That seemed suspicious enough, but the real payoff came from the way network DLP and endpoint DLP complement each other. The same IT engineer had been flagged by our network DLP, which sent an alert about him based on the "I'm leaving" rule, which instructs the system to look for any communications suggesting that someone is planning to leave the company. We wouldn't have paid attention to that notification if the endpoint DLP hadn't also alerted us to the fact that he was copying data. We talked to the engineer, he gave us the USB drive, and HR reminded him of the confidentiality agreement he had signed.
Naturally, we highlighted the case of the departing IT engineer in building our business case for a global deployment of endpoint DLP early next year.
If we get the green light, we'll do a lot of tuning to reduce the number of false positives and to make sure we don't monitor personal activity involving things such as finances and healthcare. But it looks like we're going to have our eyes opened again, this time by endpoint DLP.