If you think that your organisation takes data security seriously, perhaps the story of Sergey Aleynikov, ex-employee of Goldman Sachs, might serve as a cautionary tale.
Goldman recently posted record quarterly profits, no small feat in the middle of a serious economic downturn, and is set to pay out millions in bonus payments to staff. You would not blame it then, for taking data security very seriously indeed. Sergey Aleynikov is a computer programmer and former Vice President at Goldman. After being arrested by the FBI he was charged with stealing software which gives Goldman Sachs a competitive advantage in the stock trading markets. It is alleged that after taking a better paid job with another company Aleynikov copied and encrypted parts of the Goldman Sachs proprietary software which is used to automatically buy and sell stocks. Aleynikov allegedly then uploaded the code to an external server, and attempted – but failed – to hide his actions by erasing the history of what he had done on Goldman Sachs computers. Fortunately for Goldman, they have systems in place to alert them to suspicious employee activity and the transfer of large files alerted system administrators. There are many other companies that suffer this kind of theft and do not even know about it.
This case raises many interesting aspects of corporate data security, regardless of the outcome of the court case in progress between Goldman and Aleynikov. If nothing else, it perfectly highlights that employees trusted with access to confidential corporate data can abuse that trust, and that an organisation without the policies and systems in place to monitor employee actions can unknowingly lose sensitive data. In many cases that data will not be proprietary software code, but is more likely to include customer details, future business plans, research and development information and the like.
Even if an organisation does have systems in place to detect intellectual property theft or employee fraud, data that is crucial to the continuing functioning of a business could be lost in the event of a fire, burglary, or a common-or-garden server crash. A disaster recovery plan is essential for any organisation that keeps company data on a hard drive (so, that would be every company, then!). In the case of Goldman Sachs, it is fair to assume that the software that contributes to a multi-billion dollar profit in a single quarter is not simply saved onto a computer without being backed up on a daily basis. More than that, it is likely that Goldman can track changes to the lines of code in the software so that it is possible to monitor who made what changes to the software and when.
A disaster recovery plan is a part of a larger business continuity plan, and your disaster recovery plan should include measures to prevent, detect and correct unwanted events. Taking a regular backup of your data and software could save your business from serious loss, especially if you run a small organisation which could be disproportionately affected by the failure or loss of a computer upon which you might store all of your accounting data, or all of the work for your clients.
Finally, it is worth noting that the software that Goldman alleges was stolen was the result of years of development. Software development might be the preserve of coding geeks; however, the software itself is merely the silicon incarnation of a thought process which began in the mind of somebody within the Goldman business. Perhaps a Goldman Sachs trader with no knowledge of software had the idea which was then converted into code. A good business idea, such as automating stock market trades based on real-time data, can mean the difference between boom or bust for a company. Who is having those kinds of ideas in your company, and how are you acting on them?