Slashdot Mirror
How to Prevent IP Theft by Your Own Employees?
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"
Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.
You've got yourself a self fullfilling prophecy there...
http://monkeyserver.com --- weeeeee
... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducting full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.
Just my $0.02.
As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.
No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.
Technology is making this issue ever-more pressing.
You have two options:
1) Hire only trusted people, and trust them.
2) Don't rely on IP as a business model.
Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.
A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.
It may sound pessimistic, but it's the truth.
GeekNights!
Late Night Radio for Geeks!
Start -> Run: regedit
Find the following key:
This allows writing. Change the value to 1. This will prevent writing. Save your registry and reboot. Of course, it's always recomended to backup your registry before making changes.Allegedly, Longhorn will have this control without having to hack the registry.
Free MacMini
--
Given enough personal experience, all stereotypes are shallow.
You should pay them partly with shares,
then they would only be stealing from themself
and their coworkers/Coowners.
You definately can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)
#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.
Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.
I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.
Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...
...you can edit the following registry key to change the value of Start from 3 to 4. This will disable the USBSTOR.SYS driver preventing the use of USB filesystems. It will not disable other types of USB devices.
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
I don't see how this would protect them, as copyright protection doesn't imply protection of trade secrets, which is what the submitter is probably concerned about. The only real protection for trade secrets is trusting employees, and an NDA might be appropriate in the employment contract. The key isn't to remove all of the technology from the offices, but to create enough dis-incentives to prevent the employees from wanting to steal.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder ?
You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.
I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.
Deleting the drivers would be good but what about internet access? It might be required to do work since the internet is one of the best tools for research and coding.
There are many things that can be done and it all depends on how far you're willing to go.
The first thing is fire the employee and make it known that this person was FIRED for IP theft. Also prosecuting this person to the full extent of the law will also send a message to other staff.
Send out a memo stating that discovering ANY storage media that has been brought in from outside will result in immediate investigation of what is on the media and can be grounds for termination of employment and prosecution. Having people sign NDAs also help with the theft. These things are intimidation and to show the company is serious with this matter.
Then there is the physical side of things. You might consider getting the computer looked in a box with holes for wires and vent holes. Of course you would want trusted members to have keys to access the box. Also security plates just to cover the USB openings might be a valid option.
There is no 100% protection against this. Even the human brain is a storage device and to proect from that you would have to basically lock the employees in the ofice to do the work and after they're done, kill them.