Protecting information from insiders: although organizations are making strides in protecting their sensitive information from outside threats, reports show they often are failing to protect it from the much greater threats posed by their own employees.

Author: Swartz, Nikki
Position: ON THE EDGE: The Use & Misuse of Information

In recent months, insider data theft stories have been grabbing headlines from tales of stolen laptops. Despite the growing risk, however, many businesses--even the biggest and most well known--are not properly protecting their sensitive information from inside threats.

For example, a federal jury recently convicted a former Coca-Cola secretary of conspiring to steal trade secrets from the world's biggest beverage maker in an effort to sell them to competitor PepsiCo. Joya Williams faces up to 10 years in prison, pending sentencing.

In February, Computerworld.com reported that a cell development technologist at Duracell Corp. admitted to stealing research related to the company's AA batteries. He e-mailed the information to his home computer and then forwarded it to two Duracell rivals.

In another case, a former DuPont scientist walked away with more than $400 million worth of trade secrets after being hired by a rival company. Gary Min, who had worked at DuPont for 10 years, pleaded guilty in November to stealing proprietary data from DuPont by illegally downloading or accessing thousands of documents stored in an electronic library. He faces a maximum of 10 years in prison and a fine of up to $250,000.

Experts say too many firms are still relying on the old security model that advocated protecting information assets from the outside in through firewalls, intrusion detection systems, and other defenses. But those methods will not protect companies from insider threats.

"Frankly, we all have to actively stop thinking of insider vs. outsider" and improve access controls for all users, Matt Kesner, chief technology officer at California law firm Fenwick & West LLP, told Computerweek.com. "It means looking at each and every person and machine as an island and deciding what rights and access each person and machine needs or doesn't need."

Paying closer attention to access rates would have provided DuPont a clear warning about the jeopardy of its intellectual property. According to court data, Min downloaded about 22,000 document abstracts from DuPont's Electronic Data Library server and accessed another 16,700 full-text PDF files. The documents related to DuPont's major products and technologies, including some that were in the research and development stage. Min illegally downloaded and accessed more than 15 times as many documents as the next-highest user of the DuPont database, according to Computerworld.com. Still, he wasn't caught until after he left the company.
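
The access-rate check this paragraph argues for, as an added example (not from the article or from DuPont): it counts distinct documents per user from a constructed access log and flags anyone far above the peer median, also reporting the multiple of the next-highest user. The log format, action names, user IDs and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

TRACKED = {"VIEW_ABSTRACT", "DOWNLOAD_PDF"}  # assumed action names

def build_sample_log():
    """Constructed sample (not real data): four typical users, one heavy user."""
    volumes = {"u1": 12, "u2": 20, "u3": 8, "u4": 30, "u5": 480}
    lines = []
    for user, n in volumes.items():
        for i in range(n):
            action = "DOWNLOAD_PDF" if i % 2 else "VIEW_ABSTRACT"
            lines.append(f"2024-01-15T09:00:00Z {user} {action} DOC-{i:05d}")
    # A repeat view of the same document must not inflate u1's count.
    lines.append("2024-01-15T09:05:00Z u1 VIEW_ABSTRACT DOC-00000")
    return lines

def access_counts(lines):
    """Count distinct documents per user from 'timestamp user action doc_id' lines."""
    docs = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, user, action, doc_id = parts
        if action in TRACKED:
            docs[user].add(doc_id)
    return {user: len(seen) for user, seen in docs.items()}

def flag_outliers(counts, ratio_threshold=5.0, min_docs=50):
    """Flag users at or above ratio_threshold times the median of the other users."""
    alerts = []
    for user, n in counts.items():
        # Exclude the user from their own baseline so a heavy user cannot mask themselves.
        peers = [c for u, c in counts.items() if u != user]
        if not peers or n < min_docs:
            continue
        ratio = n / max(statistics.median(peers), 1)
        if ratio >= ratio_threshold:
            alerts.append({
                "user": user,
                "docs": n,
                "x_peer_median": round(ratio, 1),
                "x_next_highest": round(n / max(max(peers), 1), 1),
            })
    return sorted(alerts, key=lambda a: -a["docs"])

if __name__ == "__main__":
    for alert in flag_outliers(access_counts(build_sample_log())):
        print(alert)
```

Run per time window (for example, weekly) and per peer group, since a single global baseline will flag roles that legitimately read far more than others.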

Upon Min's resignation, an internal investigation exposed his activities, which DuPont then reported to the FBI and the U.S. Department of Commerce. Meanwhile, he was brazen enough to upload another 180 DuPont documents onto a laptop--owned by Victrex PLC, the England-based company he left DuPont to join--a full month after he had left DuPont. DuPont contacted Victrex officials, who seized Min's laptop and turned it over to...
