Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, according to a global survey from Symantec, and 40 percent plan to use it in their new jobs. The results show that everyday employees’ attitudes and beliefs about intellectual property (IP) theft are at odds with the vast majority of company policies.

1. What’s Yours Is Mine
How Employees are Putting Your Intellectual Property at Risk
Global Results
February 6, 2013

2. Methodology
The Ponemon Institute surveyed
3,317 individuals in 6 countries across industries
United States 788
UK 530
France 491
Brazil 565
China 440
Korea 503
What's Yours Is Mine - February 6, 2013 2

3. Key Findings
• Employees are moving IP outside the company in all directions, and it is
never cleaned up
• Most do not believe using competitive data taken from a previous employer
is wrong
• Employees attribute ownership of IP with the person who created it
• Organizations are failing to create a culture of security; employees don’t
think their organizations care
What's Yours Is Mine - February 6, 2013 3

4. IP is moving outside companies and never cleaned up
• The majority of employees transfer work documents
outside and don’t understand that it’s wrong
– Half regularly email business documents using personal
accounts (like Gmail) to their home computer where
security is weaker
– One-third move work files to file sharing apps (like Security protection
Dropbox) without permission in home networks
is weaker*
– 2 out of 5 download work files to their personally
• 20% of consumer-
owned mobile devices (tablet or smartphone) grade endpoints
compromised by
• The majority do not delete the data they’ve moved malware
•Gartner, Top Technology Predictions for 2013 and Beyond, Nov. 2012
What's Yours Is Mine - February 6, 2013 4

5. Employees think it’s OK to take and use competitive IP
Organizations are at risk as unwitting recipients of stolen IP
Employee starts new job,
Organization at risk from
offers documents (stolen
• 50% of employees who • 56% of employees do use of stolen IP
IP) to new coworker
left/lost their jobs kept not believe it is a crime
confidential information • 60% say a coworker to use a competitor’s • 68% say their
• 40% plan to use it in hired from a competing confidential business organization does not
their new job company has offered information take steps to ensure
documents from the employees do not use
former employer for competitive info
their use Employee uses the
Employee leaves
competitor’s confidential
company & takes IP
info
What's Yours Is Mine - February 6, 2013 5

6. Employees Believe That They Own the IP
• Employees don’t get it – they don’t personally own IP, companies do
– 44% of employees believe a software developer who develops source code for a
company has some ownership in his or her work and inventions
– 42% do not think it’s a crime for this software developer to reuse the source code,
without permission, in projects for other companies
• Employees are not concerned about employee agreements (IP, NDA’s, etc.)
– 53% say no action is taken when employees take sensitive information that is
against company policy
What's Yours Is Mine - February 6, 2013 6

7. Failure to create culture of security
Only 38% say manager views data protection as business priority
Top Reasons: Employees think it’s Top Reasons: Employees do not
OK to take corporate data delete info they take
• Sharing the business information • It takes too much time
does not negatively impact or • Management doesn’t really care
harm the company • No one will know if this is done or
• Company has a policy that is not not
strictly enforced
• Business information is generally
available and not secured
What's Yours Is Mine - February 6, 2013 7

8. Recommendations
A multi-pronged approach
1. Employee education
• Organizations need to let their employees know that taking confidential information is wrong
• IP theft awareness needs to be integral to security awareness training
2. Enforce NDAs
• Stronger, more specific language in employment agreements
• Focused conversation during exit interviews
• Make employees aware that theft of company information will have negative consequences to
them and their future employer
3. Monitoring technology
• Implement DLP technology to monitor inappropriate access and use of IP and automatically
notifies employees of violations
What's Yours Is Mine - February 6, 2013 8

9. Appendix
Select questions included
For full survey results, please contact chau_mai@symantec.com
What's Yours Is Mine - February 6, 2013 9

10. Q4a-e. How would you rate the following statements? (strongly
agree and agree responses combined)
My manager takes appropriate steps to protect sensitive or
52%
confidential business information
My organization takes action when employees take sensitive
47%
information that is against company policy.
My manager views data protection as a business priority 38%
My organization does not allow employees to access and use
sensitive or confidential business information from remote 35%
locations
Most employees in my organization are cautious in the use and
43%
handling of sensitive or confidential business information
0% 10% 20% 30% 40% 50% 60%
What's Yours Is Mine - February 6, 2013 10

11. Q5. What types of sensitive or confidential information do you
have access to in the normal course of your job?
Please check all that apply.
Customer information including contact lists 45%
Email lists 64%
Employee records 33%
Non-financial business information 38%
Financial information 19%
Source code 15%
Other intellectual properties 28%
Other (specify) 1%
0% 10% 20% 30% 40% 50% 60% 70%
What's Yours Is Mine - February 6, 2013 11

12. Q6. Which one statement best describes your access privileges
to sensitive or confidential business information within your
organization?
My access privileges are too limited and at times prevents me from
17%
doing my job
My access privileges appropriately match what I need to do my job 51%
My access privileges allow me to do more than necessary to do
29%
my job
Unsure 3%
0% 10% 20% 30% 40% 50% 60%
What's Yours Is Mine - February 6, 2013 12

13. Q10a. Do you believe there are times when is it acceptable to
transfer work documents to your personal computer, tablet, smart
phone or Internet files sharing tool?
Yes 62%
No 28%
Unsure 10%
0% 10% 20% 30% 40% 50% 60% 70%
What's Yours Is Mine - February 6, 2013 13

14. Q10b. If you answered yes, why do you think it is acceptable?
Company does not have a data protection policy 19%
Business information is generally available and not secured 44%
Advance permission is obtained from a supervisor or manager 21%
Computer or device retaining this information is secure 30%
Business informatation was authored or co-authored by the
30%
employee who shares it
Sharing the business information does not negatively impact or
53%
harm the company
Employee who shares this information does not receive any
38%
economic gain
Company has a policy that is not strictly enforced 51%
0% 10% 20% 30% 40% 50% 60%
What's Yours Is Mine - February 6, 2013 14

15. S4a. Employees download confidential documents to their
personally owned mobile devices used in the workplace such as
tablet or smartphone. Do you ever do this?
Yes 41%
No 59%
0% 10% 20% 30% 40% 50% 60% 70%
What's Yours Is Mine - February 6, 2013 15

16. S4b. If yes, how frequently do you do this?
Very frequently and frequently combined.
At least once a week 41%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
What's Yours Is Mine - February 6, 2013 16

17. S4c. If yes, do you remove, erase or delete business documents
from your mobile device (tablet or smart phone) after using this
information?
Rarely and never combined.
Rarely or never 62%
0% 10% 20% 30% 40% 50% 60% 70%
What's Yours Is Mine - February 6, 2013 17

18. S4d. Do others in your organization do this?
Yes 50%
No 50%
0% 10% 20% 30% 40% 50% 60%
What's Yours Is Mine - February 6, 2013 18

19. S4e. If yes, how frequently does this happen?
Very frequently and frequently combined
At least once a week 43%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
What's Yours Is Mine - February 6, 2013 19

20. S4f. If yes, do others take steps to remove, erase or delete
business documents from the mobile device after using this
information?
Rarely and never combined.
Rarely or never 65%
0% 10% 20% 30% 40% 50% 60% 70%
What's Yours Is Mine - February 6, 2013 20

21. S4g. If you said you do take steps to remove, erase or delete
documents (choice = always or sometimes), why?
To comply with data protection practices 54%
To protect the data from unauthorized parties 57%
The data is likely to be valuable 11%
To avoid getting into trouble with management 51%
It is the right thing to do 18%
The mobile device is likely to be insecure 13%
Other (specify) 0%
0% 10% 20% 30% 40% 50% 60%
What's Yours Is Mine - February 6, 2013 21

22. S4h. If you said you do not take steps to remove, erase or delete
documents (choice = rarely or never), why?
It takes too much time 67%
No one will know whether this is done or not 40%
This data is not likely to be valuable to anyone 18%
Management doesn't really care 43%
There is no policy or requirement to do this 35%
The mobile device drive is likely to be secure 10%
Other (specify) 1%
0% 10% 20% 30% 40% 50% 60% 70% 80%
What's Yours Is Mine - February 6, 2013 22

23. S4i. In addition to the above facts, assume that permission from
management is not obtained. Do you view the transfer of
business confidential information to your personally owned
mobile device (tablet or smart phone) in the above scenario a
crime?
Yes 30%
Yes, but only if the data is not removed, erased or deleted after
25%
use
No 46%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
What's Yours Is Mine - February 6, 2013 23