Nearly a third of workers would take information to a new job if they were fired, a new study revealed. — Courtesy photo LONDON — When considering risks to their business, employers tend to worry about hackers or burglars, but the biggest threat to security might come from within. According to a study conducted by information management company Iron Mountain, a third of 2,031 European office workers surveyed admitted that they had taken or forwarded confidential information out of the office, and one in seven had taken confidential information with them to a new job. Another 31 percent said they would deliberately remove and share confidential information if they were fired. Data breach is a common concern for businesses, but Peter Eglinton, Iron Mountain's Senior Vice President for UK, Ireland & Norway, says they tend to focus too much on monitoring for attacks from outside, while “the people side of the organization and the hard copy are forgotten about." “You can see who's hacking in and taking information, but people don't leave a trail," he says. “Therefore, if you don't have good policies in place, it's very difficult to work out what has happened with information." Although we may not always consider the data we work with day in and day out to be particularly exciting, Eglinton says that in any given business there are several functions that might use or create information that's commercially valuable or subject to privacy laws. “HR or finance will have an awful lot of access to very sensitive information," Eglinton says. “Sales and marketing will have access to customer data, and some of the service organizations will have a lot of information about their patients or their customers." Of the workers who admitted to taking confidential information to a new job, half said they believed they had a right to take information, and most said they took information because they had been involved in its creation. Although pervasive, this sense of ownership is misguided, says Eglinton. “The information you create in your daily work doesn't belong to you because you created it," he says, “it belongs to the organization that's paying you to do that job." The study also revealed that most of those who had taken information when they left a job had relieved their employers of customer databases. This, according to Chris Pounder of UK data protection training organization Amberhawk, is “a dangerous thing to do." Privacy laws vary from country to country, but in the EU, for example, any processing of information that relates to a living person is a breach of the Data Protection Directive. Although some consultants and lawyers might be able to negotiate permission to transfer clients with them when they leave a company, Pounder says: “If an employee took a database of customers without the consent of their employer, they are risking a criminal offense. Besides, making a gift of illegally obtained information is unlikely to ingratiate you to a new boss. Pounder points out that a new employer who knowingly receives personal data obtained in breach of data protection laws could also be liable for damages caused. So, what can businesses do to protect their data? Information management companies offer solutions ranging from encryption software to systems that allow organizations to track the whereabouts of files across multiple sites. But Eglinton thinks simply communicating policies regarding information ownership is a good first step towards alleviating the problem. — Agencies