However, there are serious flaws in the system configuration and the access control.
The first concern should be that an insider might be acquiring the information in question. There are currently members of the sales, engineering, and production that are sharing the files on the LAN. The files should be restricted and only available on a need to know basis. There should only be a limited number of people in the marketing department that have access to the advertising files. This would eliminate unauthorized access to this sensitive information by a member of the production or engineering staff.
If the attack is coming from an outside source, system access needs to be secured and limited. This may be done by the addition of an effective User ID and password system. The system should require regular changing of the passwords and have a mechanism to lockout the user after a limited number of failed attempts to stop a brute force attack. In addition, IP address monitoring should be implemented and users should be restricted to entering the system only from approved IPs. This would prevent off site hackers from gaining access to the system.
To further secure the system, the Web server needs to be properly configured. The web based e-mail system will give unauthorized users a portal that may be exploited if the server has security flaws in it.