Security Basics mailing list archives

Re: Physical Security & Protecting Information


From: Philip Storry <phil () philipstorry net>
Date: Fri, 14 Mar 2003 00:17:00 +0000

Hello discipulus,

Thursday, March 13, 2003, 3:13:44 AM, you wrote:

d> I've read about corporate espionage cases where a perpetrator
d> at one company busts into the network of another company and
d> stumbles into a directory named "Proposals" of all things, but
d> employees who walk out the front doors carrying protected information
d> seem just as damaging or more so to me.

There's not much that you can practically do here, I think.

The problem is that although there are many good technical and
procedural methods of ensuring that only authorised people have access
to your systems - and therefore your information - there are few
technical or procedural things you can (realistically) do to control
what those authorised people do with the information they have access
to.

Content security systems (like Mimesweeper) can check outbound emails,
and block anything that contains project codenames. But that won't
stop someone printing it out and putting the paper in their briefcase.

Because this is such a low-tech crime, you're left with policy and
procedure as your only tools.

You should consider making it policy that information does not leave
your sites, without written permission from a senior person. This will
cause trouble for those that telework, however. You could also brief
security staff on what to look for - keep them apprised of new
storage media (like those nifty USB pen drives), and give them the
authority to do random stop and search jobs.

Make sure that all emails and documents have - by policy - a
boilerplate on them saying who owns that intellectual property. Tacky,
but it might be useful in a court of law - and it reminds employees of
the stark reality.

All of these safeguards (except boilerplating, which could be enforced
via templates etc.) are the sort of things people get complacent on
very quickly, because they stand in the way of people working. Within
six months of implementing them, senior people will be signing off
that John Smith can take home "anything relating to projects X, Y and
Z" simply because they don't want to sign it off three times - even
though John Smith doesn't actually work on Y and Z.

So really, the only defence against this is contractual. All employees
must sign an NDA, stating that they will not divulge proprietary
intellectual property. Make them sign it, and understand why they are
signing it. Don't make it too draconian - you don't need the ability
to search their home, for instance. (That's what law enforcement
agencies are for.) But you should make it clear that if they steal,
they'll be sued. Having to spend that pay rise you got when switching
jobs on legal fees is not an attractive proposition.


Finally, it should be pointed out that many companies won't actually
accept stolen IP, because it's a legal minefield. But NDAs make it
difficult for both the person acting as a conduit as well as the
ultimate recipient, and may make employees who were only casually
thinking about it think twice.

Nothing, however, will stop the determined person who's miffed at the
company and leaving for a competitor. Nothing except the competitor's
honesty and their own legal team's advice, anyway. :-)

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net
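The post mentions content security systems that inspect outbound email and block anything carrying a project codename, and a policy of stamping every message with an ownership boilerplate. The following is an added example (not from the post or from any product it names) of what such an outbound check looks like in code: it parses a constructed outbound message with Python's standard `email` library, scans the subject, body and text attachments for codenames from a constructed watch list, checks whether the ownership notice is present, and recommends blocking when a codename is bound for an external domain. The codenames, notice text, internal domain and sample message are all assumptions made up for the example; it does nothing about the printed copy in a briefcase, which is the post's point.

```python
"""Outbound mail content check (added example, not part of the original post).
All codenames, notice text, domains and sample messages below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed watch list of project codenames (a real deployment would load
# these from a maintained list rather than hard-code them).
CODENAMES = ["Project Orion", "Hummingbird", "Tallboy"]

# Constructed ownership notice that policy says every outbound mail must carry.
IP_NOTICE = "This message and its attachments are the property of Example Corp."

# Constructed internal domain; anything else counts as an external recipient.
INTERNAL_DOMAINS = {"example.com"}


def _codename_matches(text, codenames):
    """Return the codenames that appear in text as whole words, case-insensitively,
    so 'ORION' in a subject is caught but 'hummingbirds' in unrelated prose is not."""
    return [n for n in codenames
            if re.search(r"\b" + re.escape(n) + r"\b", text, re.IGNORECASE)]


def scan_outbound(raw_bytes, codenames=CODENAMES, notice=IP_NOTICE,
                  internal_domains=INTERNAL_DOMAINS):
    """Parse one outbound message and report codename hits (with the part they
    were found in), whether the ownership notice is present, and whether any
    recipient is outside the internal domains."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = {}

    # Subject lines leak codenames at least as often as bodies do.
    for name in _codename_matches(msg.get("Subject", ""), codenames):
        hits.setdefault(name, []).append("Subject")

    # Walk every text/* part: the body and any text attachments (.txt, .csv ...).
    has_notice = False
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        location = part.get_filename() or part.get_content_type()
        for name in _codename_matches(text, codenames):
            hits.setdefault(name, []).append(location)
        if notice in text:
            has_notice = True

    # Any To/Cc address whose domain is not internal makes the mail external.
    recipients = [addr for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = any(addr.rsplit("@", 1)[-1].lower() not in internal_domains
                   for addr in recipients)

    return {
        "codename_hits": hits,
        "has_ip_notice": has_notice,
        "external_recipient": external,
        # Block only codename material leaving the organisation; internal mail
        # and mail with no hits pass, though a missing notice is still reported.
        "block": external and bool(hits),
    }


def build_sample(external=True, with_notice=False):
    """Constructed outbound message: the body names one codename and a text
    attachment names another; the recipient and notice vary with the flags."""
    msg = EmailMessage()
    msg["From"] = "john.smith@example.com"
    msg["To"] = ("A Friend <friend@competitor-example.net>" if external
                 else "Jane Doe <jane.doe@example.com>")
    msg["Subject"] = "Those numbers you asked for"
    body = "Here is the summary. Project Orion pricing is in the attachment.\n"
    if with_notice:
        body += "\n" + IP_NOTICE + "\n"
    msg.set_content(body)
    msg.add_attachment("Hummingbird: unit cost 42.00\n", filename="proposal.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for ext, note in ((True, False), (False, True)):
        print(scan_outbound(build_sample(external=ext, with_notice=note)))
```

The check is deliberately narrow: it only understands text parts, so a codename inside a PDF, a spreadsheet or a zip archive passes straight through, which is one reason the post treats filters like this as a supplement to policy rather than a substitute for it.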

