Companies that ignore the progression, or don't look hard enough, are setting themselves up by failing to respond to sequence of conflicts that become more serious over time and end up in data theft or other negative responses.
By the same token, companies that jump on every incident as if they've caught the next Julian Assange just about to make off with all their precious data, will cause more angst and anxiety and, ultimately, more data theft, too.
"Far more people think about data theft than actually go through with it," Stock said. "The reaction of the organization to any suspicion, if it's a harsh or unjustified reaction, can make it much more likely that person will go through with something they might only have considered before."
Don't assume the worst about anyone, at least, not too soon
"In 90 percent of the cases the organization does something that makes the situation worse," Stock said. "The person might get into a conflict with the organization and the organization either doesn't realize it's a problem, doesn't take it seriously enough, or does not respond well toward addressing the issues or acting quickly to terminate an individual who doesn't match the [demographic] profile [of a data thief].
Data theft most often happens within 30 days of the time the employee quits or is fired from the company, after planning the theft as part of a series of other reactions for weeks or months.
"Data theft is not a spontaneous event," Stock said. "You don't wake up disgruntled on a Friday and steal on a Saturday. Before they do anything, people have been thinking about it for a while but their behavioral indicators were ignored or there were not enough detection mechanisms in place to identify the person's progression down the critical pathway."
What are legitimate signs of a growing problem? How do you address them?
Fault for data theft remains with the data thief; Stock and Shaw aren't trying to excuse corporate espionage, whether committed for profit or out of spite.
The reaction of managers to a deteriorating relationship with the potential data thief can make it far more or less likely the employee will go through with it.
Firing someone for either real or imagined patterns of behavior that could lead to data theft might cause the event managers were trying to prevent, in fact.
"We found that, of individuals committing sabotage on IP systems, 80 percent commit the attacks after termination. So terminating someone prematurely, before you've either tried to move them off that critical pathway or taken precautions to prevent damage, could be the catalytic moment that leads to an unfortunate event," Stock said.
Reuters: Jim Young