What s Yours Is Mine. Global Results. How Employees are Putting Your Intellectual Property at Risk. Embargo until Wednesday, Feb.

Transcription

1 What s Yours Is Mine How Employees are Putting Your Intellectual Property at Risk Global Results Embargo until Wednesday, Feb. 6

2 Methodology The Ponemon Institute surveyed 3,317 individuals in 6 countries across industries United States 788 UK 530 France 491 Brazil 565 China 440 Korea 503 What's Yours Is Mine - Embargo until Wednesday, Feb. 6

3 Key Findings Employees are moving IP outside the company in all directions, and it is never cleaned up Most do not believe using competitive data taken from a previous employer is wrong Employees attribute ownership of IP with the person who created it Organizations are failing to create a culture of security; employees don t think their organizations care What's Yours Is Mine - Embargo until Wednesday, Feb. 6

4 IP is moving outside companies and never cleaned up The majority of employees transfer work documents outside and don t understand that it s wrong Half regularly business documents using personal accounts (like Gmail) to their home computer where security is weaker One-third move work files to file sharing apps (like Dropbox) without permission 2 out of 5 download work files to their personally owned mobile devices (tablet or smartphone) The majority do not delete the data they ve moved Security protection in home networks is weaker* 20% of consumergrade endpoints compromised by malware Gartner, Top Technology Predictions for 2013 and Beyond, Nov What's Yours Is Mine - Embargo until Wednesday, Feb. 6

5 Employees think it s OK to take and use competitive IP Organizations are at risk as unwitting recipients of stolen IP 50% of employees who left/lost their jobs kept confidential information 40% plan to use it in their new job Employee leaves company & takes IP Employee starts new job, offers documents (stolen IP) to new coworker 60% say a coworker hired from a competing company has offered documents from the former employer for their use 56% of employees do not believe it is a crime to use a competitor s confidential business information Employee uses the competitor s confidential info Organization at risk from use of stolen IP 68% say their organization does not take steps to ensure employees do not use competitive info What's Yours Is Mine - Embargo until Wednesday, Feb. 6

6 Employees Believe That They Own the IP Employees don t get it they don t personally own IP, companies do 44% of employees believe a software developer who develops source code for a company has some ownership in his or her work and inventions 42% do not think it s a crime for this software developer to reuse the source code, without permission, in projects for other companies Employees are not concerned about employee agreements (IP, NDA s, etc.) 53% say no action is taken when employees take sensitive information that is against company policy What's Yours Is Mine - Embargo until Wednesday, Feb. 6

7 Failure to create culture of security Only 38% say manager views data protection as business priority Top Reasons: Employees think it s OK to take corporate data Sharing the business information does not negatively impact or harm the company Company has a policy that is not strictly enforced Business information is generally available and not secured Top Reasons: Employees do not delete info they take It takes too much time Management doesn t really care No one will know if this is done or not What's Yours Is Mine - Embargo until Wednesday, Feb. 6

8 Recommendations A multi-pronged approach 1. Employee education Organizations need to let their employees know that taking confidential information is wrong IP theft awareness needs to be integral to security awareness training 2. Enforce NDAs Stronger, more specific language in employment agreements Focused conversation during exit interviews Make employees aware that theft of company information will have negative consequences to them and their future employer 3. Monitoring technology Implement DLP technology to monitor inappropriate access and use of IP and automatically notifies employees of violations What's Yours Is Mine - Embargo until Wednesday, Feb. 6

9 Appendix Select questions included For full survey results, please contact 9

10 Q4a-e. How would you rate the following statements? (strongly agree and agree responses combined) My manager takes appropriate steps to protect sensitive or confidential business information 52% My organization takes action when employees take sensitive information that is against company policy. 47% My manager views data protection as a business priority My organization does not allow employees to access and use sensitive or confidential business information from remote locations 35% 38% Most employees in my organization are cautious in the use and handling of sensitive or confidential business information 43% 0% 10% 20% 30% 40% 50% 60%

11 Q5. What types of sensitive or confidential information do you have access to in the normal course of your job? Please check all that apply. Customer information including contact lists 45% lists 64% Employee records 33% Non-financial business information 38% Financial information 19% Source code 15% Other intellectual properties 28% Other (specify) 1% 0% 10% 20% 30% 40% 50% 60% 70%

12 Q6. Which one statement best describes your access privileges to sensitive or confidential business information within your organization? My access privileges are too limited and at times prevents me from doing my job 17% My access privileges appropriately match what I need to do my job 51% My access privileges allow me to do more than necessary to do my job 29% Unsure 3% 0% 10% 20% 30% 40% 50% 60%

13 Q10a. Do you believe there are times when is it acceptable to transfer work documents to your personal computer, tablet, smart phone or Internet files sharing tool? Yes 62% No 28% Unsure 10% 0% 10% 20% 30% 40% 50% 60% 70%

14 Q10b. If you answered yes, why do you think it is acceptable? Company does not have a data protection policy 19% Business information is generally available and not secured 44% Advance permission is obtained from a supervisor or manager 21% Computer or device retaining this information is secure Business informatation was authored or co-authored by the employee who shares it Sharing the business information does not negatively impact or harm the company Employee who shares this information does not receive any economic gain Company has a policy that is not strictly enforced 30% 30% 38% 51% 53% 0% 10% 20% 30% 40% 50% 60%

15 S4a. Employees download confidential documents to their personally owned mobile devices used in the workplace such as tablet or smartphone. Do you ever do this? Yes 41% No 59% 0% 10% 20% 30% 40% 50% 60% 70%

16 S4b. If yes, how frequently do you do this? Very frequently and frequently combined. At least once a week 41% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

17 S4c. If yes, do you remove, erase or delete business documents from your mobile device (tablet or smart phone) after using this information? Rarely and never combined. Rarely or never 62% 0% 10% 20% 30% 40% 50% 60% 70%

18 S4d. Do others in your organization do this? Yes 50% No 50% 0% 10% 20% 30% 40% 50% 60%

19 S4e. If yes, how frequently does this happen? Very frequently and frequently combined At least once a week 43% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

20 S4f. If yes, do others take steps to remove, erase or delete business documents from the mobile device after using this information? Rarely and never combined. Rarely or never 65% 0% 10% 20% 30% 40% 50% 60% 70%

21 S4g. If you said you do take steps to remove, erase or delete documents (choice = always or sometimes), why? To comply with data protection practices To protect the data from unauthorized parties 54% 57% The data is likely to be valuable 11% To avoid getting into trouble with management 51% It is the right thing to do 18% The mobile device is likely to be insecure 13% Other (specify) 0% 0% 10% 20% 30% 40% 50% 60%

22 S4h. If you said you do not take steps to remove, erase or delete documents (choice = rarely or never), why? It takes too much time 67% No one will know whether this is done or not 40% This data is not likely to be valuable to anyone 18% Management doesn't really care 43% There is no policy or requirement to do this 35% The mobile device drive is likely to be secure 10% Other (specify) 1% 0% 10% 20% 30% 40% 50% 60% 70% 80%

23 S4i. In addition to the above facts, assume that permission from management is not obtained. Do you view the transfer of business confidential information to your personally owned mobile device (tablet or smart phone) in the above scenario a crime? Yes 30% Yes, but only if the data is not removed, erased or deleted after use 25% No 46% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%