Apple has a serious security problem and it has virtually nothing to do with the platform it sells. The source: its intellectual property. And in that vein, it appears to have a lot in common with healthcare organizations, financial institutions, and government entities.
We will start by covering the nature of Apple's problem and why its litigation response has largely been unsuccessful and then cover a new product from Israel we just stumbled across, which appears to address this information leakage exposure better than anything else we have seen to date.
Apple's shared security problem
Most companies have intellectual property leakage, and much of it is traced to employees. Unfortunately, we estimate something like 80 percent goes undiscovered, and of the 20 percent that is discovered, less than a fourth is ever reported outside of the organization. This suggests that there is a lot more theft going on than we actually know about.
We are focusing on Apple because of what Apple is: both its own practices and much of what is stolen from the company are unique. What makes Apple information so attractive is that Apple stands alone in avoiding roadmaps for future products and pre-briefings of analysts and press under NDAs, while hinting at big things to drive up demand for the information before it arrives.
In effect, they create a feeding frenzy, which drives up the media value of the information, and then provide no legitimate ways to get at it. It's worth noting that this mirrors tactics used by the movie and music industries, which in part has contributed to the piracy problem both sectors face.
Faced with a leakage problem earlier this year, Apple sued some blog sites in an attempt to find out who had squealed. But the court ruled such information is protected to ensure freedom of the press; in parallel, traditional media organizations felt they had no choice but to come to the defense of their new media brothers. This added to the problem because the blog sites that were taken to court, basically Apple fan sites, feel a bit differently about the company now and are likely to be more critical of Apple as a result of being attacked.
Visible or not, this problem is shared by many, and the leaks aren't just to the media; they're often to competitors who gain an illegal competitive advantage as a result. The Apple case shows that not only is litigation ineffective, it may actually make the problem worse.
This happened to me back when I was still working for IBM. I had created a highly classified document that finely detailed the many competitive weaknesses of our own products. Unfortunately, this document found its way into the hands of a competitor, which then provided it to our largest California customer, Kaiser, as part of its own sales pitch. Nothing can be more damaging than a report sourced from a company that actually says the competing company's products are better. The senior VP of sales wanted me fired on the spot.
Fortunately for me, I also had security responsibility for my division and had instituted a rudimentary form of watermarking. So I was able to trace the document to the SVP's own organization and then to the person who actually leaked it. It turned out that the document had been given to a departing employee, with full knowledge that she was going to a competitor, via one of the SVP's direct reports. The SVP left IBM shortly thereafter for a job at the competitor and his "new" responsibility was for competitively displacing our equipment. He probably had been an inside corporate spy for much of the time he worked for IBM.
However, because I was prepared, my job was secure and the leak was eliminated. And being prepared isn't just the Boy Scout motto; it should be the motto for everyone in the security business.
I was lucky that I had instituted a watermarking process, but that only worked because I was actually able to get my hands on the leaked document itself, something that isn't very usual. The goal in attempting to stop employee leaks is to both stop the leak and to flag the attempt so anyone inside the company trying to do this can be caught before they are successful rather than after the fact. (If they are blocked, you certainly don't want them to have unlimited time to find a way to circumvent the obstacle.)
Ounce of prevention
The before part is important, because once the information's out, in most cases no amount of punishment will mitigate the damage done.
To contain the problem, you now have to prevent and tag attempts at printing, screen grabs, and cut and paste, as well as copying to USB drives, handheld computer syncs, iPods, and portable hard drives.
You could turn off the ports, but there are often legitimate reasons to use some of these devices, and this doesn't capture all attempts. All the thief has to do is find a computer that is on the network where the ports aren't turned off, or find a way to turn his or hers on, and you are compromised.
There are gateway products as well that provide some granularity, but they generally don't track attempts and often aren't effective with laptops or remote users, can't protect against many external physical devices, don't address the problems of screen captures or cut and paste, and often have problems if the data is encrypted.
I take several briefings a day to stay up to date with new companies. Onigma, a firm out of Israel, where a great deal of the innovation in the security industry is now sourced, had the most comprehensive solution I have yet seen to this problem.
They are relatively small but were able to name several multinational companies as clients; however, I did not confirm these client relationships, so if you engage them, you should do your own due diligence (good advice in any circumstance).
On paper, their product does everything I was looking for and have outlined so far. For those who really need to contain sensitive information and are worried about employee leaks, Onigma may provide what you need to sleep well. Given Apple's need, it is ironic the solution only runs on Windows for now.