Yes, The Butler Did It

This sounds like a line from an old English novel or movie, but refers to a major data breach at the Vatican.  The Pope’s butler, Paolo Gabriele, has been arrested by Vatican police on suspicion of stealing confidential documents from the Pope.  The scandal has rocked the very secretive world of the Vatican and brought to light numerous intrigues, infighting and general power grabbing.  Vatican and Italian police believe the butler is just the tip of the iceberg and that many other people are involved.  Theories range from insiders who want to bring down the current pope to positioning for influence when the next pope is elected.

It all sounds like the plot of a suspense novel or the latest Hollywood blockbuster – I bet it will be in time.  It could also be a sequel to a Dan Brown novel.  Some are dubbing the scandal VatiLeaks and it might be just as big as the release of US State Department cables by WikiLeaks in 2010.

The Vatican is not just an organization or a company, but a sovereign state.  The consequences of leaking confidential documents may be more dire than for a typical business, but everything is proportional.  The same issues are in play.  One or more trusted insiders breached that trust and let sensitive information leak to unauthorized people.   

In a study by Symantec in December 2011, two forensic psychologists examined corporate data theft trends from trusted insiders. The research showed that in about half of intellectual property (IP) theft cases the employee or insider stole trade secrets.  In 75% of cases the person had authorized access to the information they stole.

Why did the butler do it?  Time will tell, but it is typically for monetary or political gain.  This incident may be a major power play with the control of the papacy and the Vatican as the prize.  This is not dissimilar to corporate espionage, social engineering, phishing or other tactics intended to steal confidential information.  The cost to the Vatican could be enormous.

How do you stop the theft of your important information?  Most people assume technology is the answer, but that’s only part of it.  When you hire someone, you should let them know about your information policies: what belongs to the company and what belongs to them.  Many companies still say anything created on company time or with a company device belongs to the company.  In today’s world with work and personal time blurred, this needs to be reasonable and spelled out.

Your company needs to show employees their value.  If an employee is engaged, feels part of a team, enjoys their work and feels that the company values them, there is less likelihood of data theft.  The Pope’s butler may have been a disgruntled employee or maybe someone promised him money and power.  We may never know, but job satisfaction goes a long way toward warding off problems.

On the technology front, many organizations spend a lot of money on perimeter security.  Much of that is intended to keep out the bad guys.  That does nothing for the trusted insider.  Since most of the IP in a company is in documents, the best way to protect yourself is by encrypting the files with a persistent security policy that controls access to the file no matter where it is.  If you suspect sensitive information was taken, you can remove the access to that document.  This renders the information inside useless.  It doesn’t matter if it’s a Microsoft Word document or a jpg.
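The persistent-policy model described above, as an added sketch that is not from the original post or any vendor's product: the file carries only ciphertext and a document ID, while a hypothetical `PolicyServer` holds the key and checks the access list on every open. The HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM, and all names and sample data are constructed.

```python
import hashlib, hmac, secrets

class PolicyServer:
    """Hypothetical policy service: keeps each document key and its access list."""
    def __init__(self):
        self._keys, self._acl = {}, {}

    def register(self, users):
        doc_id = secrets.token_hex(8)
        self._keys[doc_id] = secrets.token_bytes(32)
        self._acl[doc_id] = set(users)
        return doc_id, self._keys[doc_id]

    def request_key(self, doc_id, user):
        # Evaluated on every open, wherever the file copy now lives.
        if user not in self._acl.get(doc_id, ()):
            raise PermissionError(f"{user} may not open {doc_id}")
        return self._keys[doc_id]

    def revoke(self, doc_id, user):
        self._acl[doc_id].discard(user)

def _keystream(key, nonce, n):
    # Stdlib stand-in for a real AEAD such as AES-GCM: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def protect(server, plaintext, users):
    doc_id, key = server.register(users)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"doc_id": doc_id, "nonce": nonce, "ct": ct, "tag": _tag(key, nonce, ct)}

def open_file(server, blob, user):
    key = server.request_key(blob["doc_id"], user)
    if not hmac.compare_digest(_tag(key, blob["nonce"], blob["ct"]), blob["tag"]):
        raise ValueError("protected file was modified")
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def demo():
    server = PolicyServer()
    blob = protect(server, b"constructed sample memo", {"alice", "butler"})
    offsite_copy = dict(blob)              # the file has left the perimeter
    before = open_file(server, offsite_copy, "butler")
    server.revoke(blob["doc_id"], "butler")
    try:
        after = open_file(server, offsite_copy, "butler")
    except PermissionError:
        after = "denied"
    return before, after
```

Revocation here blocks future opens only; it relies on the viewing application not caching keys or letting plaintext be saved elsewhere, so content already extracted before revocation stays exposed.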

Stopping information theft by insiders is not an easy problem to solve. Your first goal should be determining the value of your information.  Then you can decide who should access it and how to protect it.  Creating a company of trusted, loyal, engaged employees is part of the answer.  The other is putting in technology that controls access to the documents that house that information.  This protects against malicious and accidental leaks.

The VatiLeaks scandal may cost the Pope, the Vatican and the Catholic church a great deal.  There are clearly legal, political and monetary issues at stake.  Reputations will be ruined and the business of the church will suffer.

Every organization could fall victim to the same problems when confidential information is stolen.  Protect your business with a security policy that guarantees that your documents and IP are always under your control.

 

Photo credit jadeb
