In 2013, we have learned that national security agencies could be trawling through our most intimate conversations; that employees of a digital firm are upset because they have been banned from homeworking; and that the European Commission apparently advised officials visiting Greece to invent fake life stories, stand away from the windows and not to take sensitive documents out of the office.
These three very different stories have two things in common. Firstly, they were all documented in writing. Secondly, the resulting documents were deliberately made public.
Whether you consider the culprits whistleblowers or "disgruntled employees" out for revenge, the fact is that people’s emotions play a huge part in the decision to leak information they know to be confidential and potentially damaging to their current or former employer. Revealing sensitive company data is a high-risk strategy.
The employee concerned risks derision, dismissal or even a prison sentence, while the employer faces a potential PR disaster, a breach of increasingly stringent data protection laws, or even criminal proceedings.
We recently undertook a research study of office workers in Europe to find out what provokes employees to use information as a form of revenge. At the top of the list of grievances comes blame for something that is not the employee’s fault (21 per cent) followed closely by unkind treatment (19 per cent).
One in four (27 per cent) employees would content themselves with venting their feelings across the office. However, a further 24 per cent would let off steam with an email to friends and family – paving the way for further distribution, and a worrying 11 per cent would deliberately remove confidential or sensitive information from the office, regardless of whether or not it was related to the incident.
It does not have to be potentially harmful, media-friendly material – people can leave jobs with customer databases, presentations, or even potential strategic plans. In the wrong hands, any of this could significantly harm a business’ competitive advantage, brand reputation and customer loyalty.
When it comes to employee behaviour with information, it appears hearts generally win out over heads. Therefore, it is vitally important that employers realise that responsibility for information security is not just about robust guidelines and processes, but also about improved people management and understanding.
It is about building a culture of information responsibility that includes trust and respect for employees and respect for the value of information that belongs to the employer. As the CIA discovered earlier this year, you can’t build a culture through internal directives.
The organisation launched a confidential programme to cut down on number of data leaks across its intelligence network. The memo was promptly leaked to the Associated Press. Organisations need to communicate carefully about the need for data protection and lead by example.
- Christian Toon is a knowledgeable advisor on all aspects of information security, frequently commenting to online and print media on the latest information threats and how consumers can best protect their sensitive information.