behavior by one of the employees initiated a review of his work email account where they found that he had “sent several confidential documents to his personal email account without authorization; he then deleted the sent messages and emptied his trash folder.” The company asserted that the individuals had disclosed and planned to continue to disclose the trade secrets to creditors in order to disadvantage the company in its ongoing negotiations related to their debt restructuring. Numerous companies over the last few years have filed breach of contract lawsuits against former employees for stealing confidential information and trade secrets.
In a company that had an insider risk management program, a resignation notice sparked a routine review of the employee’s computer activity. The review revealed that the employee had accessed hundreds of files, including research reports and plans to market a product in China, and downloaded restricted files to a thumb drive. The subsequent FBI investigation and arrest for theft of trade secrets revealed additional thumb drives in his home containing company information and evidence that the employee had accepted a job with a Chinese competitor almost three months before the resignation notice. The signed offer letter stated the competitor would pay the individual approximately $50,000, for "talent" that he had brought to the company, plus his salary. In this case, the company had a risk management program in place and the discovery was made before the employee resigned.
The cases are just a few examples of why companies and organizations need to manage risks posed by its greatest strength and most valuable asset – people.
Whether from termination or resignation, an employee’s pending departure from an organization increases the chance that data leaks will occur that could impact critical infrastructure operations, lead to the loss of competitive advantage, affect shareholder value, or result in embarrassment and devaluation of an organization’s image and brand. Studies have shown a staggering number of employees who leave a job take company data with them, with many planning to use it at their next job. The reasons for taking the information vary. For some, it is unintentional, made more confusing by mobile work environments, use of personal devices, and cloud storage. Many seem to believe information they created belongs to them and take presentations, documents, or client lists. A smaller number who take data have malicious intent.
Bottom line - Cost to industry
Whether intentional or unintentional, the resulting costs from lost business, damaged reputations, and time spent on recovery are in the millions of dollars. Insider related data breaches already cost companies millions of dollars a year. Companies with insider risk programs have reported recovering documents from departing employees worth billions in potential business losses. That, alone, should make company execs wake up and take notice. Employees are a critical asset for any business, and ignoring the risks posed by trusted insiders is tantamount to putting your head in the sand.