You are a top executive in a growing business. A marketing department employee just tipped you off he saw your VP of Sales in her office at 5 a.m. with a portable hard drive attached to her laptop, green lights flashing. She was furiously scribbling notes during this process and was quite startled by the employee who noticed her. You think this is odd and are appreciative that your employee cared enough to tell you about this. But, why worry? You just gave her a raise, have traveled together over more than 10 years of service and you consider her a trusted, integral part of your business. As uncomfortable as it may be, consider this increasingly common fact: your coworkers or subordinates are future defendants against your business, for theft of trade secrets and other intellectual property. Back to our story: after being tipped off, although curious, you decide not to pursue anything. About a week later your main competitor unleashes a press release exclaiming their excitement and providing images and stories about their revolutionary new product, ready for initial orders next month. Trouble is: this product was YOUR design, and you were about to release it for orders, next month. Bottom line: after incurring expensive legal and forensic computer examinations, you learn that over the past three months, your VP of Sales was funneling your marketing plans, product designs, patent information and customer and accounting databases to your competitor. Sadly, you could not find evidence of her being paid for this subversive and damaging activity. The actual and projected losses from this behavior could put you out of business, for good. Back to reality. Although this did not happen to you it so easily can. What have you done to manage these kinds of threats to your trade secrets and intellectual property? Similarly, what steps have you taken to protect the “private” information about your customers and employees in your computer systems that, by law, you must adequately safeguard and which, if breached, can make you subject to significant fines, not to mention corporate embarrassment? If you don’t know you should find out. Chances are that your bases are not covered. The costs and pains of REACTIVELY pursuing the kind of behavior you read about in the story so significantly dwarf the costs and benefits from addressing these risks PROACTIVELY that one wonders why most businesses don’t take steps to be proactive. In a recent study involving the FBI, evidence showed that more than 50 percent of information-related breaches have been attributed to corporate mismanagement of data; most often caused by internal parties with too much access to such information. And, those disclosures were only from companies who were admitting to such (embarrassing) breaches. A business manager has a fiduciary responsibility for the protection and safekeeping of information, particularly that of a sensitive nature. Mismanagement of this responsibility can lead to irreversible damage to the manager, and the company. What to do? Knowing what information you have, where it lives and its relative sensitivity are not optional behavior anymore. To get ahead, you need to fully take stock of your information and implement a combination of proactive procedures, tools, and legal and other remedies. To start, take inventory of what trade secrets and intellectual property your business “owns,” in both paper and digital form. With the help of your lawyer, your risk manager, your human resources staff and your information technology personnel, determine what information might be sensitive and that which is not. Then, figure out who should, and does, have access to it. Be sure your business can actually accomplish this now. If not, take measures to get there – fast. Determine what you are doing to protect the information from inside and outside threats. Firewalls and physical access controls/locks are the bare minimum to guard against external threats and are considered “perimeter” security measures. Further, although employee handbooks and non-disclosure agreements can’t “stop” people from behaving adversely, they are a prudent deterrent and provide businesses with some grounds for protection, after the fact. Technology-based controls can also help mitigate your risks. Specifically, implementing perimeter security measures, such as intelligent firewalls and intrusion detection capabilities is a key first step. Next, to reduce losses from insider abuses and data mismanagement, a number of kinds of technology can help: – e-mail and instant messaging management tools to inspect and isolate inbound and outbound digital content; – web content filter tools to limit exposure from subversive and inappropriate browsing and other behavior and limit the use of non-corporate “webmail” such as MSN, Yahoo, AOL and Google mail; and – monitoring tools that take screenshot images of employee computer activities which have been used to catch people (like the VP of Sales, above) “in the act”. Lastly, there are increasingly effective tools to help limit the kind of access people have to the corporate network from both inside and from their homes. These limitations can even preclude people from copying data to external drives. The message should be clear: you can very easily and proactively take steps to protect your trade secrets and other sensitive data from those you trust within your midst, before you incur the pains from being violated by their activity against your business. The costs to be proactive are far less than the tangible and intangible costs of waiting for something to actually happen to you. Use the trusted and skilled resources around and available to you, so that material risks aren’t damaging to your business. Robert P. Green, CPA.CITP is the Managing Director of INSYNC Consulting Group, Inc.; now in its 3rd decade of providing objective IT advisory services, and computer forensics services to its clients. Bob can be reached at (818) 784-8600 ext. 650, or [email protected] .
