|Why DLP can’t stop insider threats
Disgruntled or departing employees often steal confidential information out of spite or a misguided sense of entitlement. Stolen data are often customer details, prospect or price lists, marketing plans, new product details, financial information and IP. A recent Ponemon Institute study found that nearly 60 per cent of employees who’d lost or left their jobs took confidential information with them, including customer contact lists and other data that could end up in the hands of competitors. Of course, commercial gain is often a motive with insider fraud. In a recent example, US company Starwood (owner of Sheraton, Westin and Le Meridian brands) filed suit against the Hilton Hotel group after it hired a number of Starwood executives.
According to the lawsuit, trade secrets were taken which Hilton used to develop its new Denizen Hotels concept. Starwood claims that the former head of its luxury brands group downloaded ‘truckloads of documents when printed’ on his laptop computer. Other times, when thieves target smaller amounts of specific information, their loss is more difficult to spot. According to last year’s Global Fraud Report, published by the Association of Certified Fraud Examiners, the financial services industry is at the highest risk from insiders: 80% of all fraud was attributable to people working in the accounting, operations, sales, customer service and purchasing departments of lender or financial services businesses.
Why DLP won’t help
Many IT security vendors have developed or acquired Data Loss Prevention (DLP) solutions which promise for data protection or deliberate removal of sensitive information. To use these systems (assuming you know where all your sensitive information resides) you first must classify it by degree of sensitivity and then keep the information updated as sensitivity changes over time. For many organisations, the set-up process is too complex and the ongoing operation too onerous.
More to the point, ‘enterprises don’t know where their unstructured data is,’ says Nick Selby, head of enterprise security research at The 451 Group.’ Putting a box at the gateway doesn’t solve the (data loss) problem, but highlights it.’ Most importantly, insiders with privileged access will know these systems and how to get around them.