How CIOs Can Learn to Catch Insider Crime

Research shows that CIOs rarely discover the internal security threats that can ruin companies, even though it frequently involves IT systems. Here's what needs to change.

Yuan Li knew what she wanted and how to get it. For 32 months, starting in October 2008, the 29-year-old research chemist at Sanofi-Aventis downloaded trade secrets from the pharmaceutical firm. Li had worked for Sanofi, which makes the allergy pill Allegra and sleeping pill Ambien, for more than two years when she started to steal data. Her target: five chemical compounds that the company had kept secret for possible use in future drugs.

She knew which database to query to download the information to her work laptop, and from there she emailed it to a personal account. Sometimes, she loaded a USB flash drive with material. Li, a Chinese national, then put the information up for sale through a pharmaceutical company that she partially owned, whose parent is based in China.

Sanofi helped investigators from the FBI and the U.S. attorney in New Jersey to prosecute Li. In January, she pleaded guilty to theft of trade secrets and is due to be sentenced this month. She faces up to 10 years in jail and a $250,000 fine.

Sanofi declines to be interviewed about the technology and policies it uses to detect and prevent corporate crime, including Li's long-term theft. "The measures we had in place actually contributed to the successful outcome of this particular case, and we are continuously looking for ways to improve security," a spokesman said in an emailed statement.

Experts say this is a textbook example of insider crime and, perhaps, of IT failure. Just as no one knows what goes on inside someone's marriage, outsiders can't say with certainty what goes into someone else's IT strategy. Sanofi could have done everything right and still been victimized. That happens.

But too often in cases of insider crime, basic technology safeguards are ignored or missing. CIOs can't be proud to learn that of 11 methods of detection identified in 1,843 recent fraud cases studied by the Association of Certified Fraud Examiners (ACFE), IT controls came in dead last. They are the least likely means of identifying wrongdoing, responsible for just 0.8 percent of cases, the ACFE says. It's more common to find out by accident (8 percent), from the police (2 percent) or even by confession from the perpetrator (1 percent). Tip-offs are by far the most common way authorities discover corporate crime, at 40 percent. Those findings have been consistent for a decade.

To continue reading this article register now

Download CIO's Roadmap Report: 5G in the Enterprise