One of the most devastating experiences any knowledge-based business can undergo is to wake up one morning and discover the precious IP that is at the heart of company’s competitive advantage has been compromised.
This is precisely the experience our founder had a few years ago – and eventually it’s what drove him to establish DigitalEndpoint.
Executive Summary
- IP theft is on the rise.
- The number of backdoors available to employees for smuggling data out of company networks is constantly increasing
- Preventive approaches that rely on restricting access to data, services, or both, are only partially effective, and come with at a cost to performance.
- Employee Monitoring Software provides an elegant solution by ensuring network activity can always be traced to a particular identifiable individual.
The Security Paradox
We normally have excellent protection for our physical assets and the prevalence of cloud-computing has made getting multiple backups for our data a simple commodity. But… Cybercrime is growing at exponential rates and protecting IP from accidental or malicious exposure is an increasingly complex operation
The Cloud = Endless Employee Backdoors
The reason is glaringly obvious – there are simply so many possible “backdoors” by which data can be transferred / smuggled in and out of the network. Many of these avenues are free, and / or have legitimate reason for being available in the workspace. A quick rundown would include:
- Skype, Whatsapp, Line, and other chat and VOIP clients which allow file attachments.
- Gmail, Hotmail, Yahoo and other webmail services are all accessible in any web browser and can all be used to send and receive files.
- Cloud backup services such as Dropbox and Google Drive are literally built to allow for the upload of GIGABYTES of data.
- File transfer services such as Wetransfer, Yousendit etc. pose a similar threat.
- Even seemingly innocuous social networks like Facebook and G+ offer culprits ample opportunity to upload and store files.
- USB flash drives costing as little as $30 now offer storage of 1TB (1,000 Gigabyte) – To put that in perspective that’s enough to hold 220 million pages of text
- etc…
Once you stop to think about it, it’s quickly clear that the possibilities for data breaches are literally endless – and we haven’t even begun considering the damage that can be wrought via explicitly malicious attempts – e.g. hacking / malware / phishing etc. There are multiple strategies businesses employ in an attempt to address these issues. Classic approaches include tactics such as cordoning off data, making access role based, and blocking access to many of the services listed above. These are all effective to a degree and should be considered as part of the organization’s overall response, but they all come at costs that must be evaluated as well.
Cordoning Data
The concept of cordoning off data is simple and sounds very sexy. In our mind’s eye we imagine a facility not dissimilar to the Coca Cola vault, with massive steel doors, 24 hour surveillance, laser beams flashing, and Tom Cruise hanging upside down in an outfit with lots of gadgets attached…
Where Cordoning Fails
The vaulting approach makes perfect sense and looks good on paper, especially if you happen to have Coca-Cola’s budget, but in reality it’s difficult to implement. In most cases the very same data you’d like to seal off, is also critical to the daily operations of your organization. Classic examples being client, prospect, vendor and supplier lists. Are they valuable? SURE! Can you seal them up and prevent employees from accessing them? Not if you want to stay in business… Cordoning data is an approach that’s probably only viable for businesses who, like Coca-Cola, have critical IP that is, or can be patented. Even then there will still be employees that need to access this data – so the risk of a breach is at best merely mitigated. More on that below.
Role Based Access
Knowledge is power Absolute knowledge is absolute power Absolute power corrupts absolutely… This aggregation of adages should serve as a dire warning to any entrepreneur – The risks of allowing everyone in the company to know everything far outstrip whatever benefits they might be perceived to hold. In a previous post we related that 80% of employees will take company data with them upon leaving for a new position – Do you really want your competitors to have ALL your secrets? A policy of flat access hardly makes sense from an operational perspective either – is there any value in your accounting team having access to your lead list? Do sales reps need access to your IP? In most cases it only serves to make it more complicated for each team to find and access the files they DO need for work.
Where Role Based Access Fails
While role based access is pretty effective at ensuring no single employee can run off with ALL your data – it still serves as no protection against employees mishandling the data they CAN access. The above quoted statistic makes it very clear that sadly this is actually the prevalent practice…
Blocking Access
This approach is one we’ve covered extensively before. The methodology is simple – whatever backdoors you’re able to identify – you block. Facebook? Blocked! Gmail? Blocked! Whatsapp? Blocked! You get the picture…
Where Blocking Fails
Again – on paper this looks like an effective solution, but in reality it’s an approach that poses nearly as many problems as it solves:
- Many of the services you’ll consider blocking are also useful and perhaps mission critical communication tools – Skype being a prime example.
- No matter how many sites and services you block, there will always be those you forgot, or simply weren’t aware of – The web is far too big for you to be able to cover ALL the possible backdoors available.
- Blocking is sure to antagonize your employees, bringing down morale and productivity as a result.
- Blocking can usually be circumvented via the use of proxy services. Trust your employees to find a way around your blocks, and share the knowledge with their colleagues.
Cloud Based Employee Monitoring – Approaching Security Personally
There is one more approach to protecting your IP we haven’t yet covered – Cloud based Employee Monitoring. It’s a tactic that relies on a completely different, and far more effective approach to protecting IP – Instead of quixotically trying to limit or block access to the IP and the endless available backdoors, this approach ensures any such access is LOGGED and can be TRACED to whomever was involved. It’s a fundamental truism of human behavior that we all tend to be much better behaved when we know we’re being watched. This approach has massive benefits insofar as it puts the responsibility for employee’s behavior where it belongs – WITH THE EMPLOYEES. It also means that if, god forbid, a breach occurs, all the necessary evidence for identifying and prosecuting the guilty parties is immediately available.
Where Employee Monitoring Shines
It’s an elegant solution that neatly avoids all pitfalls covered previously. Here’s a quick rundown:
“Cordoned data can’t prevent IP theft by employees who have approved access”
With monitoring in place this is no longer a concern since every interaction any employee has with your IP is logged and can be attributed to a single, easily identifiable individual.
“Role based access can’t prevent data breaches by authorized employees”
Here again the logging and easy attribution of all activity in the network to particular individuals serves as a deterrent that prevents “misbehavior”.
“Blocking services has an operational cost and antagonizes employees”
Much wiser than blocking a service is an approach that allows is to be USED, BUT NOT ABUSED. Employees can access all the communication tools and websites needed for their job, and management can rest assured that staff is highly unlikely to abuse this privilege.
Full Transparency = Safety for All
In an environment where cybercrime in all its ugly forms is becoming increasingly lucrative and therefore prevalent, Cloud-based Employee Monitoring Software brings at least one more huge benefit to the table, and this one is sure to appeal to employees at least as much as it does to management. The transparency it brings into the workplace pretty much guarantees employees are no longer at risk of being unjustly accused for a breach they had no part in or control over. If you think this is of little concern – you might want to look up the sordid tale of 17 such false accusations of online pedophilia made by the UK police, five of which only ended after the police conducted searches in the homes of entirely innocent individuals…. What other methods of IP protection do you feel are missing the mark? Let us know in the comments section below!