CORPORATE ESPIONAGE, DATA THEFT
He had been preparing a great new discount deal for that long-time client they could not afford to lose. It would be hard to say no to that. On the day before he could send it off, he had to find out the hard way that the client had already agreed to another deal from the competitor, which offered an even steeper discount and gave his company’s products a bad rep. Someone must have infiltrated our systems. An investigation followed, which found that nothing sophisticated was going on. In part he could only blame himself for not living up to the clean desk policy he demanded of the rest of his crew. One of the cleaners had found the file lying on his desk, realized the value of the information, made a copy and delivered it to the competition, to be rewarded with a nice commission.
This may sound like a story from a book, but the sad fact is that this and similar stories happen on a daily basis. Many companies do their very best to keep their data, and especially sensitive data, safe from outsiders. The sad fact, however, is that the largest threat comes from the insider. The current economic climate does not help. Employees worried about job security face rising temptations to seek out and take proprietary data that could help boost their job performance, or at least make them more marketable should they get laid off.
And it has become so much easier nowadays: where in the early days you had to physically carry out files, nowadays you could store almost a complete library on a USB stick the size of a small lighter. More and more employees are given access to the internet and it becomes easier and easier to send sensitive data to yourself or other interested parties, share it using all kinds of apps available or even securely store it online for later use.
Kiwi businesses complacent about data theft
Kiwi businesses are just as, if not more, vulnerable to data theft or destruction from disgruntled ex-employers than US companies…
A recent survey by the Ponemon Institute in the U.S. found that up to 59% of fired workers admitted to stealing company data and 67% used their former company’s confidential data to leverage a new job.
Source: Scoop
We have an expectation that our critical information assets including intellectual property and sensitive company data will be readily available when required, protected against technology threats such as hardware failures and malware attacks, and secured against loss due to events such as fire or earthquake. We spend relatively large proportions of our ICT budgets on remedies that protect against these known types of uncertain events.
Investment in the remedies obviously makes sense and provides insurance of continuity where a disastrous event occurs.
Employees, however, oftentimes seem to have gone off the radar in these protection efforts. We continue to provide our employees with new technical solutions that help or are supposed to help in their daily tasks: email and instant messaging, internet access for B2B engagements, social networking options for relational marketing, and all kinds of peripheral (USB) storage devices. We expect these solutions to assist in carrying out jobs more effectively, not in carrying out information.
While meant for, and often effective in, enhancing productivity, these same solutions can also be used to the detriment of the organization. Employees stealing, illegally modifying, or destroying data is not a new phenomenon in the business world; what is different, however, is the wider range of available options to do so.
To determine and validate the risks that organisations face in protecting their critical information assets, McAfee recently commissioned a survey of 1,000 global senior IT decision makers. The findings of this survey were startling. Companies surveyed estimated that they lost an average of $4.6 million worth of intellectual property in 2008. Forty-two percent said laid-off employees were the single biggest threat to their intellectual property.
In a separate survey published in February 2009 by Ponemon Institute and sponsored by Symantec, the findings showed that of 945 individuals who were laid off, fired or had quit their jobs in the past 12 months, 59% admitted to stealing company data and 67% used their former company’s confidential information to leverage a new job.
Source: Datasouth
The most common methods used for the theft of the data:
- the removal of paper documents from company premises,
- sending documents as attachments from personal email accounts, or
- transferring data onto optical disks or USB memory sticks.
Proactive: prevention is better than the cure
So how do you protect your company from employees stealing critical information assets? There simply is no ‘one solution fits all’ and there is also no 100% fail-safe remedy. Some steps that may help, however:
- CLASSIFY information and LIMIT ACCESS to sensitive information;
- Have an appropriate compliance regime in place, through clear GUIDELINES on the responsibility of the employee and employer on the termination of the employment.
- EMPLOYMENT CONTRACTS should include appropriate clauses in regards to the use and ownership of intellectual property and critical information assets;
- REVIEW your information security policies periodically and ensure that they are current, actual and relevant and clearly define what is acceptable and non-acceptable use;
- Create sound PASSWORD POLICIES AND PRACTICES;
- REMOVE OLD USERS immediately. This may seem like a logical and obvious thing to say, but all too often we encounter situations where ex-employees still have access to the systems, and actually access the systems, weeks if not months after the termination.
- Undertake regular AUDITS of network usage to ensure employees are utilizing these resources as per company guidelines;
- Implement technology that provides protection against intellectual property and critical data assets leaving the company.
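As an added illustration of the REMOVE OLD USERS and AUDITS steps above (example code written for this page, not taken from the original article or its sources), the following script cross-checks an HR termination list against directory account status and an authentication log. The data formats, account names and the audit_offboarding function are assumptions; the sample records are constructed.

```python
from datetime import date, datetime

# Constructed sample data (hypothetical names and formats, not from the article).
HR_TERMINATIONS = {          # username -> last day of employment
    "asmith": date(2009, 3, 2),
    "bjones": date(2009, 3, 20),
    "cwu":    date(2009, 4, 1),
}
DIRECTORY = {                # username -> is the account still enabled?
    "asmith": True,
    "bjones": False,
    "cwu":    True,
    "dlee":   True,          # current employee, no termination record
}
AUTH_LOG = """\
2009-03-01T08:55:10 asmith LOGIN_OK vpn
2009-03-19T22:14:03 asmith LOGIN_OK fileserver
2009-03-21T07:30:44 bjones LOGIN_FAIL mail
2009-03-30T09:02:17 dlee LOGIN_OK mail
2009-04-01T17:45:00 cwu LOGIN_OK fileserver
"""

def audit_offboarding(terminations, directory, auth_log, today):
    """Return (stale_accounts, post_termination_events)."""
    stale = []
    for user, last_day in sorted(terminations.items()):
        # A missing directory entry means the account was deleted, which is fine.
        if directory.get(user, False) and today > last_day:
            stale.append((user, (today - last_day).days))
    events = []
    for line in auth_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the audit
        stamp, user, outcome, system = parts
        last_day = terminations.get(user)
        when = datetime.fromisoformat(stamp)
        # Any attempt after the last day matters, successful or not.
        if last_day is not None and when.date() > last_day:
            events.append((user, stamp, outcome, system))
    return stale, events

if __name__ == "__main__":
    stale, events = audit_offboarding(HR_TERMINATIONS, DIRECTORY, AUTH_LOG, date(2009, 4, 10))
    for user, days in stale:
        print(f"STALE  {user}: still enabled {days} days after termination")
    for user, stamp, outcome, system in events:
        print(f"ACCESS {user}: {outcome} on {system} at {stamp}")
```

Failed attempts are reported alongside successful ones because a disabled account that is still being tried after termination is itself worth following up.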
In the current global economic environment, the risk to businesses' critical information assets has never been higher. We can assist in the mitigation of these threats. To better understand the current threats and how you can mitigate the risks to your business, contact us to discuss your specific requirements.