The market is down. Lending has all but ceased. Projects are cancelled. And reductions in workforce capture the headlines on what feels like a daily basis.
Though companies struggle to hang on to their business and are watching very closely their bottom line, what do they think their employees are doing? Chances are, the same thing; only on a personal level, and quite possibly, with little regard for their employer.
As employees experience the pain of this new down economy in the forms of increasing mortgage payments, decreasing investment and retirement values, and a lack of additional personal credit, they are certainly not blind to the fact that their employer is facing similar challenges. And while most organizations would like to think they have a good flock of sheep managed by their loyal shepherds, these employees are not ignorant. Employees are paying attention to the news, and they know what the status of the economy means to the stability of their own employer. They are not going to just sit back and let this new economy take its southerly toll on their own pocketbook.
Thus, the following question may arise: while employers are watching the bottom line and protecting their business from the market, and their employees are watching the employers and protecting themselves from being laid off, who is watching the employees and protecting the employer from malicious activity? This lack of attention by the employer makes it such that they might not even recognize the risk they face until it is too late. Consider the following scenario:
Say an employee that is worried about her job begins to look for ways to protect her career. An obvious action for her would be to update her resume and to start looking for alternative employment opportunities. While this employee may be an extremely important asset to the company (which we will call Company A), it is most certainly not the end of the business world for Company A if that employee leaves. If necessary, Company A could hire a replacement from the multitude of people looking for work.
Take into account that this departing and savvy employee may be looking to go to a competing company (which we will call Company 99,) and this begins to paint a picture that could lead to some general concern for Company A. Add one more coat of paint to this picture, and you might see to a highly-competitive market where there are many qualified candidates trying to differentiate themselves as they go after the same limited number of positions – one opportunity of which happens to be at Company 99.
This puts Company 99 in a unique position to find the perfect person – the silver bullet – for their business. This silver bullet could be what saves them from going under during these troubled times. What if that silver bullet of knowledge and information happens to now be housed in the shiny 8GB USB thumb drive that Company A's employee has quietly snuggled away in her pocket -- taken today, six weeks prior to her anticipated or planned departure?
That silver bullet could be in the form of sensitive intellectual property, an export of the client renewal database, or the names and price lists from their material suppliers -– just what Company 99 needs to stay afloat, make new clients, generate revenue, and ensure that Company A is out of the picture – all at the same time.
Of course, some companies do have some security measures in place to account for this potential risk of data theft –- but not all companies. And, not all companies keep tabs on what is actually happening. Oftentimes, companies take a passive and somewhat understandably trusting position for their security technologies, adopting the blind faith that the product is doing what they think it was set to do. Worse yet, however, a majority of companies trust their employees to follow the written (or even unstated?) policies –- because, well, why wouldn't they? If the employer didn't trust their employees, it would be a sign of poor judgment on their part as they made that bad hire, right?
The bottom line: organizations must pay attention -– even if they trust their employees. Organizations must now take a proactive stance and technically enforce proper use policies for their systems, removable storage devices, data, and users. They must find a solution that lets their employees use the resources where appropriate and block it where it is inappropriate, while auditing what is being used, by whom, where, and for which data.
There are some quick and easy ways to take a lot of the risk out of the picture –- without disabling the business. An integrated endpoint security product that combines fixed and removable drive encryption with removable device control is the first half of the equation. The second half of the equation is a product that enables the organization to employ a set of risk-based, business-enabling policies that govern and audit the use of USB ports, requiring the use of encryption and approved portable storage devices.
Certainly, a bad seed employee is the exception to the rule, but all it takes is one to send your entire business south.
