Well, one of our users did the unforgivable today and tried to email corporate data out of the network to a third party.
We picked this up, no problems and he now has his own problem - unemployment.
The higher-ups were happy that our existing systems and procedures caught this, but I've pointed out to them that there is still a gaping hole in our set-up (which I constantly remind them of, but they've never wanted to do anything about it until now).
At their insistence, everyone is allowed to use web-based email systems outside of working hours/lunchtime.
As it stands, there's nothing stopping someone attaching a file from one of the network shares and emailing it that way - and we'd never know.
Fair enough, I can block access to webmail, but I'd rather not. I could log all file access and look for things that seem suspicious, but that seems like overkill.
My suggestion is that we have a number of dedicated PCs that have Internet access (we've got some spare) that are totally separated from the other network resources (whether VLAN or completely different subnet) and people can happily use them.
This is a no-cost, no-brainer as far as I can see. We already restrict use of USB drives/CD/DVD so it's easy enough to ensure that no-one can copy a file to removable media and take it to one of those PCs.
Any other thoughts/approaches worth considering?