Corporate security lapses are once again sweeping the news hour, but these days the culprit is just as likely to be an inside source — a paid employee at a reputable company — as a hacker doing evil somewhere in a Moscow basement.
Pity poor Boeing, which made headlines in December after personal information including salaries, social security numbers, and home addresses of approximately 382,000 retired and current employees was stolen. According to news reports, a thief made off with an employee’s laptop.
Unfortunately, the laptop’s owner violated Boeing’s policy by failing to encrypt the data after it had been downloaded from a server. In an e-mail sent to Boeing employees, Jim McNerney, chairman, president, and CEO wrote, “This latest incident resulted from a clear violation of our data-protection policy.”
That wouldn’t surprise Brian Contos, CSO of security vendor ArcSight and author of Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. In the book, he notes, “Too often policies and procedures are outdated, forgotten, not well-communicated through awareness programs, or not even written.”
Financial liability aside, information leaks can disrupt corporate strategy and leave an embarrassing bruise. In January, full details about Cingular Wireless’s latest Palm Treo 750 were leaked to the Web a week before the announcement date. A sales presentation that was supposed to be embargoed until the big day was instead debuted prematurely.
PLUGGING THE LEAKS
Such events are leading to a surge of interest in ILP (information leak prevention), which targets policy-compliance monitoring and enforcement pertaining to information on the desktop and all data that moves along the internal network and across the corporate boundary.
“Maybe we were na