Nearly a third of workers would take information to a new job if they were fired, according to a new study.
STORY HIGHLIGHTS
- Study: One in seven European workers have taken confidential information to new job
- Employees are most inclined to take documents they've worked on
- Almost a third confessed they would deliberately take files if they were sacked

According to a study conducted by information management company Iron Mountain, a third of 2,031 European office workers surveyed admitted that they had taken or forwarded confidential information out of the office, and one in seven had taken confidential information with them to a new job.
Another 31% said they would deliberately remove and share confidential information if they were fired.
Data breach is a common concern for businesses, but Peter Eglinton, Iron Mountain's Senior Vice President for UK, Ireland & Norway, says they tend to focus too much on monitoring for attacks from outside, while "the people side of the organization and the hard copy are forgotten about."
"You can see who's hacking in and taking information, but people don't leave a trail," he says. "Therefore, if you don't have good policies in place, it's very difficult to work out what has happened with information."
Although we may not always consider the data we work with day in and day out to be particularly exciting, Eglinton says that in any given business there are several functions that might use or create information that's commercially valuable or subject to privacy laws.
"HR or finance will have an awful lot of access to very sensitive information," Eglinton says. "Sales and marketing will have access to customer data, and some of the service organizations will have a lot of information about their patients or their customers."
Of the workers who admitted to taking confidential information to a new job, half said they believed they had a right to take information, and most said they took information because they had been involved in its creation.
Although pervasive, this sense of ownership is misguided, says Eglinton. "The information you create in your daily work doesn't belong to you because you created it," he says, "it belongs to the organization that's paying you to do that job."
The study also revealed that most of those who had taken information when they left a job had relieved their employers of customer databases.
This, according to Chris Pounder of UK data protection training organization Amberhawk, is "a dangerous thing to do." Privacy laws vary from country to country, but in the EU, for example, any processing of information that relates to a living person is a breach of the Data Protection Directive.
Although some consultants and lawyers might be able to negotiate permission to transfer clients with them when they leave a company, Pounder says: "If an employee took a database of customers without the consent of their employer, they are risking a criminal offense.
"And if they did it to set up their own business, they're also vulnerable for someone taking a civil case for damages."
Besides, making a gift of illegally obtained information is unlikely to ingratiate you to a new boss. Pounder points out that a new employer who knowingly receives personal data obtained in breach of data protection laws could also be liable for damages caused.
So, what can businesses do to protect their data?
Information management companies offer solutions ranging from encryption software to systems that allow organizations to track the whereabouts of files across multiple sites. But Eglinton thinks simply communicating policies regarding information ownership is a good first step towards alleviating the problem.
"I don't think you need to have security guards on the door every day, but reminding people of the policy, and auditing those processes, would go a long way towards managing information more securely," he says.
Regardless of how information leaves a company -- whether due to malice, professional pride or as more businesses allow telecommuting -- Eglinton believes there is always cause for concern.
Even those who take documents home for entirely legitimate reasons and with their employer's consent might be endangering security. "How do you manage information created on the train on the way into work?" he asks. "And how do you manage that information thereafter? If people are taking information out of the office, how do you know that information comes back or is securely destroyed?"
Eglinton predicts that, as the volume of information created grows, executives need to consider "not just the value you get from information, but how you protect it, because it's a hugely valuable asset, but often nobody has responsibility for it."