The most secure and impenetrable defences are useless if they only cover a portion of what needs to be protected. This is the situation most South African companies find themselves in, as they have not realised that protecting corporate knowledge has more to do with people than it does with guards and technology.
Knowledge security is an established concept internationally that deals with the processes involved in securing corporate knowledge, a term that incorporates trade secrets, intellectual property, business processes and intellectual capital.
Far from the traditional mechanisms that see vendors recommending a specific product for a specific function, knowledge security focuses on the biggest threat any corporation faces: people stealing information critical to the company's operations.
"As the world globalises, markets are shrinking because of the increased competition," says Amir Lubashevsky, director of Magix Integration. "And as competition increases, it is becoming accepted practice to try to gain an advantage over competitors by stealing their corporate knowledge."
Knowledge theft can be executed via a number of mechanisms; the most common is through the target company's own employees. Using social engineering techniques or simple bribery, employees in key positions can be persuaded to pass on company information to criminals and, in most cases, they can do so without fear of detection.
"Middle management is generally an easy target as these people are tasked with making the company work and have access to almost any information they want, whether it is directly related to their jobs or not," explains Lubashevsky. "Database administrators (DBA) are also great targets, especially disillusioned ones, as they can generally do anything with any information and hide the evidence."
Using traditional security technologies to prevent this is useless as they focus on securing data and not monitoring the actions of people. Even those systems that do monitor activities have difficulty in distinguishing between the valid use of corporate information and criminal intent.
"The best solution in these instances is to use non-invasive monitoring systems, along with a common-sense security policy," notes Lubashevsky. "This policy should stipulate the segregation of duties between various individuals, along with the allocation of access rights to only the information each person needs. Granting global access to data "in case" someone needs it is no longer permissible."
He adds that ensuring all knowledge security policies and processes are documented, independently verified and regularly updated is also important to keeping the company's information treasures secure. These steps may require a tweak to the budget, but they are necessary.
"We all want to trust our employees and think the best of them," concludes Lubashevsky, "however there is always that 10% who have no scruples in selling the company's and the other staff's future to the highest bidder. Moreover, there are very good social engineers out there who can con even the most loyal employee into parting with critical information.
"The only way to establish knowledge security is therefore to accept that fraud happens and take the appropriate steps to prevent it. Honest employees won't even know they don't have access to information they don't need and the dishonest won't be inclined to expose themselves by complaining."