The same ingredients that make a company a great place to work can also leave it highly susceptible to data theft by insiders. In a successful engineering design firm, for example, there are employees who are passionate about their projects – some willing to fill their evenings and weekends with work, big projects of sufficient value and interest to warrant intense competition among firms, and powerful tools that relieve tedium and promote creativity and collaboration. The mix is a recipe for a thriving business, but not without the worry that one day an employee or contractor will abscond with valuable intellectual property (IP). Bury + Partners, a leading Austin, Texas-based civil engineering firm, is using DeviceLock software to alleviate that worry.
Competition Gets Less Than Civil
As with many service contracting firms, a civil engineering firm's greatest asset is its ideas; thus IP protection is one of its biggest information security concerns. In its quarter century of growth, Bury + Partners has seen just about every task that formerly involved pencils and drawing boards migrate to computer-aided design and drawing (CADD) workstations. With the rise of digitization and networking, the competition for customers and talent expanded to the national and international level. Civil engineering firms could more easily follow the work by opening offices wherever they won contracts. Bury + Partners itself grew from a company of a few principals in Austin to a firm of more than 350 employees with offices in multiple cities across Texas and in Virginia.
"The success and growth of our business depends on recruiting and retaining talented people. From our civil engineers to CADD designers and field surveying crew, everyone is a vital contributor with specialized skills and knowledge in great demand," explains James Curtis, Bury + Partners Director of IT. "Attempts by competitors to lure away employees and, with them, precious knowledge of customer work is common in this field. This was true in the relative boom times of the last few decades and is likely to be even truer in the leaner times to come. So, we’re happy that we’ve already taken steps like deploying DeviceLock to defend against the leakage of valuable files off our network and onto employees' personal devices."
Burning Valuable IP Along with the Midnight Oil
CADD files for the large-scale surveying, project management, landscape architecture, public works, traffic engineering and mechanical/electrical/plumbing (MEP) projects handled by Bury + Partners tend to be large, some exceeding 300 megabytes of storage. This is due in part to how CADD systems link construction documents. Display of vital information on one drawing file can depend on links to a number of others. The scale and sophistication of the software applications and files make it hard to take work home. At the same time, missing deadlines in the early project planning and engineering phases of a large-scale building and transportation project will have serious budget and schedule repercussions later on. So civil engineers and CADD designers tend to stay at their workstations until the job is done.
"It’s not unusual to see staff at their workstations until 12AM in the morning," comments Curtis. "But even when diligent people are involved, there is a security issue when employees blur the line between home and office."
Curtis recognized such blurring when an ever-increasing number of employees began bringing their iPods and other PC-compatible music players to work. "We understand that listening to music can help employees stay focused and relaxed when drawing throughout the day and late into the night," he comments. "Having the devices is not a problem; but, we have asked our employees not to plug these types of devices into the corporate network. It is feasible that they could be used to upload and download proprietary files. As most of these music devices have been loaded by employees at home, there is really no need to plug them into the local workstation."
Bury + Partners did once have an incident in which an ex-employee had been recruited by a competitor, and subsequently there was some reasonable evidence that IP was taken to share with the new employer. "You can have such suspicions, but it’s difficult to catch someone in the act without the proper system in place, should the need ever arise," observes Curtis.
‘Set It & Forget It’ Leak Prevention
Once Bury + Partners' IT staff recognized the firm's vulnerability to IP data leaks, their reaction was two-fold: first they set and communicated a clear corporate policy related to device use, and then they implemented DeviceLock to monitor activity at the local workstation level to ensure that this policy was being observed.
"Obviously the first line of defense is to make all of the employees aware of our IT security and IP protection policies, drawing clear boundaries for device use. The devices in question include music players, phones, flash drives, etc. Our people are some of the brightest in the industry and a simple understanding of the policies is all that we need 99% of the time. If they have a particular need, they can request approval prior to plugging a device into the network."
Bury + Partners looked at a number of alternative products and approaches before settling on DeviceLock for endpoint data leakage prevention. With about 400 PC workstations requiring coverage, Curtis and his staff wanted a solution that would be relatively easy to implement and maintain at this scale; thus DeviceLock’s tight integration with Active Directory and use of Group Policy Objects gave it a significant edge over competing solutions.
Some of the lower-end products considered were targeted at ‘compliance’ installations; that is, at enterprises that simply wanted to put up a reminding barrier for well-meaning employees to avoid unsanctioned downloading. However, with a fair amount of emphasis on IP data theft, Bury + Partners wanted a way to catch a determined wrongdoer, if the need ever arose. Thus, it was important that the solution cover all open data leakage channels, including print jobs destined for hardcopy output. DeviceLock will control, audit and shadow all local and network printing activity. Even virtual printing is covered, so files cannot be converted to Adobe PDF format for further copy and transfer without being detected by DeviceLock.
"We purchased DeviceLock in April of 2008, and rolled it out to all the workstations in the office in June. Deployment went smoothly due to the integration of the product into Microsoft Active Directory for Windows and the push installation via the DeviceLock admin console. Initially, we are using the software only for monitoring local ports and drives. We haven’t blocked access privileges for any particular category of device or user; but, we do have plans to do so in the future," explains Curtis.
"Engineers involved in a large transportation-related project have been using flash drives to carry their CADD drawings across town for presentation of their work to their collaborators. This may be done for a simple presentation or so the drawing can be opened and edited over the course of the meeting. It’s efficient, so we are likely to issue flash drives to more teams. Then we will use DeviceLock to ensure that only the drives we’ve sanctioned and distributed to select individuals will be able to pull files from or place files on the corporate network," he adds.
Future DeviceLock Plans
Future DeviceLock roll-out plans include deployment to other offices in Texas and Virginia and the integration of the product into survey data collection devices. These portable data collectors are used to transfer field data shot at a project site into the corporate network, thus creating another avenue of risk that must be considered. The ability to set and manage DeviceLock permissions remotely was another advantage to Curtis’ IT team, whose infrastructure is centrally managed from the Austin office location.
"We’re confident that our diversified practice that includes a number of municipal and state clients will see us through this economic downturn. We’re ready should federal, state and city governments launch infrastructure repair and rebuilding projects in the next fiscal year. But, for now, many such projects are on hold and our own operational budget is not expanding. So we don’t have around-the-clock IT staff that can be there at 2AM or in every Bury + Partners office around the country. That’s why a product like DeviceLock that is always on the watch is a good solution for our needs," concludes Curtis.