The GlaxoSmithKline stolen intellectual property case shows why businesses should be wary of insider threat
Companies can't be too careful when it comes to protecting their data
When US federal prosecutors charged five people, including two research scientists, with stealing trade secrets about drugs to treat cancer and other diseases from British drug giant GlaxoSmithKline (GSK), it brought to light once again the insider threat that companies face.
Just last week, consultancy EY found that the risk of a data breach, or of losing data as a result of an insider threat from a malicious employee, represented the fastest-growing risk to UK companies, and GSK was indeed one of the firms that suffered at the hands of malicious employees.
Two research scientists, Yu Xue and Lucy Xi, who worked at a GSK research facility, e-mailed and downloaded confidential data about a dozen or more company products to their acquaintances, who planned to sell and market the trade secrets through a company they set up in China, dubbed Renopharma.
The indictment includes charges of conspiracy to steal trade secrets, conspiracy to commit wire fraud, conspiracy to commit money laundering, theft of data secrets, and wire fraud.
According to the indictment, Yu Xue and two of her co-conspirators agreed to title the proceeds in the name of Yu Xue's sister, Tian Xue, and other family members.
Jens Puhle, UK managing director at security firm 8MAN, said that the fact that one of those charged with the conspiracy is a senior researcher trusted with access to top secret research demonstrates that organisations cannot be too cautious when it comes to protecting their data.
"We have seen examples in the financial sector where even senior executives require permission from the chairman before using a USB stick on the network, making data theft almost impossible," he said.
"Organisations must ensure that all sensitive data is locked down with strict access rights management controls, and accessible only on a need-to-know basis. With even the most senior employees still posing a potential risk, companies need to have advanced measures in place that will alert them whenever key files are accessed. By sounding the alarm the moment any suspicious behaviour is detected, such as accessing files out of hours or offsite, they can catch thieves before it is too late," he added.