Enterprise Ban Suggested on Storage Devices Like iPods Until Enforcement Policies Developed

NextSentry has launched a PR campaign suggesting that "Pocket Fraud?" (a term the company has apparently trademarked) is quickly becoming the methodology of choice for employees with legitimate access credentials to download confidential customer data and intellectual property for profit or personal gain. Since the start-up launched in June 2006, NextSentry has seen employees increasingly confident in using traditional removable storage devices like memory sticks and CDs to improperly extract data from the enterprise with tools that fit in their pocket. However, the company now believes that the use of iPods for "Pod Slurping," MP3s, and even digital cameras with massive storage capacities will become the biggest Pocket Fraud assets for internal theft from rogue employees. As a result, NextSentry suggests corporations prohibit employees from using such devices until proper policy enforcement capabilities are in place in order to prevent data leaks.

According to NextSentry, mass storage devices like iPods, MP3s, and memory sticks are finding a place in the enterprise either to make employees happy or to increase productivity. For example, according to an article by Anjali Athavaley in the October 25, 2006 issue of the Wall Street Journal, "National Semiconductor Corp., a chip manufacturer in Santa Clara, Calif., spent $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements. At Capital One Financial Corp., a financial-services company based in McLean, Va., more than 3,000 employees have received iPods since the company began using them in supplementary training classes. Siemens AG unit Siemens Medical Solutions, a health-care supplier based in Malvern, Pa., purchased about 100 iPods for its molecular-imaging group last year for training and sales support."

With the average Word document averaging 25K to 30K, a 20GB iPod could hold more than 750,000 documents, which NextSentry believes should cause alarm for any company concerned about insider threats.

Through its transparent client that runs on the desktops of employees, NextSentry is increasingly catching forms of "Pocket Fraud" conducted by trusted employees who attempt to extract data before they exit the company, to sell for profit, or to simply transfer to personal PCs to work at home. With most employees recognizing that email is often monitored, and almost always recorded, NextSentry more frequently catches trusted employees misusing critical channels like printing, Web, instant messaging and traditional mass storage devices to leak confidential data to the outside world. However, the company believes removable media, especially iPods and MP3s, will quickly become the Pocket Fraud tool of choice.

In addition to proactive policy education, NextSentry believes proper policy enforcement to prevent Pocket Fraud requires monitoring data leak activities taking place on the desktop. This includes being able enforce the wholesale shutdown of unauthorized iPods or removable media in the enterprise or ensuring that those with legitimate business needs only have access to such devices. Enforcing policies for legitimate users requires the ability to understand the context of a user's actions, monitor moving data, and the ability to quickly block and log activity deemed unacceptable according to an organization's security policy.

"Many employees enjoy listening to their iPods at work, but companies can't afford this luxury at the expense of leaking valuable customer data or intellectual property into the hands of criminals or competitors," said Jim Hereford, CEO of NextSentry. "If you don't have proper policy enforcement capabilities in place to monitor the desktop and all removable media, even the CEO who loves their iPod could be stealing millions of dollars worth of data right underneath the chief security officer's nose."

The Insider Threat -- It's Real and It's Serious
According Ernst & Young, "...an insider attack against a large company causes an average of $2.7 million in damages." Yet in the financial services industry for example, "ninety percent of the money spent by banks on vendor-built fraud detection solutions is focused on detecting and mitigating