The plant manager of a high-tech company in Asia was eating his dinner one night and flicking through the television channels, when a news item made him choke. It was the face of one of his former engineers, working for one of the company’s key competitors. The engineer had told him that he was returning to his home town to help his aging parents run their small fishing business. The plant manager went to bed that night feeling concerned. His concerns were compounded when he got to work the following morning and realized that 12 more engineers had also left to go to the same competitor.
He reached out to Kroll for help. We found that a total of 25 engineers working in design, production, and quality control had been systematically recruited by the competitor through employee networks and recruiters. These employees had taken valuable know-how, confidential engineering data, drawings, vendor lists, and process manuals with them when they left.
Many companies are waking up to the risk of valuable trade secrets and technologies being stolen or leaked through their employees. This risk is becoming particularly acute in the fast growing Asian countries. An increasingly favored route to acquiring confidential commercial or trade secrets from a competitor is by recruiting their staff.
However, in our experience, managers often ask the wrong questions. They say, “How can I stop my good employees going to my competitors?” Their questions should really be focused on “Are we doing enough to make them stay?”
The best way to retain confidential information and know-how is to treat employees well so that even when they do leave, they leave well. Any initiative that can keep employee turnover low will lead to better corporate integrity in every sense of the word. This is borne out by the Kroll survey, which shows that the most common driver suggested for the increase of fraud risk was high staff turnover, mentioned by 37% of companies.
However, even though companies may have taken rigorous steps to create a positive working culture, events can still lead to employee dissatisfaction. In Europe, for example, many companies are family owned. When there is a shift in ownership or a generational change over, the atmosphere in the company can change overnight. M&A transactions are also a cause of disgruntled employees as jobs amalgamate or disappear entirely.
Seven common mistakes companies make in dealing with employee-related risks of information theft are:
1. Underestimating the purpose of the exit interview
The exit interview serves many purposes. When an employee is leaving, the employer should use the interview to assess the risk of information or IP theft. It is an opportunity to assess employee morale, and to remind the employee of the company’s information and IP security and non-compete/non-solicitation policies. Gauging morale can flag whether there is a deeper malaise and the potential for more employee exits. Too often, companies underestimate the unhappiness of their employees.
2. Destroying critical evidence
When employees leave, companies tend to reutilize computers, delete email accounts and fail to archive telephone logs. In Asia, we often deal with cases where exiting employees are allowed to keep their computer and mobile as part of the severance package. All data and devices, including company access logs and CCTV (where permitted by law), should be kept for a period of time as it can often take months to discover a breach. If employees are allowed to retain any devices, these devices must be thoroughly wiped or reset to ensure that no confidential information is left on them that could be used by the departing employee for the benefit of another business.
3. Assigning responsibility too narrowly
Often, companies only task Information Security or Human Resources departments with assessing the threat and designing plans and policies. However, the risk should be addressed by multiple stakeholders including, Legal, IP, Marketing, the business itself, and even the CEO if the potential loss is of strategic importance, large scale or likely to result in negative publicity.
4. Allowing employees to use their own devices for company work
With the increase in overtime, home, and flexible working, it has become more important to establish clear rules about employee devices. It is rarely, if ever, possible to investigate personal computers and mobile phones belonging to employees. We advise that clients only allow employees to work on company devices and not on personal devices. Moreover, programs and work documents should be stored on the company server at all times and not locally. It is also important to take decisions out of the employee’s hands through robust policies and configurations. For example, it may be a deterrent to issue a regulation banning USB memory sticks. However, if all devices issued to staff have their USB ports deactivated, inappropriate use - whether by mistake or by design - becomes significantly more difficult.
5. Focusing on digital theft
Too often, companies focus on the theft of digital information, but physical records are also an important conduit of loss.
6. Rewarding bad behavior
Companies might hire an employee who brings information from a previous employer such as client lists or product information. What they fail to consider is that individuals who have behaved badly once are likely to do so again. Kroll recently worked with an engineering company whose key engineer had left and taken some important plans to the competition. During the investigation, we learned that the employee had done the same with their previous employer.
7. Neglecting the impact of an investigation
When an employee leaves under suspicion of information theft, an ensuing investigation can damage the morale of other employees. It is important to make sure that any steps the company takes to legitimately protect its assets do not appear vindictive. People do not like to be investigated or to participate in the investigations of their colleagues. Companies often bring in external investigators to avoid the disruption of employees being investigated by their coworkers, and to ensure that the investigation is run as efficiently as possible. It is also important to keep in mind that internal investigations must be conducted in accordance with applicable law including (but not limited to) employment, data privacy, and whistle-blowing laws, if applicable, and that laws differ from country to country. An external investigator would work alongside internal or external counsel to ensure that the investigation is conducted in accordance with all applicable laws and that any evidence obtained is not compromised.
As always, prevention is better than cure. Maintaining the right culture and having the appropriate processes in place will help protect your company’s most valuable assets.