In the last few months we have learned that national security agencies could be trawling through our most intimate conversations, that employees of a digital firm are upset because they have been banned from homeworking, and that the European Commission has apparently advised its officials visiting Greece to invent fake life stories, stand away from the windows and not to take sensitive documents out of the office. These three different stories have two things in common. Firstly, they were all documented in writing. Secondly, the resulting documents – one presentation and two internal memos – were deliberately made public. Whether you consider the culprits whistleblowers or “disgruntled employees” out for revenge, the fact is that people’s emotions play a huge part in the decision to leak information they know to be confidential and potentially damaging to their current or former employer. Revealing sensitive company data is a high-risk strategy. The employee concerned risks derision, dismissal or even a prison sentence, while the employer faces a potential PR disaster, a breach of increasingly stringent data protection laws, or even criminal proceedings. We recently undertook a research study of office workers in Europe to find out what provokes employees to use information as a form of revenge. The results showed that employees may look to take data revenge when they perceive the way they are
unfairly treated. At the top of the list of employee grievances comes blame for something that is not the employees fault, followed closely by unkind treatment. One in four employees would content themselves with venting their feelings across the office. However, a further 24 per cent would let off steam with an email to friends and family – paving the way for further distribution, and a worrying 11 per cent would deliberately remove confidential or sensitive information from the office, regardless of whether or not it was related to the incident. In other words, when it comes to employee behaviour with information, hearts generally win out over heads, and the personal over the professional. Of course, not everyone has access to potentially harmful, media-friendly material – but that doesn’t mean that much of the information that office employees do have access to is not of critical business importance. Our research shows that people leave jobs armed with valuable customer databases, presentations, strategic plans, company proposals and product or service roadmaps. In the wrong hands, any of this could significantly harm a business’ competitive advantage, brand reputation and customer loyalty. It is vitally important that employers realise that responsibility for information security is not just about robust guidelines and processes, but also about improved people management and understanding. Companies need to ensure that employee performance issues are tackled early on – fairly – and that staff concerns about potential malpractice or mistreatment are taken seriously and investigated. It is about building a culture of information responsibility that includes trust and respect for employees and respect for the value of information that belongs to the employer. As the CIA discovered earlier this year, you can’t build a culture through internal directives. The organisation launched a confidential programme to cut down the number of confidential data leaks across its intelligence network. The memo was promptly leaked to the Associated Press. Organisations need to communicate carefully about the need for data protection and lead by example.
Christian Toon is the head of information risk and security at Iron Mountain. Image SourceShare this story
