This hit the news recently. Hilton hired two senior executives from Starwood Hotels. Starwood is now suing Hilton along with the two executives for allegedly using stolen Starwood information to develop a new luxury hotel chain. The executives are accused of stealing more than 100,000 electronic and paper documents containing sensitive information.
I have dealt with very similar circumstances in my work, and it is very challenging. First, it is difficult to define what is personal property and what is company property. While most companies tend to take a stance of "Anything and everything is ours, take nothing with you," many employees considered to be "generally" honest don't believe this passes muster in terms of common sense. A recent study by the Ponemon Institute indicated that 59% of employees leaving companies take confidential information. Personally, I think this is a low percentage. Second, it is difficult to detect electronic and physical theft of property, especially if the theft occurs far in advance of an employee's departure.
The best strategy for a company to diminish this type of risk is to address it in the context of a comprehensive information security strategy. Unfortunately, many companies fall into the trap of wanting a quick return and will look to implement quick fixes. As a result, you see the emergence of the DLP (Data Loss Prevention) market as the latest wave in quick fixes. If a consulting firm or security professional is forced to, or needs to, execute the short-term play, there are ways to wrap longer-term information security strategy into a near-term DLP implementation. In essence, this means pointing to the need for DLP as a symptom of a broader need for an information security strategy, and then incrementally incorporating elements of the long-term strategy as part of the tactical game plan.
Mark Brooks




