DuPont breach lessons: Five ways to stop data leaks

In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he more than 15 times as many documents as the next-highest user of the system. But he wasn't caught until after he left the company for a rival firm.

Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. Earlier in February, a cell development technologist at battery maker Duracell Corp. admitted to stealing research related to the company's AA batteries, e-mailing the information to his home computer, and then sending it to two Duracell rivals.

Dealing with such issues can be challenging, especially in large corporations, said Tom Bowers, former manager of information security operations for the global security division of Wyeth Pharmaceuticals.

"I am not at all surprised" about what happened at DuPont, said Bowers, who is now managing director at Security Constructs LLC, a Fleetwood, Pa.-based consultancy. "When you have a huge multinational like that, your security department is never really going to fully have any realistic idea of where or how the information is flowing," he said.

But there are ways to mitigate some of the risks and help companies better track what's going inside the firewall, according to security analysts. Experts advise taking the following steps:

- Get a handle on the data. It's impossible to put controls on sensitive and proprietary information on your network if you don't even know where that data is. An organization's sensitive data is widely distributed throughout its corporate network, according to Eric Ogren, an analyst at Enterprise Strategy Group in Milford, Mass. Important data resides not just in databases but in e-mail messages, on individual PCs and as data objects in Web portals. Sensitive information also comes in many forms, including credit card numbers and Social Security numbers. And trade secrets can be found in many types of documents and files, such as customer contracts and agreements and product development specifications, Ogren said.