“Maybe money can’t buy happiness, but it can buy you an advantage.”
An organisation with good security practices has a good chance of detecting and preventing unauthorised access to company systems and data by an outsider (non-employee).
However, the thief who is harder to detect and who could cause the most damage is the insider: the employee with legitimate access, the trusted user. That insider may steal solely for personal gain, taking company information or products to benefit themselves, another organisation or a country.
Here are a couple of examples:
- Cisco Systems Inc. sued three former senior employees whom it accused of stealing thousands of files containing confidential information when they defected to a competitor.
- Months before, one of the former employees downloaded more than 3,000 internal documents containing trade secrets, including information about the company’s contributions to 5G technology and its design specification for a video-conferencing prototype.
- Together with two other colleagues, they joined an unidentified company that competes in the IP telephony, headset, video and collaboration
- Phillips 66 Research filed a complaint with the US Department of Justice; the value of the technology that was stolen was greater than $1 billion.
- A former materials scientist for Phillips 66 Research said that he was returning to China for a few weeks to care for his parents.
- The FBI investigators allege that the former employee stole the documents to take with him to China, where he had lined up his next “opportunity.” According to the FBI, he was offered the position of Energy New Material Engineering Center Director in Xiamen, contingent upon his “guarantee that the information is provided and is of value.”
- The ex-employee was arrested when a subsequent search of his residence uncovered a thumb drive containing the Phillips 66 files.
In the above two cases, both organisations failed to put appropriate protection in place for their critical assets against their insiders.
As we know, the impact of IP theft can be devastating. Imagine this: what would befall your organisation if a contractor whose contract ended took the source code of your key application with him, or a salesperson took your key strategic plans with them to start a new competing company? Worst of all, what if one of your employees gave your intellectual property to a foreign organisation or a government? Once IP leaves your organisation, it is extremely difficult and often impossible to get it back.
For example, the cost of data theft and industrial espionage to German companies is valued at $229.1 billion (€205.7 billion) over the past two years, according to the Federation of German Industries.
How do we then define insider IP theft? According to the Insider Threat Division of CERT, Insider Theft of Intellectual Property is an insider's use of IT to steal proprietary information from the organisation.
Intellectual Property: Intangible assets created and owned by an organisation that are critical to achieving its mission.
Types of IP stolen
- Proprietary software/source code
- Business plans, proposals, strategic plans
- Customer information
- Product information (designs, formulas, schematics)
What was the primary reason that insiders stole IP?
Very few insiders steal intellectual property to sell it. Instead, they steal it for business advantage – either to take it with them to a new job, to start their own competing business or to take it with them to a foreign government or organisation.
At the 2019 Black Hat USA conference, Gurucul found that 24% of respondents admitted that they would take company information to help them apply for a more senior role at a competitor. Further, 27% of those who said they look for another job while at work would also take company data to apply for another job.
Insiders have an advantage over external hackers/intruders. Insiders have authorised access to facilities and information. They have knowledge of the organisation's systems and processes and know the location of critical or valuable assets. Insiders know when and where to attack and how to cover their tracks.
Interestingly, 75% of insiders steal information to which they already have authorised access, and they usually steal it at work during business hours. The difficulty for the victim organisation is detecting the theft as the information is being copied or removed from the organisation. In other words, the window of opportunity can be quite small.
What can you do?
To prevent your intellectual property from walking out the door, consider the following set of recommendations.
- Review employment contract
- Employees do bring information with them and possibly competitive and stolen data from their previous employer. Be aware that your organisation may be liable for the theft. As part of your IP agreement that you make new employees sign, include a statement attesting to the fact that they have not brought in any IP from any previous employer.
- It is inevitable that many of your employees will move to other businesses at some point in time. As soon as a person turns in their resignation, you need to be prepared to act. Identify what information they are accessing. Identify movement of that information 30 days prior to resignation and 30 days post-resignation.
- Establish consistent exit procedures, which should include: access termination procedures; asking departing employees to sign a new IP agreement that reminds them of the contents of the IP agreement as they walk out of the door; and a review of your termination policies and processes.
- Periodically review and adjust your access controls. Many insiders, at the time of stealing information, had access above and beyond what their job description required.
- Monitor anomalous user activity.
- Monitoring online and social media actions. These sites allow employees to easily share information about themselves as well as organisation details. Establish a social media policy that defines the acceptable use of social media and information that should not be discussed online.
- Monitoring of data movement such as unusually large attachments; printing, copying or downloading of certain information;
- Tracking of all documents copied to removable media;
- Preventing or detecting emails to competitors
- Consider targeted monitoring strategy for employees and contractors when they give notice of their exit.
- Pay careful attention to the proper use of their personal email.
- Develop real-time alerting for when a user's online activities breach policy and place the organisation at risk.
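As a sketch of how the monitoring recommendations above can be combined into one triage rule, the following added example (not part of the original article) scores constructed data-movement events against the 30-day resignation window, removable-media copies, large attachments and competitor or personal email destinations. The field names, the 10 MB threshold and the example domains are assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumptions for this example (none come from the article): field names,
# the 10 MB attachment threshold, and the competitor / personal mail domains.
WINDOW = timedelta(days=30)          # 30 days before and after resignation
LARGE_ATTACHMENT = 10 * 1024 * 1024  # bytes
COMPETITOR_DOMAINS = {"competitor.example"}
PERSONAL_DOMAINS = {"webmail.example"}

# Constructed HR feed: user -> date notice was given.
RESIGNATIONS = {"asmith": date(2024, 3, 15)}

# Constructed data-movement events, as a DLP or mail gateway might export them.
EVENTS = [
    {"user": "asmith", "day": date(2024, 2, 20), "action": "usb_copy", "bytes": 52_000_000, "dest": "E:"},
    {"user": "asmith", "day": date(2024, 3, 10), "action": "email", "bytes": 18_000_000, "dest": "a.smith@webmail.example"},
    {"user": "asmith", "day": date(2024, 1, 5), "action": "print", "bytes": 40_000, "dest": "printer-3"},
    {"user": "bjones", "day": date(2024, 3, 11), "action": "email", "bytes": 2_000, "dest": "sales@competitor.example"},
    {"user": "bjones", "day": date(2024, 3, 12), "action": "email", "bytes": 3_000, "dest": "client@customer.example"},
]

def reasons(event, resignations=RESIGNATIONS):
    """Return the list of reasons this event deserves review (empty if none)."""
    found = []
    notice = resignations.get(event["user"])
    if notice and abs(event["day"] - notice) <= WINDOW:
        found.append("within 30 days of resignation")
    if event["action"] == "usb_copy":
        found.append("copied to removable media")
    if event["action"] == "email":
        domain = event["dest"].rsplit("@", 1)[-1].lower()
        if domain in COMPETITOR_DOMAINS:
            found.append("email to competitor")
        if domain in PERSONAL_DOMAINS:
            found.append("email to personal account")
        if event["bytes"] >= LARGE_ATTACHMENT:
            found.append("unusually large attachment")
    return found

def triage(events=EVENTS, resignations=RESIGNATIONS):
    """Return (event, reasons) pairs, most reasons first, for analyst review."""
    hits = [(e, reasons(e, resignations)) for e in events]
    hits = [(e, r) for e, r in hits if r]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)

if __name__ == "__main__":
    for event, why in triage():
        print(event["day"], event["user"], event["action"], event["dest"], "->", "; ".join(why))
```

Events that trip several rules at once, such as a large attachment sent to a personal account shortly before notice is given, sort to the top of the review queue.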
How can we help you?
If you want to develop insider threat resiliency practices specifically addressing IP theft prevention, reach out to us.