This is the second significant trade-secret theft involving a relatively high-level research scientist to be disclosed by DuPont in the last two and a half years. In February 2007, Gary Min, a former research scientist at DuPont, admitted to stealing proprietary information valued by federal authorities at $400 million. The theft was noticed only after Min announced plans to leave DuPont to join a rival company in the U.K.
Min is currently serving an 18-month sentence in connection with the theft.
The manner in which both Min and Meng were caught suggests that DuPont has a "great exit process" for checking employees on their way out the door, said Michael Maloof, chief technology officer at TriGeo Network Security Inc. What it appears to lack, however, is a similar mechanism for monitoring employees while on the job, he said. While it can be extremely difficult for a company the size of DuPont to keep tabs on every bit of sensitive data on its networks, "common sense" policy enforcement mechanisms -- such as monitoring the use of USB storage devices and access controls -- could have helped cut the risk somewhat, he said.
Such data thefts are becoming increasingly common and highlight the continuing challenges companies face in protecting their corporate assets from insiders with legitimate access to them.
Too often, the focus of security efforts is on satisfying compliance requirements such as those involving the protection of credit card and other financial data, said Phil Neray, vice president of security strategy at Guardium, a vendor of database protection products. "What this reminds us is that many companies have a lot of valuable data that is not covered by compliance" and, therefore, not as well protected, he said.
While such thefts can be hard to stop, security controls are available at multiple layers that can help, he said. For instance, activity monitoring products can help detect suspicious activity such as a high volume of downloads involving sensitive data, or downloads that occur after hours, he said. Similarly, tools can help companies restrict the copying and downloading of certain kinds of data to USB devices, for instance, or to an e-mail account, Neray said.