A global supply chain manager for Apple has been arrested as a result of allegedly accepting more than $1 million in bribes and kickbacks. Apple's investigation focused on personal Web-based e-mail accounts on the accused manager's Apple-issued laptop, and provides valuable lessons for enforcing policies and protecting data.
The Wall Street Journal reports that Paul Shin Devine is facing both a federal grand jury indictment and a civil suit from Apple following an investigation that implicates Devine in leaking confidential information to key suppliers, enabling them to negotiate better contracts with Apple. In exchange, according to the indictment, the Apple suppliers made payments to various bank accounts set up in the names of Devine and his wife.
Apple suspected Devine was violating corporate policy and launched an internal investigation that uncovered suspicious e-mails sent from personal Hotmail and Gmail accounts on his company laptop. The e-mails divulged sensitive and confidential information to key Apple suppliers.
Apple deserves some kudos for discovering the alleged improprieties. However, had Apple been more proactive about enforcing corporate policy and monitoring employee communications for sensitive data, Devine's actions could have been detected and prevented much earlier. There are some lessons IT admins and security professionals can learn from the Apple kickback scheme.
Most companies have acceptable use policies in place that govern the use of company-owned computers, networks, and communications, and policies related to protecting sensitive and confidential data. What most companies lack, however, are the tools to monitor or enforce those policies. Unethical employees quickly find ways to exploit the honor system.
One solution would be to implement Windows Rights Management. File and folder permissions are typically the only security measure in place to guard sensitive data. Some employees have access, and some don't. The problem with this approach is that it doesn't restrict or control what authorized employees do with the data once they access it.
Windows Rights Management Service (RMS) provides IT admins with significantly more control over what happens to data once it is accessed. Rights can be configured to restrict whether the data can be modified, printed, or forwarded via e-mail, among other actions--and access can be set to expire. More importantly, the RMS restrictions stay with the file even if it is saved to a USB drive or stored on a user's personal computer.
Companies can implement more comprehensive monitoring using applications like Spector 360 or Spector CNE from SpectorSoft. These tools can capture every e-mail--including Web-based e-mail--online searches, instant messaging chats, keystrokes typed, Web sites visited, applications used, files accessed and more. Monitoring and restrictions can be configured for the company as a whole, or by department, group, or individual users.
Another option would be to use tools like Zgate or Zlock from Zecurion. Zgate monitors e-mail and social networking communications to detect and block attempts--whether intentional or inadvertent--to transmit sensitive or confidential information, and Zlock restricts the use of peripheral devices for storing or transmitting such data.
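To make concrete what a gateway such as Zgate is doing when it "detects and blocks attempts to transmit sensitive or confidential information," here is an added example in Python; it is not code from this article or from Zecurion, SpectorSoft, or Apple. It assumes a monitoring agent hands each outbound message (including Web-based e-mail, as the Spector tools are described as capturing) to the checker, and the corporate domain, the list of personal webmail domains, the classification markers, and the sample messages are all constructed for the illustration. Each message is tagged with findings, and the findings are mapped to an action: block when classified content is leaving the company, alert when a personal webmail account is used from a company machine, and allow otherwise.

```python
import re
from dataclasses import dataclass

# Policy inputs: constructed for this example, not real configuration.
CORPORATE_DOMAIN = "corp.example"
PERSONAL_WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}
# Classification markers a document-labelling policy would stamp on sensitive material.
SENSITIVE_MARKERS = (
    r"\bconfidential\b",
    r"\binternal use only\b",
    r"\bcomponent forecast\b",
    r"\bsupplier pricing\b",
)
MARKER_RE = re.compile("|".join(SENSITIVE_MARKERS), re.IGNORECASE)


@dataclass
class Message:
    """One outbound message as a monitoring agent might report it (hypothetical format)."""
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: tuple = ()  # attachment file names


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def findings_for(msg: Message) -> list:
    """Return policy findings for one message; an empty list means nothing noteworthy."""
    findings = []
    if domain_of(msg.sender) in PERSONAL_WEBMAIL_DOMAINS:
        findings.append("sender:personal-webmail")
    if domain_of(msg.recipient) != CORPORATE_DOMAIN:
        findings.append("recipient:external")
    # Scan subject, body and attachment names for classification markers.
    text = " ".join([msg.subject, msg.body, *msg.attachments])
    for marker in sorted({m.lower() for m in MARKER_RE.findall(text)}):
        findings.append(f"marker:{marker}")
    return findings


def decide(findings: list) -> str:
    """Map findings to an action: block classified data leaving the company,
    alert on personal-webmail use from a company machine, otherwise allow."""
    has_marker = any(f.startswith("marker:") for f in findings)
    leaves_company = "recipient:external" in findings or "sender:personal-webmail" in findings
    if has_marker and leaves_company:
        return "block"
    if "sender:personal-webmail" in findings:
        return "alert"
    return "allow"


def scan(messages) -> list:
    """Evaluate every message and return (subject, action, findings) triples."""
    results = []
    for msg in messages:
        findings = findings_for(msg)
        results.append((msg.subject, decide(findings), findings))
    return results


# Constructed sample traffic: an internal forecast, a harmless external note,
# classified pricing sent from webmail to a supplier, and a private webmail message.
SAMPLE_MESSAGES = [
    Message("buyer@corp.example", "colleague@corp.example", "Q3 component forecast",
            "Attached, internal use only.", ("forecast_q3.xlsx",)),
    Message("buyer@corp.example", "sales@supplier.example", "Meeting time",
            "See you Tuesday at 10."),
    Message("someone@hotmail.com", "sales@supplier.example", "fyi",
            "Confidential: competitor's supplier pricing attached.", ("pricing.pdf",)),
    Message("someone@gmail.com", "friend@gmail.com", "lunch?", "Thai place at noon?"),
]

if __name__ == "__main__":
    for subject, action, findings in scan(SAMPLE_MESSAGES):
        print(f"{action:5}  {subject!r:28} {findings}")
```

Note that the first message is allowed even though it carries classification markers, because both ends are inside the company; the policy only fires when marked content crosses the boundary. That is the distinction a DLP gateway draws, and it is why such a tool complements rather than replaces the file permissions described above.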
With Windows Rights Management in place, Devine might have been prevented from forwarding protected information via e-mail. Tools like Zgate or Zlock would have kept Devine from saving sensitive information to a USB thumb drive or printing hard copies, and would have blocked attempts to communicate it via e-mail or social networks. Software such as Spector 360 would have captured every detail of Devine's actions--allowing Apple to thwart the alleged unethical behavior much sooner, and giving it the tools to quickly and easily conduct an extensive investigation at the push of a button.
Implementing tools to automate monitoring and proactively protect corporate data does not necessarily mean that the company has to act as Big Brother or spy on every action of employees. Having such applications in place, though, gives IT admins access to the details if needed, and provides the tools to quickly detect and identify suspicious behavior before it becomes a federal case over $1 million in kickbacks.