Last week we learned, thanks to a filing in Massachusetts Federal Court, that more than 100,000 documents had been stolen from chipmaker AMD by former employees who allegedly attempted to ferry the documents to rival chipmaker Nvidia. Assuming the allegations prove true, the blame can be assigned to any number of factors, but I would argue that institutional IT practices were, in part, at fault.
Simply put, in today’s climate of fierce competition, massive compact storage, and vast cultural acceptance of piracy, allowing employees to use external storage devices is a massive risk. I would argue that while blacklisting external storage devices from your corporate network and ditching burnable media can create headaches, it is worth the added security, in many cases.
Of course there are plenty of ways dishonest employees could steal documents. They could zip them up in a password-protected encrypted ZIP file and email the file to themselves. They could do it the old-fashioned way by printing paper copies. They could physically steal hard drives.
But all these approaches are easier to detect and require much more effort for the would-be thief. Simply put, many dishonest employees who might steal documents if it was as simple as a copy and paste operation would likely not commit themselves to such extreme efforts.
It seems that every year brings new reports of data loss in the private and public sector via USB sticks and burnable media. (See: Wikileaks Gives IT a Wakeup Call.) The madness will stop only when IT departments and employees accept a certain level of inconvenience in exchange for a stronger guarantee that an employee cannot easily and wantonly mass-copy proprietary materials off the network onto their media of choice.
With the rise of the internal storage cloud, there’s no real need for external storage devices or burnable media. In addition to being a risk to intellectual property and trade secrets, these devices also are a risk to security. Many of the more sophisticated recent pieces of malware have spread to workplace environments via infected USB devices.
But blacklisting external storage alone is not a one-stop solution. Network monitoring is equally important. You have to wonder how hundreds, let alone tens of thousands, of files could be transferred to an external storage device without raising immediate red flags.
Thanks to the success of BYOD, it’s hard to prevent employees from attaching their tablets and laptops to your network -- and its files. (See: Reject BYOD for the Right Reasons, Not Out of Fear.) Without responsible tracking, BYOD delivers yet another route to data loss, by effectively offering employees a new kind of insecure, easily attachable storage.
Of course, these are just general guidelines. IT departments require unique permissions to do their work quickly and effectively. And it will be near impossible to regulate external storage devices attached to employee-owned BYOD hardware.
Smaller companies may have trouble tracking file transfers. In these cases, it may be most important to carefully store and back up network logs; at a later date, audits can spot suspicious file activity. External audits may be useful in spotting such suspicious activity, if your company lacks the dedicated resources to perform them internally.
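As an added illustration (not part of the original column), here is a sketch of the after-the-fact audit described above: it scans archived file-copy records and reports any user who copied more than a threshold number of files to removable media within a sliding time window. The record format, user names, paths, and threshold values are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp,user,destination,path); format is assumed.
SAMPLE_LOG = """\
2013-01-14T09:00:05,alice,removable,/hr/handbook.pdf
2013-01-14T10:15:40,alice,removable,/hr/benefits.pdf
2013-01-14T11:02:00,bob,removable,/eng/d001.dwg
2013-01-14T11:02:20,bob,removable,/eng/d002.dwg
2013-01-14T11:02:41,bob,removable,/eng/d003.dwg
2013-01-14T11:03:05,bob,removable,/eng/d004.dwg
2013-01-14T11:03:30,bob,removable,/eng/d005.dwg
2013-01-14T11:04:10,bob,removable,/eng/d006.dwg
2013-01-14T11:05:00,carol,network_share,/eng/d001.dwg
not-a-record
"""

def parse_records(log_text):
    """Yield (timestamp, user) for copies to removable media, skipping bad lines."""
    for line in log_text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4 or parts[2] != "removable":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue  # unparseable timestamp: ignore the record, keep auditing

def audit_bulk_copies(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak} for users exceeding `threshold` copies in any window."""
    recent = defaultdict(deque)  # user -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, user in sorted(parse_records(log_text)):  # archived logs may be unordered
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n > threshold}

if __name__ == "__main__":
    for user, n in audit_bulk_copies(SAMPLE_LOG).items():
        print(f"{user}: {n} files copied to removable media within 10 minutes")
```

The window and threshold need tuning against normal activity in your own environment; the values here only suit the constructed sample.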
With network monitoring and a concerted effort to replace insecure external/burnable media with cloud storage, you can deter most data theft plots. And if the worst case does happen -- an employee makes an attempt to steal your trade secrets -- you will be able to spot it and take action far faster and more discreetly.
— Jason Mick is senior news editor at the independent tech news site DailyTech.
"The madness will stop only when IT departments and employees accept a certain level of inconvenience in exchange for a stronger guarantee that an employee cannot easily and wantonly mass-copy proprietary materials off the network onto their media of choice"
Using tablets and phones for work (helps?) employees do work better (at home, on the go, etc.) but at a higher cost. How can you add control when you allow BYOD?
Recent news in Florida found some hundreds of thousands of individuals' records missing when a "device" was stolen from the Department of Juvenile Justice. They didn't say what kind of device but likely something pretty easy to pick up and carry off without too much notice.
It's always going to be a problem. Innocent loss, or more evil stuff going on. Monitoring for security is going to be a constant challenge.
To the comment that one solution does not fit all, I completely agree with that. For some companies blacklisting external media may not make sense. I would argue it does for many, but some may disagree.
As for the notion that employees will always find a way to steal stuff or screw things up, I agree with that as well. However, the premise is risk mitigation which in turn stands for MINIMIZATION of risk/damage, not elimination altogether of risk/damage. You can stop all attacks/theft attempts, but you can stop a lot of them, with policies that work for your firm.
No, @syed, I don't think an unintentional data leak counts as an act of malice, but the result's the same, isn't it? The data is still lost. If someone steals information maliciously, however, data could end up in a competitor's hands, plastered all over the Internet, or used for some other highly public or very expensive reason. If an employee (or ex-employee) accidentally deletes or takes information, a company might not even know about it unless they actually seek or need the missing data. Yet organizations have to be prepared to protect themselves against that handful of bad apples; you never know.
Yes, most studies suggest that critical data is lost or stolen because of mistakes made by employees. But does unintentional mistake count as an act of malice?
I agree with you there could be other reasons for illegal activities. Do you think carelessness or negligence unintentionally could be termed as illegal activities?
Yes, the right level seems more appropriate. Thank you for correcting me. Each company has their own requirements and hence should opt for security accordingly.