There are two ways to steal corporate secrets. Hack into corporate networks and steal files or have someone on the inside steal them for you. The insider may have access to a lot more information as part of their job then the hacker can get by just poking around. It’s also harder to hack into networks today, since there is so much attention to huge data breaches like Sony Pictures. This is causing more corporations to review their security and tighten it.
A corporate spy could be someone paid to come into your organization as a lower level employee or someone who is already there. Someone intent on stealing corporate secrets may get hired as a janitor, someone in shipping or even an IT staffer. Those people may have easy access to sensitive information on people’s computers, paper left on printers or even corporate data centers.
Another way to access sensitive information is to approach an existing employee who may be unhappy with her current job. A competitor might lure the employee into grabbing company secrets on the way out the door by offering them monetary or other incentives to leave and join the competition. Sometimes it may be a disgruntled employee who wants to get back at the company. While an improved hiring process is a great way to weed out potential spies, that’s not always going to work. If someone is very skilled at this, it’s not hard to avoid detection.
When recruiting current employees to steal secrets, the best source may be the IT professional who has full access to everything. IT supports all the systems that run the business, so it’s common for them to have access to company secrets. The company may audit other user access, but not typically IT. They could take confidential information without anyone knowing it.
So how do you stop corporate espionage and make sure your corporate secrets do not walk out the door?
The first step is to use technology to identify and limit employee access to sensitive information such as IP, customer data, and anything that might be tempting to a corporate spy. This includes appropriate controls to monitor employee access to this information.
The best way to control access to information is to encrypt it at the time of creation or when someone downloads it from a a document or data repository. As you encrypt sensitive documents, you should apply a security policy that controls what someone can do with the information when they open the file. Providing access control to limit someone’s ability to edit or print provides additional security. If you suspect someone with access is stealing corporate secrets, you can kill their access no matter where the files are.
It’s also important to monitor the behavior of new hires and anyone you suspect of being a corporate spy. You don’t want to become a dystopian organization that’s looking over people’s shoulders as they work, but a little diligence is helpful. Employees should understand their job functions and act accordingly. Using technology that can audit sensitive file use is a simple way to determine usage patterns and spot a potential problem before it becomes a data breach. Something completely out of the ordinary may be a clue to someone about to steal a lot of sensitive data.
Many organizations rely on non-compete agreements and other legal means to protect themselves from insider threats. The problem is that the horse has already left the barn (insert your favorite metaphor here) once you discover the problem. At that point you can try to get the data back, but who knows where it is. It might make the lawyers feel better, but your secrets are already in the hands of your competitors and the likelihood of retrieval is unlikely. It’s like when a judge says “The jury will disregard that last statement.” Too late.
Monitor your corporate secrets and decide who should access them based on roles and responsibilities. Securing them at the point of creation or download is the best way to stop spies from stealing your corporate secrets.
Photo credit Kangrex