In the TV show called Bait Car, the show’s team leaves a car with its keys in it as bait, and the subsequent theft of the car is recorded for the audience’s viewing pleasure. The premise of the show is that some people lack the personal integrity to simply not steal someone’s car, just because it’s out in the open with its keys in the ignition. I can’t help but think that there’s a moment where the would-be thief thinks to himself, “Well… they shouldn’t have left the keys there” — as if it’s the owner’s fault.
Unfortunately, we live in a world where this type of rationalized thinking exists. People believe they “deserve theirs,” and when an opportunity arises, they often simply rationalize it away, blaming the person or group that they’re taking advantage of.
Cars are one thing, but does it happen with data in the workplace?
Over the last few years, two studies (Ponemon, 2013; Veriato, 2013) found that roughly half of employees leaving an organization, voluntarily or involuntarily, say they take sensitive data with them. By 2016 that figure had risen to 59% (Deloitte, 2016).
It is happening — and the question is Why?
We could take the route of looking at user motivations (such as financial gain or espionage), but I’d like to emphasize another aspect of the problem: the IT organization may not be setting the proper tone. As the title of this blog states, if you don’t care, neither will they. And IT can show that it “cares” about the security of corporate data in a few ways:
- Communicate it: If there is no acceptable use policy (AUP) presented to, and signed by, employees that says “taking data is a no-no,” employees simply justify their actions by saying they weren’t told that they couldn’t. Putting an AUP, as well as a Confidentiality & Intellectual Property Agreement (CIPA) in front of employees when they are hired sets both the tone and the organization’s expectations during their tenure there.
- Demonstrate it: Over half of your users have too many permissions, giving them access to far more resources than their role requires. Nothing says "we don't care, go ahead and take it" like someone having access to applications, files, and data that have nothing to do with their current job. Access to data, applications, and systems is usually granted through Active Directory group membership, so keeping those groups as locked-down as possible is critical. Proper management of Active Directory groups, which means regularly confirming that both the memberships and the permissions assigned to each group are still correct, restricts users to only the resources appropriate for their job.
- Make it the business' business: IT needs to make verifying and updating groups, their members, and their assigned permissions a regular, scheduled task rather than a one-time cleanup. It also helps to share responsibility for these reviews with the business: the managers and data owners outside IT have a far better sense of who actually needs what to keep their part of the organization running, and they are the ones who can say whether a given membership is still justified.
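As an added illustration of the review described above (this is example code written for this page, not something from the original post or any product it mentions), the following PowerShell script builds a simple access-review report for a handful of Active Directory groups. It assumes the RSAT ActiveDirectory module, read access to the domain, and a hypothetical mapping of group names to the departments expected in each group; the group names, department names, and the 90-day and 15-group thresholds are placeholders to adjust for your environment.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and an account that can read users and groups in the domain.
Import-Module ActiveDirectory

# Hypothetical mapping: which departments are expected to hold each group.
# Group and department names are placeholders for this example.
$expected = @{
    'FIN-GeneralLedger-RW' = @('Finance', 'Accounting')
    'HR-PersonnelFiles-RW' = @('Human Resources')
}
$staleDays     = 90   # flag members who have not logged on in this many days
$maxGroups     = 15   # flag users directly in more groups than this

# Part 1: per-group review. Expand nested membership so a user hidden three
# groups deep still shows up, then flag anything a data owner should question.
$groupFindings = foreach ($groupName in $expected.Keys) {
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Department, Enabled, LastLogonDate

    foreach ($u in $members) {
        $reason = $null
        if (-not $u.Enabled) {
            $reason = 'disabled account still holds membership'
        }
        elseif ($u.Department -notin $expected[$groupName]) {
            $reason = "department '$($u.Department)' is not expected in this group"
        }
        elseif ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays)) {
            $reason = "no logon in $staleDays days"
        }
        if ($reason) {
            [pscustomobject]@{
                Group      = $groupName
                User       = $u.SamAccountName
                Department = $u.Department
                Reason     = $reason
            }
        }
    }
}

# Part 2: per-user review. Direct group count is a cheap proxy for
# accumulated access; people who change roles tend to collect groups.
$overEntitled = Get-ADUser -Filter 'Enabled -eq $true' -Properties MemberOf, Department |
    Where-Object { $_.MemberOf.Count -gt $maxGroups } |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.SamAccountName
            Department = $_.Department
            GroupCount = $_.MemberOf.Count
        }
    }

# Output for IT; the CSV is what goes to the business owner for sign-off.
"=== Group membership findings ==="
$groupFindings | Sort-Object Group, User | Format-Table -AutoSize
"=== Users in more than $maxGroups groups ==="
$overEntitled | Sort-Object GroupCount -Descending | Format-Table -AutoSize

$groupFindings | Export-Csv -Path .\group-review.csv -NoTypeInformation
$overEntitled  | Export-Csv -Path .\over-entitled-users.csv -NoTypeInformation
```

Run it on a schedule (monthly is a common cadence) and send each group's CSV to the person the business has named as owner of that data; a membership nobody will vouch for is the one to remove. The department check only catches the obvious mismatches, so treat the report as a starting point for the owner's review rather than as a verdict.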
Your employees are regular people, complete with the same imperfections, stresses, temptations, and motivations as you. One would think they should already know that “you’re not supposed to steal company data.” However, in the absence of the organization’s living that mantra through HR policies and IT security, it’s a message that will likely get lost. This could result in too much access, and in too many employees not caring whether they take information or resources from the organization.
- Ponemon Institute, "What's Yours Is Mine: How Employees Are Putting Your Intellectual Property at Risk" (2013)
- Veriato, "Insider Threat: Alive and Thriving" (2013)
- Deloitte, "Insider Threats: What Every Government Agency Should Know and Do" (2016)