Johnson and his colleagues found lots of supposedly confidential information floating freely out on the Web, including job performance reviews and a bank's spreadsheet containing 23,000 business accounts including their contact names and addresses, account numbers, company positions, and relationship managers at the bank. He even found the results of a "confidential" security audit that a company had commissioned. Whoops.
One of the most effective ways to prevent business information from being leaked through peer-to-peer networks is to understand how these services are used. "Security people say they've blocked ports inside their firewalls so that users can't connect into peer-to-peer networks," Johnson says. "That's fine until those employees take their laptops home at night or go to a Starbucks and connect to a peer-to-peer network."
There are ways of tracking whether corporate data has been leaked onto peer-to-peer networks. Security pros can set up their own accounts on the most popular peer-to-peer networks, which include Gnutella, FastTrack, and eDonkey, and search to see if any information being offered resembles their proprietary data or intellectual property.
"Create a digital footprint for your company," Johnson says. Keep track of all searchable keywords that would lead a Web surfer to your company, including firm names, abbreviations, ticker symbols, brand names, subsidiaries, etc., and use those terms to search the peer-to-peer networks.
The idea for the Dartmouth study came from Homeland Security Department-sponsored work Johnson and his colleagues had been doing in studying international cyberattacks on U.S.-based targets. As the Internet increasingly becomes a part of the country's critical infrastructure, like telephone networks or power grids, Homeland Security wants businesses to protect themselves from cyberthreats.