How can I prevent data theft from a company? [closed]

The only solution that works: happy employees and trust.

The other stuff you have in mind is the same as DRM (digital rights management), and that is doomed to fail.

If your employees have to work on a file, then they can copy the content.


The problem of data loss prevention (DLP) is one of the most difficult to solve in information security. As we saw with the Wikileaks After-Action Report disclosure, even organizations with a strong will for security, non-disclosure agreements, a non-Internet-connected network, and employees with security clearances have unauthorized disclosures.

I mention that to make the point that this is a battle, one you're not likely to win 100%. That being said, here are some steps you can take.

First and foremost, follow the principle of least privilege. If HR doesn't need access to your manufacturing data, don't give it to them. Only allow as much access as is necessary for that person/group to get their job done. There is expensive software that can scan all outgoing Internet traffic at a company, including SSL. You can disable USB disk drives by disabling the USB Mass Storage Class driver in your operating systems (there is a free way to do this using Windows Active Directory). You can install outgoing email quarantine software. You can disable CD writers.

You mention encryption. That is a good idea for general DLP, but not for the specific threat you present. Encryption does not prevent copying by people authorized to view the information. Even if you did encrypt the data in your important files, which you classify as .doc or .xls, nothing stops them from exporting the data in another format like .odt. Plus, if someone can view the file, nothing stops them from taking a screenshot or using their camera phone to take a picture of the data.

The best bet in a small company is to follow the principle of least privilege, take inexpensive steps to prevent USB leakage, create loyalty in your employees, maintain good morale, and have a strong non-disclosure agreement signed by everyone in the company.
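
One way to check that the USB storage lockdown mentioned in the answer above is actually in place on a Windows machine, as an added example that is not part of the original answer. It assumes the driver is disabled through the `USBSTOR` service's `Start` value (4 = disabled) and, optionally, the Group Policy setting "All Removable Storage classes: Deny all access"; the function name and the `-Enforce` switch are hypothetical.

```powershell
# Added example (not from the original answer): audit, and optionally enforce,
# the USB mass-storage lockdown on the local machine. Run elevated.
param([switch]$Enforce)

# Assumption: driver disabled via the USBSTOR service Start value (3 = on demand, 4 = disabled).
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Assumption: registry location written by the "All Removable Storage classes: Deny all access" policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageState {
    # Missing keys or values come back as $null rather than throwing.
    $start   = (Get-ItemProperty -Path $svcKey    -Name Start    -ErrorAction SilentlyContinue).Start
    $denyAll = (Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start              # $null means the driver key is absent
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($denyAll -eq 1)
        Compliant      = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

$state = Get-UsbStorageState

if (-not $state.Compliant -and $Enforce) {
    if (Test-Path $svcKey) {
        # Disable the driver; this is a setting, not a guarantee, so keep auditing it.
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
        $state = Get-UsbStorageState
    } else {
        Write-Warning "USBSTOR service key not found; nothing to disable on $($state.Computer)."
    }
}

$state
if (-not $state.Compliant) {
    Write-Warning "USB mass storage is not locked down on $($state.Computer)."
}
```

A local administrator can set the value back, so a check like this belongs in a recurring audit rather than a one-time rollout.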


Etam: This problem has existed for ages -- ever since guilds were invented in Europe. The modern solution is to write an Employee Handbook, know it well, and ask the employees to sign off that they have read it. Intellectual property and security should just be one chapter in the handbook.

You will find that a) the Handbook limits bad behavior in a plethora of areas; and b) the handbook can be a useful tool to measure the overall quality/compliance of an employee's work.

As one of the commentators mentioned, building trust is also essential. Trust comes from 1) knowing the kind of people you hire; 2) fully explaining to them the expectations of the job (and not just entirely making it up as you go). Think of the Employee Handbook as the list of 12-20 rules that appear at most public pools (at least here in the U.S.). It will contribute greatly to the order of your office, without resorting to a bunch of yelling and tears.

Oh, and if it comes down to one bad apple, I recommend you secure competent legal advice and sue anyone who breaches your security under contract law and applicable intellectual property statutes. Speak softly and carry a big stick.