DLP Nightmare Realized: Lost USB at Tradeshow Puts Company at Risk
This year we’ve seen records stolen from USBs across industries. 29,000 patient records were compromised in an apparent accidental data breach of Indiana University Health Arnett Hospital. The records, which were downloaded to a USB drive, contained names, addresses, personal information, and medical records for patients treated in the past year. Two foreign nationals who worked for a third-party data company are suspected of stealing the personal information of as many as 4,000 Dow Corning employees. The two men, who worked for HCL America, are believed to have downloaded names, Social Security numbers, income records, and more, then transferred that data to a USB drive.
Think USB breaches aren’t that big a deal in your industry? This is my story of how my product’s future development plan wound up on the floor of a competitor’s booth at an industry conference.
Working for a previous company, I was attending a major exhibition when a coworker was cleaning up after the show and noticed a thumb drive lying in our competitor’s empty booth after everyone had gone home.
Now of course, like any curious person, I had a look. On that drive, I found my own product team’s design documents, along with the presentation I gave a few months earlier to our management. Just as shocking, I saw my competitor’s product roadmap and internal design documents sitting right next to my own on the same drive!
This is a perfect example, one that I experienced, where internal documents were leaked out of the company and seen by a competitor’s engineering teams.
How does IP go missing and how often?
My initial question was: how did this happen? As I've continued in my career, though, I think the right question is: how frequently does this happen? I suspect it happens a lot more often than we'd like to admit.
In my situation, a sales engineer left our company to work for the competition. On his final day at the office, he emailed a bunch of engineering design files to himself – a rather stupid form of theft as his manager immediately knew he used his corporate email account to send confidential files to his personal account. At that time, my company concluded that the cost of legal action would outweigh any benefits. A few months later, this ex-employee dropped the incriminating evidence at the show.
The value of intellectual property
Intellectual property can constitute more than 80 percent of a single company’s value today, according to Deloitte University Press. “It’s no surprise, then, that thieves [disgruntled or opportunistic employees or hackers]—armed with means, motive, and opportunity—are in hot pursuit.”
The Deloitte Review article said:
“… Compared with PII breaches, IP theft has ramifications that are harder to grasp: fewer up-front, direct costs but potential impacts that might metastasize over months and years. Theft of PII might quickly cost customers, credit ratings, and brand reputation; losing IP could mean forfeiture of first-to-market advantage, loss of profitability, or—in the worst case—losing entire lines of business to competitors or counterfeiters.”
Preventing Intellectual Property Theft
Back to my story – an entirely preventable one. Here’s what went wrong:
- The sales engineer should never have had access to the development team’s future design documents.
- He should have had access to the internal presentation and roadmap, but should not have been allowed to email internal documents to an external email address.
- His new company should not have allowed him to put internal files on a USB drive for him to lose. (Why anyone would want to bring internal design documents to a trade show on a USB stick, I’ll never know!).
We’d like to think our employees are loyal and trustworthy, but sometimes we all need a little extra help remembering how to behave with sensitive information.
Dynamic Data Loss Protection
Companies that need to protect IP (and that should be every company) should employ data loss protection that dynamically adjusts access based on a real-time comparison of file content and user context. A dynamic solution helps enforce compliance and data security policies for privacy and confidentiality, intellectual property and trade secret protection, data loss prevention, enterprise social communications, PII and PCI compliance, HIPAA requirements, and accessibility guidelines. It extends these same capabilities to file share environments.
In my conference example, a granular approach to security can:
- Automatically restrict access to and encrypt content based on the presence of sensitive data including PII, PHI and other confidentiality factors
- Detect potential violations and initiate workflows to remediate and minimize risk
- Utilize granular security to more effectively control access to and the distribution of sensitive data
- Provide audit trails and forensics to track access to sensitive data, ensuring transparency and accountability
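The decision logic the story and the list above describe (what went wrong in the three bullets, and the content-plus-context policy with audit trail in the four) can be sketched as a small policy engine. The block below is an added example written for this post; it is not Cryptzone's or Security Sheriff's code, and the sample files, the sensitivity labels (PII, INTERNAL, DESIGN), the regex classifiers, the two roles and the corporate domain are all constructed for illustration.

```python
"""Toy content-plus-context DLP policy engine (constructed example, not a product's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample files standing in for the roadmap, a design spec and a public brochure.
FILES: Dict[str, str] = {
    "roadmap.txt": "INTERNAL ONLY - Product roadmap: Q3 release of feature Alpha.",
    "design_spec.txt": ("CONFIDENTIAL engineering design spec for board rev B. "
                        "Reviewer SSN 123-45-6789 (fake test value)"),
    "brochure.txt": "Public datasheet: 10x faster, available now.",
}

# Content classifiers: hypothetical label -> pattern that marks content as sensitive.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                        # US SSN shape
    "INTERNAL": re.compile(r"\b(confidential|internal only)\b", re.I),  # handling marking
    "DESIGN": re.compile(r"\b(design spec|schematic|engineering design)\b", re.I),
}

# User context: which labels each (hypothetical) role may read at all, i.e. least privilege.
# The sales engineer gets the roadmap/presentation but never the design files.
ROLE_CAN_READ: Dict[str, Set[str]] = {
    "design_engineer": {"INTERNAL", "DESIGN", "PII"},
    "sales_engineer": {"INTERNAL"},
}
CORP_DOMAIN = "example.com"   # assumed corporate mail domain


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str        # "read" | "email" | "copy_removable"
    destination: str   # e-mail address for "email", device name for "copy_removable"


@dataclass(frozen=True)
class Decision:
    verdict: str       # "allow" | "deny" | "block" | "encrypt"
    reason: str
    labels: frozenset


AUDIT: List[str] = []   # in-memory audit trail; a real deployment ships this off-host


def classify(content: str) -> Set[str]:
    """Return the set of sensitivity labels whose patterns match the content."""
    return {label for label, rx in PATTERNS.items() if rx.search(content)}


def decide(req: Request, content: str) -> Decision:
    """Combine content labels with user/destination context into one verdict."""
    labels = frozenset(classify(content))
    if not labels:
        return Decision("allow", "no sensitive content detected", labels)
    missing = labels - ROLE_CAN_READ.get(req.role, set())
    if missing:   # role was never entitled to this material: deny before anything else
        return Decision("deny", f"role {req.role} not cleared for {sorted(missing)}", labels)
    if req.action == "email":
        domain = req.destination.rsplit("@", 1)[-1].lower()
        if domain != CORP_DOMAIN:   # the "mail it to myself" case
            return Decision("block", f"sensitive content to external domain {domain}", labels)
    if req.action == "copy_removable":   # the "USB stick at the show" case
        return Decision("encrypt", "sensitive content on removable media is encrypted", labels)
    return Decision("allow", "within role and destination policy", labels)


def evaluate(req: Request, filename: str) -> Decision:
    """Apply policy to one request and append an audit record for forensics."""
    d = decide(req, FILES[filename])
    AUDIT.append(f"user={req.user} role={req.role} action={req.action} file={filename} "
                 f"dest={req.destination} labels={sorted(d.labels)} "
                 f"verdict={d.verdict} reason={d.reason!r}")
    return d


def demo() -> List[str]:
    """Run the scenarios from the post; returns the verdict per scenario."""
    AUDIT.clear()
    cases = [
        (Request("se1", "sales_engineer", "read", "workstation"), "roadmap.txt"),
        (Request("se1", "sales_engineer", "email", "me@webmail.example"), "roadmap.txt"),
        (Request("se1", "sales_engineer", "read", "workstation"), "design_spec.txt"),
        (Request("de1", "design_engineer", "copy_removable", "usb0"), "design_spec.txt"),
        (Request("se1", "sales_engineer", "email", "boss@example.com"), "brochure.txt"),
    ]
    return [evaluate(req, name).verdict for req, name in cases]


if __name__ == "__main__":
    print(demo())
    print(*AUDIT, sep="\n")
```

The order of checks matters: entitlement by role is evaluated first, so a user who should never see design documents is denied regardless of destination, and only then do destination rules (external mail, removable media) apply to material the user is otherwise allowed to read. Every decision, including the allows, lands in the audit list so that a later investigation can reconstruct who touched which file and where it went.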
Learn more about Cryptzone’s data loss prevention solution, Security Sheriff.