No CIO wants to believe that the greatest threat to their firm’s corporate security might be on their very own payroll. Given some recent startling examples of the developing “insider risk” trend, however, the prospect is one that most IT leaders are being forced to contemplate.
Witness the details of a case involving Gary Min, a scientist at DuPont with a decade of experience under his belt working for the U.S.-based chemical giant. Released last month by the U.S. attorney’s office, they show that Min pleaded guilty to stealing proprietary data from a DuPont electronic library and taking the information with him to a new job with rival Victrex PLC out of England. Min now faces a maximum of 10 years in the slammer and a fine of US$250,000.
Although it was later discovered that Min’s downloading activity was 15 times greater than that of the next-heaviest user during the period in question, this bloating of the network pipes went undetected. Could Min’s machinations have been nipped in the bud had a more rigorous network monitoring policy been in place?
The situation around inside threats and protecting against them is akin to the changing of smoke detector batteries within the home twice a year: It’s easy to put the task off and comfort oneself with the misleading thought that, “It won’t happen to me.”
Odds are it won’t, and the odds also are that one’s employees are good people with no desire to illegally profit from the stealing of the company’s data stores. But you never know for sure, unless the battery is changed or the networks monitored effectively.
Typically, in the pre-Internet age, knowledge of company secrets within most firms was tightly guarded amongst a select group of senior management members. Being at the top of the corporate heap, most had no interest in applying what they knew to any nefarious, profit-driven purposes.
The situation is drastically different today. In the era of business intelligence in which we live, sensitive corporate info is at the fingertips of a much larger percentage of an outfit’s charges than ever before. The risk of a DuPont-style catastrophe has skyrocketed — and the need for effective monitoring policies has grown right along with it.
Hiring someone to manage the monitoring process should be on the radar screens of today’s CIOs. That salary is more than worth paying to avoid the cost of data loss and the embarrassing PR that accompanies it. Just ask DuPont.