A Firing Offense

By Eileen Feretic  |  Posted Monday, August 10, 2009 18:08 PM

By Eileen Feretic

It's no surprise that a rapidly growing number of white-collar workers are communicating via e-mail, social networks, blogs and/or text messages. And I guess it shouldn't be surprising that the number of workers who are misusing these tech tools to leak their company's confidential information is also growing.

That's the unsettling news from Proofpoint's sixth annual study of outbound e-mail and data loss prevention issues (www.proofpoint.com/outbound), which found that 34 percent of the 220 U.S. companies surveyed were affected by the exposure of corporate information that was "sensitive or embarrassing." That represents an increase of 11 percent from 2008.

Concerned about this problem, 38 percent of the surveyed firms, all with more than 1,000 employees, "employ staff to read or otherwise analyze the contents of outbound e-mail"--up from 29 percent last year. One impetus for this proactive approach is the increase in subpoenas for employee e-mail: 24 percent of these companies in the last 12 months.

Another statistic that continues to rise is the number of people fired for misusing their company's communications systems. Consider these findings from the Proofpoint survey of breaches during the past 12 months:

Of the surveyed companies, 43 percent investigated an e-mail data leak, and 31 percent "terminated an employee for violating e-mail policies."

Eighteen percent probed a breach that happened via a blog or message board, and about 9 percent fired a staff member.

When it comes to video and audio media, 18 percent looked into data exposures, and 8 percent terminated the employee involved.

Seventeen percent of the companies suffered losses due to social networking sites, and 8 percent fired a worker for these violations.

In the latest area of risk--short message services such as Twitter--13 percent investigated exposures.

This report offers lessons for both management and staff. On the management side, it's vital to remember that securing the data center is not enough. Security policies and technologies must also cover all the above-mentioned communications vehicles.

Education is key here, since many employees may not understand the company's policies regarding the types of information that can--and can't--be safely included in their e-mails, blogs, tweets, videos and Facebook pages. Organizations need to have clear and comprehensive policies that are read and understood by all workers.

Some staff members--especially younger ones--may be used to posting all manner of personal information on these media, so they may not understand why their work information has to remain private. It's up to management to make that distinction absolutely clear.

Employees themselves have to do their part. They need to learn their company's security policies and follow them to the letter. If they don't, they may end up in that unfortunate group of workers terminated for violating them.