Protect yourself from an inside job
by Jessica Twentyman

Think your employees can be trusted with confidential company data? In a recent survey of 1,000 working adults across the UK conducted by market research organisation Tickbox.net, an astonishing 60 per cent of respondents admitted to theft of confidential documents, customer databases, business contacts and sales leads from their employer. Thirty per cent said they believed sales leads and business contacts rightfully belonged to them.

"Clearly, many employees do not see data theft as stealing and do not apply any moral brakes to these activities", says Graeme Pitts-Drake, chief executive of data security specialist Prefix IT, which commissioned the survey. Naïve employers who continue to trust their staff blindly are "just asking for trouble", he says.

When it comes to data security, too much management attention is focused on implementing security technology, such as firewalls, in order to protect corporate networks from external threats, such as hackers, viruses and spam, says Edward Wilding, co-director of computer crime investigators Data Genetics International (DGI) and author of Information Risk and Security: Preventing and Investigating Workplace Computer Crime.

But the problem, in most cases, lies closer to home. "In around 70 per cent of the data-theft cases that DGI investigates, the guilty parties are shown to be company insiders," he says.

Wilding believes the proliferation of portable storage devices, such as memory sticks, handheld computers, digital music players and mobile phones, is to blame. "These seemingly innocent devices offer ever-increasing storage capacity," he says, "but, at the same time, they are small enough to conceal and unlikely to arouse suspicion."

Take, for example, the Apple iPod, says Simon Azzopardi, managing director of data security specialist GFI. "At a glance, it's an innocent-looking portable audio device. But under the hood it boasts up to 60Gb of portable storage space, practically large enough to store all the data found in a typical workstation," he says. A malicious insider could use an iPod to steal "millions of financial, consumer or otherwise sensitive corporate records" in one go.

Company directors should make it clear to their employees that this kind of theft will not be tolerated, says Pitts-Drake. "While trust in staff is laudable, it's professionally negligent not to protect company assets appropriately through policy and technical means," he says. "Failing to communicate with staff about unacceptable activities is tantamount to endorsing theft."

The first step is to get an Acceptable Use Policy (AUP) in place and ensure that employees understand it, says Wilding. "It needs to be made clear that company data is company property. An AUP should provide direction on how portable storage devices may be used and which kinds of corporate data may and may not be downloaded onto them," he says. Making that information clear to staff is simply good business practice, but an AUP can also be vital evidence in tribunal situations, he adds.

Many companies are exploring ways to technically "block" the USB (Universal Serial Bus) ports on corporate PCs into which these devices are plugged for data transfer. Some simply disable the USB ports, although this can be problematic, says Pitts-Drake, as vital peripheral equipment such as mice, printers and keyboards also needs to be plugged into them. In any case, many employees use portable devices in perfectly legitimate, revenue-enhancing ways.

Instead, other companies are turning to specialist software tools that enable managers to control the download of corporate data onto portable devices and to keep an audit trail of downloads.

This need not be expensive, says GFI's Azzopardi. A 10-user licence for GFI's product, EndPointSecurity, costs £300, a 25-user licence £400 and a 50-user licence £575.

"Small firms may well need to keep an eye on costs, but when you point out to them that their survival may depend on them keeping their corporate data private and safe, a few hundred pounds suddenly starts looking like a very shrewd investment," he says.

© 2009 Director Publications