With the Great Resignation in full swing, employees are leaving in droves. What does the Great Resignation mean for employers? Employers are now struggling to protect themselves against the consequences of employees’ departures. When employees leave, they often take a lot more than their experience. A key employee or a group of employees may, intentionally or unintentionally, take and transfer valuable trade secrets that a competitor may use to their advantage. Fortunately, two simple steps can help employers prevent trade secret loss before it becomes a problem.
For nearly 15 years, I’ve conducted countless investigations often involving trade secret loss, theft, and/or misappropriation. I forensically examined hundreds of devices and, when applicable, conducted dozens of face-to-face interviews. My experiences show that there are clear patterns for how data often leaves a company.
My investigations show that the points of exfiltration and the methods the employees use to take company data have not changed much over time. Often, these methods include copying data to USB drives, personal email accounts, and personal cloud storage platforms. This poses a question: why does data loss keep happening in much the same way, time and time again? The employees often respond with two statements: “I didn’t know how it would affect me!” and “No one (or nothing) stopped me!” Luckily, the following two approaches, one behavioral and one technical, will help employers reduce data loss.
Step 1: The Behavioral Approach
“I didn’t know it would affect me!”
Employees usually undergo corporate compliance training on how to handle company data. Some of the training is monthly, while some is less frequent. During onboarding, employers may give employees handbooks to read and acknowledgments to sign. Almost every employee, in my experience, has acknowledged reading words or watching videos that can be summarized as follows:
- Corporate data is owned by the corporation.
- Employees are not allowed to take corporate data for their own use.
However, this training is often mundane or repetitive. Some employees even make jokes that other people (e.g., their kids or a patient pet) take training for them. While this training ticks some compliance checkboxes, the training rarely, if ever, discusses the aftermath of what happens when employees take corporate data. After countless hours of training, education, quizzes, tests, acknowledgments, and attestations, employees still do not know or understand the consequences of their actions.
Changes to Training
Employee training should include discussions about the personal and financial consequences that can occur when employees become entangled in a trade secret investigation, including:
- Investigations cost a lot of money.
Frequently, the employees will be asked to pay some, if not most, of the cost of investigations. Between forensic fees and legal fees, it’s not unreasonable to suggest that a “simple” matter may cost close to $50,000.
- Investigations are invasive.
Once taken, data can be copied or transferred to other devices or to cloud storage. Forensic examiners may be asked to look through the former employees’ personal computers, electronic storage devices, smartphones, email accounts, and cloud-based storage platforms to determine that the data was not further saved, used, or transmitted. A person’s entire life may be inconveniently interrupted to prove their assertion that “I didn’t do anything with this data.” On more than one occasion, I’ve heard the equivalent of, “I just want to make this go away. If I knew how difficult this process would be for me and my family, I would have never taken this data.”
- Investigations can even extend to a new employer and may damage the employees’ reputations.
Even worse, these investigations can lead to the termination of the employees from their new jobs. Employees do not understand the concepts of injunctions and temporary restraining orders (TROs). Those words are scary and can have a chilling effect on behavior if they’re known in advance.
Step 2: The Technical Approach
“No one (or nothing) stopped me!”
In my experience, most trade secret loss occurs in one or more of the following ways:
- Employees copy data to a USB device, such as a hard drive or thumb drive.
- Employees email data to a personal email account through their corporate email.
- Employees attach data to personal email that they access through a web browser (Gmail, Yahoo, Hotmail, etc.).
- Employees upload data directly to a personal cloud-based storage service (Google Drive, Dropbox, Box, OneDrive, etc.).
- Employees synchronize data between corporate computers and personal devices using the same personal Apple ID across all devices.
Luckily, except for the second point, the methods above can be eliminated without a large investment in software or IT staff. In fact, much can be done using existing resources for maximum benefit.
Technical Changes
- Disable all USB write functionality by default.
Modern operating systems make it easy to disable write access with a few mouse clicks, without the need to purchase third-party software. Any exception for USB write functionality must be reviewed and granted for a limited period of time and then taken away. Users can still be given read-only access to USBs if that is the desired business model.
- Remove access to personal email services and non-corporate cloud storage platforms.
Unless there is a valid business reason to use personal accounts, by default, users with access to corporate data should not have access to their personal email and cloud-based storage platforms from the same devices. Most modern firewalls, even those at home, allow for blacklists of unauthorized websites/domains/specific email addresses and whitelists of those that are allowed.
- Enforce the use of a corporate-managed account for any corporate device.
For any corporate device, mandate that an account created and managed by the company, not a personal account, is used for services like Apple ID, which allows for the synchronization of data.
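The three technical changes above can be checked per endpoint. The following Python audit is an added example, not part of the original article or any iDS tooling; the record fields, the corporate domains and the sample endpoint are hypothetical and constructed for illustration. It assumes a blocklist model in which unlisted hosts are allowed and an allowlist entry overrides the blocklist.

```python
from datetime import date

# Constructed policy for illustration; the corporate names are assumptions.
BLOCKED = {"gmail.com", "mail.yahoo.com", "dropbox.com", "box.com", "drive.google.com"}
ALLOWED = {"corp-example.box.com"}      # hypothetical corporate tenant
CORP_ACCOUNT_DOMAIN = "corp.example"    # hypothetical managed-account domain

def matches(host, domains):
    """Match a host to a listed domain or any subdomain of it.

    Comparison is on DNS label boundaries, so 'notdropbox.com' does not
    match 'dropbox.com'; upper case and a trailing dot are normalised.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def egress_decision(host):
    """Allowlist wins over blocklist; unlisted hosts fall through to allow."""
    if matches(host, ALLOWED):
        return "allow"
    return "block" if matches(host, BLOCKED) else "allow"

def usb_exception_valid(exc, today):
    """USB write is denied by default; an exception needs a reviewer and
    an expiry date that has not passed."""
    return bool(exc and exc.get("approved_by") and exc["expires"] >= today)

def audit(endpoint, today):
    """Return the list of findings for one endpoint record."""
    findings = []
    exc = endpoint.get("usb_exception")
    if endpoint["usb_write_enabled"] and not usb_exception_valid(exc, today):
        findings.append("usb-write-enabled-without-valid-exception")
    for host in endpoint["reachable_hosts"]:
        if egress_decision(host) == "block":
            findings.append("blocked-host-reachable:" + host)
    if not endpoint["sync_account"].lower().endswith("@" + CORP_ACCOUNT_DOMAIN):
        findings.append("personal-sync-account")
    return findings

# Constructed endpoint record (not real data).
SAMPLE = {
    "usb_write_enabled": True,
    "usb_exception": {"approved_by": "it-sec", "expires": date(2024, 3, 1)},
    "reachable_hosts": ["www.Dropbox.com.", "notdropbox.com", "corp-example.box.com"],
    "sync_account": "jane.doe@personal.example",
}
```

Running `audit(SAMPLE, date(2024, 3, 15))` reports the lapsed USB exception, the reachable Dropbox host and the personal sync account, while the lookalike domain and the allowlisted corporate tenant produce no finding.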
Mitigating Risks – The iDS Way
In summary, employers can greatly reduce the risk of corporate data loss by:
- Changing employee behavior through education that focuses on the consequences of data loss (high cost, loss of reputation, invasiveness) as well as prevention.
- Eliminating common avenues of data loss (writing to USB, access to personal email services, and cloud storage platforms).
While these steps are not exhaustive and will not stop all employees from taking corporate data, these two methods, combined with basic and inexpensive security policies, will greatly reduce the amount of data that leaves companies.
At iDS, we help businesses develop strategic plans to secure, store, and protect data from both internal and external threats. Our dedicated team of consultative experts comes prepared to maximize the value of your data while decreasing risk and reducing costs. iDS can provide a tailored, comprehensive strategy for managing your business’ information systems over time, helping you develop everything from data maps and retention policies to specific plans designed to reduce your overall Data Footprint.
Over the last 15 years, my clients have told me that I’ve become quite good at these investigations. In fact, many of my clients call me for this very expertise because I am efficient and cost-conscious. Yet I yearn for a day when I stop asking the question: “Why am I seeing the same thing after all these years?” In fact, in the words of my colleague, “I’d like to work myself out of a job.” I hear there are some excellent TV shows to check out.
To learn more about how the consultative experts at iDS can provide custom solutions to assist in preventing employee data loss, contact us today.
iDS provides consultative data solutions to corporations and law firms around the world, giving them a decisive advantage – both in and out of the courtroom. Our subject matter experts and data strategists specialize in finding solutions to complex data problems – ensuring data can be leveraged as an asset and not a liability.