[Survey of 1,019 Executives/IT Managers] Onboarding Training Isn't Enough: 80% Fear Data Theft by Departing Employees, Yet Only 20% Complete Account Deletion on Time!

ISO Pro Co., Ltd. (Headquarters: Shinjuku, Tokyo; Representative Director: Taizo Yoneda) conducted a survey on the risks of confidential information theft and unauthorized access by departing employees, as well as organizational security structures, targeting corporate executives and IT department personnel. While employee training is essential for corporate security, challenges remain in its effectiveness. A survey conducted in March this year revealed that about 60% of employees only have a vague understanding of security even after receiving training, and about 20% tend to resolve security mistakes on their own, highlighting hidden organizational risks. While challenges remain in 'entry' (onboarding) security, another critical threat that companies cannot overlook is 'exit' (offboarding) security. In an era of high talent mobility, the risk of 'insider threats'—such as departing employees taking customer lists or proprietary data—has become a major threat to companies. How thorough are 'exit' measures, such as account management and data wiping from personal devices (BYOD), in actual practice? Therefore, ISO Pro, which operates the ISO certification support site 'ISO Pro', surveyed corporate executives and IT personnel on this topic. (Survey details omitted for brevity). About 80% of companies are concerned about the risk of 'confidential information theft' at the time of departure. When asked about their level of concern regarding information theft or unauthorized access by departing employees, about 80% answered they are 'very concerned' (35.4%) or 'somewhat concerned' (47.1%). This indicates that many recognize the risk of information leakage via departing employees as a serious threat. The advancement of digitalization and easier access to customer information and internal data are likely factors driving this sense of crisis. Furthermore, the increasing news coverage of insider threats may also be heightening the vigilance of management and IT departments. When asked about specific concerns, 'theft of customer information or sales lists' (58.4%) was the most common, followed by 'leakage of design data or proprietary know-how' (54.3%) and 'unauthorized access due to failure to delete departing employee accounts' (45.8%). Data directly linked to corporate competitiveness and credibility topped the list. Regarding actual incidents, when asked if they had experienced theft or unauthorized access due to account deletion failures, 15.4% reported actual damage, and 39.5% reported 'near-misses' or suspicious incidents. Combined, over half of the companies have faced security issues related to employee departures. Specific examples included selling company-purchased smartphones without wiping data, attempting to copy personal information of employees and partners, and using customer information for new business ventures. While some incidents were prevented by security software, the results show that relying on individual morality is insufficient; systematic control and monitoring tools are essential. Only about 20% complete account deletion on the day of departure. When asked about the timing of account deletion or permission changes, only 22.1% do so on the day of departure. About 20% take several weeks to a month, creating a window of risk for unauthorized access. Regarding BYOD, measures vary significantly, with only 20.2% implementing account suspension/permission deletion upon departure. The most common challenges cited were 'reliance on individual morality' (24.8%) and 'manual account management prone to errors' (24.5%). To address these issues, about 80% of respondents believe that obtaining third-party certifications like ISO27001 is effective, as it helps standardize rules, procedures, and risk assessment, moving away from reliance on individual effort. In conclusion, standardizing organizational rules and systems is an urgent necessity to counter the risk of information leakage during employee departures.