Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nine Ways to Stop Industrial Espionage

Posted by ryuzaki0 on from the just-unplug-em dept.

An anonymous reader writes "IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt that can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and exposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?" I can't imagine having to be paranoid about employees. That seems to me to be a bigger problem than hardware.

7 of 351 comments (clear)

  1. Encrypting backup (communication and storage) by amanda-backup · · Score: 5, Insightful

    Backed up data is especially vulnerable. In many environments, while lot of work is done on network security, secure management of backup data is not given due concern. Since backup data has sometimes all of the important information at a single place, it is a juicy target for espionage. Data should be encrypted while moving to a backup sever (especially while using a online backup service over the internet) and definitely encrypted while it is stored on the backup media (tape, CDs etc.).

    --
    Amanda: Open Source Backup Software
  2. Your staff are the jewels... by patrixmyth · · Score: 5, Insightful

    A company is worthles without it's employees. Select good people, pay them well and treat them fairly. Next question... How do you remove paranoid executives from positions of power and stop them from inflating operating costs through needless and morale busting authoritarian technology.

    --
    "Don't you know you're going to shock the monkey?"- Peter Gabriel
    1. Re:Your staff are the jewels... by Hoi+Polloi · · Score: 5, Insightful

      I wish there was a way to stop the leadership from looting the company and handing out extravagent severance pay for failed execs, massive bonuses even when the company is struggling, etc. The damage an IT guy can cause pales in comparision to what the CEO and the board can cause.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  3. Narrowminded author by CogDissident · · Score: 5, Insightful
    The author is completely forgetting to mention the sticky note with the root password that half of these companies have on the side of people's monitors because they force a password change every 3-6 months to something arbitrary.
    It also says to completely seperate the outside and inside network, which means that employees have no email, no google, no internet access at all.
    It mentions nothing about compartmentalized access rights to various databases, with a different division of admins having responsability and access to only their systems.

    In fact, all it does talk about is transmission interception (which is much less common than those problems mentioned above), and data security.

  4. Not a technical problem by giminy · · Score: 5, Insightful

    People try to make everything a technical problem, which is really the wrong approach. This ain't something you're gonna fix with fancy access control and slick hardware. No matter what you do (separation of duties, cryptography, trusted operating systems), all you'll succeed in doing is making life more annoying for your regular users, and demonstrate a huge lack of trust of your employees.

    If you really want a solution, it's got to be as much policy as it is technology. I'd start with, oh, making your employees sign an NDA, and making sure they're aware of what is a company secret (most companies like Apple, Sun, IBM, etc, have classifications just like the government, e.g. "Apple Secret", "Sun Top Secret"). Make sure they know what those secrets mean, e.g. "Our documents labelled Top Secret will probably cause us to lose our dominant position in the market if leaked." Then, you implement auditing on your data storage. If your IT guys start reading company business strategy memos off the file server, you probably won't catch them when it happens. But if it becomes obvious that those memos were leaked, you can go back through the audit logs and see if anyone read them that shouldn't have, and act appropriately (though don't just assume that that person leaked the info).

    Bear in mind that the technical part of this 'solution' will probably fail. What you're trying to do is paradoxical. You're saying, "I ultimately trust these guys with the security of all of my information, but I don't completely trust them with the security of all of my information."

    --
    The Right Reverend K. Reid Wightman,
  5. Just to clarify by einhverfr · · Score: 5, Insightful

    Espionage is a real concern. But the solutions in this article are worse than the problem. THe real solutions include:

    1) Mandatory Access Controls (for example SELinux) on systems that hold confidential information.
    2) Data encryption for confidential information using public/private key encryption. AES is NOT an answer here though you can use it for session encryption with Diffie-Hellman, etc. if necessary.
    3) Training and loyalty of employees is critical.
    4) Separation of duties, powers, and responsibilities.

    But I guess this is harder than just throwing technology at such a problem.

    --

    LedgerSMB: Open source Accounting/ERP
  6. Re:Keep them happy? by Aden_Nak · · Score: 5, Insightful

    Well, one way would be to not treat them like crap. Sorry to say, the IT people shoulder the brunt of user frustration. And maybe that's part of the job. But between being bitched at by morons who are probably the cause of the initial problem, being on-call whenever, wherever, and living with the constant fear of contractual replacement (as is the case in many support positions) or just plain old outsourcing. . . look. Businesses don't want to deal with the fact that their employees are people. You can't put that on a quarterly report, and it's not really something that most company policies I've come across takes into account. But the ONLY way you're ever going to keep that sort of information secure is to make sure that your IT people wouldn't even dream of stealing it, tampering with it, or auctioning it off to the highest bidder. You have to make sure they don't want to do that kind of thing. And when you're trying to build loyalty and trust, the carrot goes a lot farther than the stick.