Based in St. Louis, Missouri, The Doe Run Company (Doe Run) is a natural resource company focused on metals mining, smelting, recycling, and fabrication. Its mills employ state-of-the-art automation to maximize the recovery of metals from ore, and the company’s recycling facility is the most technologically advanced, environmentally sound, and safest of its kind in the world.
Protecting intellectual property was a growing concern
Doe Run executives routinely travel abroad with valuable intellectual property (IP) on their laptops. This IP might include product documentation, proprietary research documents, patents, and formularies, as well as many other types of business-critical information with a total value in the billions of dollars.
To address potential security issues, the company launched an extensive effort to protect its intellectual property. During the project’s assessment phase, the data risks of mobile computing were high on the list of priorities, but a variety of additional security risks were also identified.
Doe Run information security officer Craig Williams explains, “You name it. Open text emails were going outside the firewall. We had unencrypted proprietary information copied to USB keys or carried on 25 laptops all over the world. We had 30 contractors with open data access. There were no network access controls for certain people. Information was stored everywhere on 12 file servers. It was a nightmare.”
Step one — policy creation. Step two — risk mitigation
Williams also discovered that Doe Run didn’t have intellectual property policies in place. There wasn’t an IP standard to which employees and contractors could be held accountable.
“I wrote a policy for intellectual property and project-specific intellectual property, which I distributed to my team and the team responsible for contractors,” Williams says. “That was necessary and it was fine as far as it went. It protected the company legally, but it didn’t stop people from doing the things that put IP at risk.”
To address that risk, he started looking into data loss and data leakage prevention products. After a thorough evaluation of the market, he chose McAfee Total Protection (ToPS) for Data, which includes McAfee Host Data Loss Prevention and McAfee Endpoint Encryption integrated with McAfee ePolicy Orchestrator (ePO) 4.0.
“It’s exactly what we needed,” Williams comments. “It has excellent monitoring, policy configuration, and data transfer blocking — plus encryption — which is really important for our mobile users. And we can manage it through McAfee ePO 4.0.”
"We are using McAfee to prevent instead of react. I don’t want to spend millions responding to a breach. I’d rather spend our resources preventing one."Craig Williams
Information Security Officer, The Doe Run Company
Top-secret information on the loose
Many companies are propelled to take data security more seriously due to a disaster or near-disaster. Doe Run, fortunately, was in the latter category.
“Through our intrusion detection system, we discovered a member of the IP project team sending very, very confidential information via unencrypted email across the Internet,” Williams remarks. “That was a wake-up call. We realized we needed a more comprehensive security approach than an IDS could provide. So, we began looking at DLP solutions.”
Now, with ToPS for Data, the company can block that kind of data leakage automatically. In fact, all the McAfee capabilities fit the Doe Run prevention strategy.
“We are using McAfee to prevent instead of react,” Williams affirms. “I don’t want to spend millions responding to a breach. I’d rather spend our resources preventing one.”
In spite of the security and coverage McAfee affords, Williams continues to scour the Internet on a monthly basis, using keyword searches within message boards and underground forums to uncover anything to do with Doe Run’s intellectual property project.
“The stakes are so high,” Williams explains. “If anything proprietary does mistakenly get out, there could be serious competitive consequences.”
Moreover, industry research bears Williams out. More than 75 percent of Fortune 1000 companies have fallen victim to accidental or malicious data leakage. In 2007, the average cost of those breaches was $6.3 million. (Ponemon Institute’s 2007 Cost of a Data Breach study)
McAfee ePO centralizes DLP management
Prior to deploying McAfee ToPS for Data, Williams oversaw the upgrade to McAfee ePO 4.0, which went without a hitch — as many ePO customers are discovering.
“It was the smoothest thing that I think I’ve seen happen in our company,” says Williams. “Literally zero downtime. It was a reboot. That’s how easy it was.”
With the ePO management console, Doe Run administrators can access centralized policies and event monitoring, manage data protection for the host and gateway, and deploy and update agents. And the 4.0 interface is drawing raves.
“We love the new 4.0 interface,” Williams exclaims. “It’s incredible. I can pull up one page with nine reports that show me all the things I need to see.”
Data security as a vision
Williams was recently a guest at the McAfee Strategic Executive Security Summit. He found that the McAfee vision and approach to data security were very compatible with his own.
“The Executive Summit meeting with Dave [CEO Dave DeWalt] and the entire McAfee executive team gave me a whole new perspective on the company,” comments Williams. “I want to evolve to much more centralized data management going forward. I want to buy from a company like McAfee that tries to look at the 50,000-foot view instead of the 9,000-foot view.”