Relying in the goodwill of employees when it comes to protecting company data is a risky strategy.
Behind every great new business is a pilfered client list. Not, perhaps, always entirely accurate, but data leakage is a major headache for many companies.
All organisations spend a lot of time and money worrying about external threats. Viruses, hackers and Trojans all hit the headlines (and very often our inboxes), and are a major and legitimate business concern. Worldwide, we spend about $3.4 billion on anti-virus software alone every year.
But what about those people you have already let through your door, your employees and contractors? None of that fancy security software is going to protect your digital assets from disappearing if someone turns “rogue”. To give some scale to the problem, in 2011, a report produced for the Cabinet Office put the cost to UK industry of this type of cybercrime at £21billion annually. That is about 1% of the total UK GDP.
It sounds an almost fantastical amount of money, and should make you stare very suspiciously at the person sitting at the next desk. You know you aren’t stealing company data, so surely it must be them? But then you probably relax, safe in the knowledge that someone is no doubt worrying about this problem anyway, and so if no-one has been caught, your company’s secrets remain secret. Sadly, that is probably not the case.
Digitally exiting the building
First, you have to consider the scale of the problem. In 20 years, we have gone from being a paper-based society to an almost entirely digital one. Paper surrounds us still (at least on my desk it does), but that paper is only a physical manifestation of something that I already have in digital form. And where is the most likely place for me to have a copy? In my e-mail. Either it was sent to me, or I sent it to someone else.
Because it is so conveniently located, removing it from the care of my employers is actually relatively easy. I click the forward button, type in an e-mail address, and it’s gone.
And in most organisations that is the end of it, because no-one is looking at what is being sent out of the building. A number of years ago, I was involved in an IP theft case where it was alleged that a programmer had “zipped” up the entire source code of his employer’s software product, attached it to an e-mail, and sent it to himself at home.
Did he get found out because of the supreme vigilance of the IT, legal or compliance departments? No.The attachment was so large, it choked the e-mail system, which bounced it to the e-mail administrator. Had this alleged malfeasance not taken place in the early days of the internet when bandwidth was scarce (we obtained an actual Anton Piller order, which dates it), it would never have been detected.
You may well be thinking that these days no-one is that stupid. We all have access to more portable forms of theft-enabling devices such as flash drives. That is undoubtedly true, but people are a) inherently lazy, and b) reasonably sure that if they delete the e-mail they have just sent with the client list/business plan/blueprints, they will never be found out.
And they are almost entirely right. Even in organisations that have active compliance monitoring regimes, most monitoring is based on small random samples of e-mail. When you consider you may have a 30:1+ ratio of monitor to monitored, and the monitor has lots of other tasks other than to trawl through your e-mail, the chances of detection for a one-off event are slim.
Watching the detectors
So, can you protect against this sort of threat? Can the casual e-mailing of your company’s crown jewels ever be detected, or do you just rely upon the goodwill of your employees?
The answer is a cautious yes. I have been involved over the past few years in sifting millions of e-mail transactions to look for hallmarks of potential fraud and theft of this nature - and you do see patterns emerging. In the same way that every new generation thinks they have invented loud music and sex, every new budding Mata Hari thinks that the way they are quickly moving the company’s assets about is novel.
No perfect system
I don’t want to give too much away in case you are about to rip off your employer, but for example, can I suggest that if you are thinking of tipping someone off about a hot new stock, the fact that you use a foreign language that your compliance folk don’t understand is now an automatically detectable big waving red flag. Vraiment. No system is perfect, but if you don’t have a system to start with, you don’t stand a chance. Go and have a chat with your IT folk, and ask them what tools they use to monitor IP theft by employees? Don’t be too surprised if they turn a strange colour, and quickly leave the room.