
What’s Yours Is Mine

How Employees are Putting Your Intellectual Property at Risk

Global Results

Methodology

The Ponemon Institute surveyed 3,317 individuals in 6 countries across industries

• United States: 788
• UK: 530
• France: 491
• Brazil: 565
• China: 440
• Korea: 503

What's Yours Is Mine - Embargo until Wednesday, Feb. 6

Key Findings

• Employees are moving IP outside the company in all directions, and it is never cleaned up
• Most do not believe using competitive data taken from a previous employer is wrong
• Employees attribute ownership of IP to the person who created it
• Organizations are failing to create a culture of security; employees don’t think their organizations care

IP is moving outside companies and never cleaned up

• The majority of employees transfer work documents outside and don’t understand that it’s wrong
– Half regularly email business documents using personal accounts (like Gmail) to their home computer where security is weaker
– One-third move work files to file sharing apps (like Dropbox) without permission
– 2 out of 5 download work files to their personally owned mobile devices (tablet or smartphone)
• The majority do not delete the data they’ve moved

Security protection in home networks is weaker*
• 20% of consumer-grade endpoints compromised by malware

* Gartner, Top Technology Predictions for 2013 and Beyond, Nov. 2012

Employees think it’s OK to take and use competitive IP

Organizations are at risk as unwitting recipients of stolen IP

• 50% of employees who left/lost their jobs kept confidential information
• 40% plan to use it in their new job

Employee leaves company & takes IP

• 60% say a coworker hired from a competing company has offered documents from the former employer for their use

Employee starts new job, offers documents (stolen IP) to new coworker

• 56% of employees do not believe it is a crime to use a competitor’s confidential business information

Employee uses the competitor’s confidential info

• 68% say their organization does not take steps to ensure employees do not use competitive info

Organization at risk from use of stolen IP

Employees Believe That They Own the IP

• Employees don’t get it – they don’t personally own IP, companies do
– 44% of employees believe a software developer who develops source code for a company has some ownership in his or her work and inventions
– 42% do not think it’s a crime for this software developer to reuse the source code, without permission, in projects for other companies
• Employees are not concerned about employee agreements (IP, NDAs, etc.)
– 53% say no action is taken when employees take sensitive information that is against company policy

Failure to create culture of security

Only 38% say manager views data protection as business priority

Top Reasons: Employees think it’s OK to take corporate data

• Sharing the business information does not negatively impact or harm the company
• Company has a policy that is not strictly enforced
• Business information is generally available and not secured

Top Reasons: Employees do not delete info they take

• It takes too much time
• Management doesn’t really care
• No one will know if this is done or not

Recommendations

1. Employee education
• Organizations need to let their employees know that taking confidential information is wrong
• IP theft awareness needs to be integral to security awareness training

2. Enforce NDAs
• Stronger, more specific language in employment agreements
• Focused conversation during exit interviews
• Make employees aware that theft of company information will have negative consequences to them and their future employer

3. Monitoring technology
• Implement DLP technology to monitor inappropriate access and use of IP and automatically notify employees of violations

A multi-pronged approach

Appendix

Select questions included

Q4a-e. How would you rate the following statements? (strongly agree and agree responses combined)

• My manager takes appropriate steps to protect sensitive or confidential business information: 52%
• My organization takes action when employees take sensitive information that is against company policy: 47%
• My manager views data protection as a business priority: 38%
• My organization does not allow employees to access and use sensitive or confidential business information from remote locations: 35%
• Most employees in my organization are cautious in the use and handling of sensitive or confidential business information: 43%

Q5. What types of sensitive or confidential information do you have access to in the normal course of your job?

• Customer information including contact lists: 45%
• Email lists: 64%
• Employee records: 33%
• Non-financial business information: 38%
• Financial information: 19%
• Source code: 15%
• Other intellectual properties: 28%
• Other (specify): 1%

Q6. Which one statement best describes your access privileges to sensitive or confidential business information within your

• My access privileges are too limited and at times prevent me from doing my job: 17%
• My access privileges appropriately match what I need to do my job: 51%
• My access privileges allow me to do more than necessary to do my job: 29%
• Unsure: 3%

Q10a. Do you believe there are times when it is acceptable to transfer work documents to your personal computer, tablet, smart

• Yes: 62%
• No: 28%
• Unsure: 10%

• Company does not have a data protection policy: 19%
• Business information is generally available and not secured: 44%
• Advance permission is obtained from a supervisor or manager: 21%
• Computer or device retaining this information is secure: 30%
• Business information was authored or co-authored by the employee who shares it: 30%
• Sharing the business information does not negatively impact or harm the company: 53%
• Employee who shares this information does not receive any economic gain: 38%
• Company has a policy that is not strictly enforced: 51%

S4a. Employees download confidential documents to their personally owned mobile devices used in the workplace such as

• Yes: 41%
• No: 59%

S4b. If yes, how frequently do you do this? Very frequently and frequently combined.

• At least once a week: 41%

S4c. If yes, do you remove, erase or delete business documents from your mobile device (tablet or smart phone) after using this information?

• Rarely or never: 62%

• Yes: 50%
• No: 50%

S4e. If yes, how frequently does this happen? Very frequently and frequently combined

• At least once a week: 43%

S4f. If yes, do others take steps to remove, erase or delete business documents from the mobile device after using this information?

• Rarely or never: 65%

S4g. If you said you do take steps to remove, erase or delete documents (choice = always or sometimes), why?

• To comply with data protection practices: 54%
• To protect the data from unauthorized parties: 57%
• The data is likely to be valuable: 11%
• To avoid getting into trouble with management: 51%
• It is the right thing to do: 18%
• The mobile device is likely to be insecure: 13%
• Other (specify): 0%

S4h. If you said you do not take steps to remove, erase or delete documents (choice = rarely or never), why?

• It takes too much time: 67%
• No one will know whether this is done or not: 40%
• This data is not likely to be valuable to anyone: 18%
• Management doesn't really care: 43%
• There is no policy or requirement to do this: 35%
• The mobile device drive is likely to be secure: 10%
• Other (specify): 1%

S4i. In addition to the above facts, assume that permission from management is not obtained. Do you view the transfer of business confidential information to your personally owned mobile device (tablet or smart phone) in the above scenario a

• Yes: 30%
• Yes, but only if the data is not removed, erased or deleted after use: 25%
• No: 46%
