Computerworld - During the five months when Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next most active user of the system. But he wasn’t caught until after he left the company for a rival firm.
Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls at many companies for dealing with insider threats. In February, a cell development technologist at battery maker Duracell admitted to stealing research related to the company’s AA batteries, e-mailing the information to his home computer and then sending it to two Duracell rivals.
Dealing with such risks can be challenging, especially in large corporations, says Tom Bowers, former manager of information security operations for the global security division of Wyeth Pharmaceuticals Inc.
“I am not at all surprised” about what happened at DuPont, says Bowers, who is now managing director at Security Constructs LLC, a Fleetwood, Pa.-based consultancy. “When you have a huge multinational like that, your security department is never really going to fully have any realistic idea of where or how the information is flowing,” he says.
But there are ways to mitigate the risks and keep track of what’s going on inside the firewall. Experts suggest taking the following steps:
1 Get a handle on the data. It’s impossible to set controls for sensitive and proprietary information on your network if you don’t even know where that data is.
An organization’s sensitive data is widely distributed throughout its network, says Eric Ogren, an analyst at Enterprise Strategy Group Inc. in Milford, Mass. Important data resides not just in databases, but also in e-mail messages, on individual PCs and as data objects in Web portals. Sensitive information also comes in many forms, including credit card and Social Security numbers. And trade secrets can be found in many types of documents and files, such as customer contracts and agreements and product development specifications, Ogren says.
Implementing one set of controls for all data types can be inefficient and impractical. Instead, categorize data and choose the most appropriate set of controls for each data class. Tools that automatically scan company networks and identify where sensitive data resides are available from vendors such as Reconnex Inc., Tablus Inc. and Websense Inc., and such products are growing in number. Many of these tools can be used to separate data into different categories based on policies defined by a company.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
