“Mr. Mallery, several of our employees have gone to work for a competitor, and we believe they took some of our proprietary information with them. Can you help us?” I hear this plea every single day. What surprises me is that the client acts like this is something new or unusual, when in fact it is extremely common.
Expanded bandwidth and increased data storage capacities are now availble at low cost, allowing people to transmit, store and transport large amounts of data with very little effort. Much has been written about the threat of USB storage (see “Portable Data Storage Devices: Security Nightmare,” July 2005 Security Technology & Design, p.36).
Anything Can Be Uploaded
Another threat is the development of free or low-cost online data storage sites such as Yahoo! Briefcase, which lets users store 30 MB of files for free. Many other sites provide even more storage capacity. For instance, FlipDrive offers 5 GB of free storage for 30 days. Does this frighten anyone?
There are so many of these sites that it’s difficult to keep track of all of them, so it can be difficult, if not impossible, to block access to them. But you should still try. In the box on p.32 I’ve included a short list of sites that you can start with, but keep in mind that it is by no means comprehensive.
Visit some of these sites to learn the types of services they offer. Many allow users to share files, which makes the sites that much more of a threat to proprietary information.
Who Can Access What?
Because people can disseminate proprietary information with the click of a mouse, businesses must work harder to protect their information. The first step is to ensure that all digital files have the appropriate file rights assignments. Not every employee in an organization should have access to every single file. Unfortunately, they do in many organizations, because it is easier to allow everyone full access than to figure out who should have access to which files. But in this environment it is easy to steal information.
Users should have access to only the files they need to do their job. Identifying who has access to which files can be a challenge, but several tools can help.
Sysinternals has two free tools, ShareEnum and AccessEnum. Another useful tool is Somarsoft’s DumpSec (formerly DumpACL) which lets security professionals review the Access Control Lists for all files on a system.Access Control Lists show which users can perform which actions on particular files. The tool is free and can be downloaded from Somarsoft’s Web site.
Manage Files Closely
Now you know how to start securing proprietary information and trade secrets. But blocking storage sites and managing file rights are not enough, since the biggest threats to trade secrets are the employees that do need access to proprietary information. These individuals often remove trade secrets from the office by, for instance, e-mailing material to a personal e-mail account so they can work on projects at home, or downloading materials to a corporate laptop so they have access to information while on the road. At this point, data is outside of corporate control.
If an employee who becomes disgruntled already has proprietary information in his possession, taking it with him when he goes to a competitor is a trivial matter.
You can protect documents by converting them to Adobe .pdf files and applying a password to restrict printing and editing. The nearby image shows this option being configured within Adobe Acrobat 6.0 Professional. This may be helpful for protecting a small number of documents. Larger organizations or businesses that want more control over their data may wish to use an enterprise rights management tool.