logo

How to Prevent Intellectual Property Theft by Insiders

Intellectual Property (IP) is often the most important asset that a company has, because development of innovative solutions is the most efficient way for companies to compete in an all-tech world. Unlike patents, which can secure the right of exclusivity in exchange for public disclosure, IP includes trade secrets and know-how that the owner cannot disclose and that require particularly rigorous protection.

Unfortunately, some employees who have access to IP might have a lax attitude to its security. According to a study based on a feedback of 1,700 business leaders from the U.K., the U.S., and Germany, 72% of CEOs confessed that they have taken IP from a previous employer. This is backed by Netwrix’s 2018 IT Risks Report, which found that 39% of companies consider departing and terminated employees to be the biggest risk to their IP. If a company has not detected an insider in time, the individual can take stolen data to a competitor. It is hard to prevent IP theft, because all employees who come into contact with confidential data may be complicit in this. Here are a few simple tips that can help organizations mitigate against this risk.

Step 1. Know where your confidential data resides and who has access to it

Today, many companies store IP in the cloud or spread it across multiple systems and applications. Examples of such confidential information can include source code, formulations, methods and processes. In addition, users often copy data to their personal devices when working remotely on their laptops, which makes it very hard to eliminate the risk of a data breach.

To be able to protect such information assets, a company needs to determine which sensitive data it holds and classify it from the least to the most sensitive. When this step is completed, it is necessary to identify all users, contractors and partners who have access to it, and define potential points of compromise. For example, if an employee has access to company’s information on new product development, then they belong to a high-risk group.

Step 2. Establish data security policies for the entire organization

A vital step to protecting a company’s IP is to ensure that sensitive information is available only to authorised personnel, whose access is strictly limited on a need-to-know basis. Just as in the example above, access rights to the files with data on new product development should be limited only to the employees who are involved in research and development. It is also necessary to update access rights regularly and to deactivate operationally all user accounts on an employee’s last day. Another important step is to ensure that all employees who work with intellectual properties are informed about security policies and the penalties for ignoring them.

Step 3. Control that all users adhere to policies

In real life, employees are susceptible to forgetting or ignoring security policies  Research by Kaspersky Lab found that only 12% of employees are aware of their organization’s IT security policies. This refers to companies of all sizes: even enterprises cannot say their IP is 100% protected from the insider threat. For example, U.S. authorities recently arrested a former Apple employee when he was about to fly to China with confidential information relating to Apple’s self-driving car project.

Therefore, organizations should put all possible efforts into ensuring the enforcement of security policies. In particular, it is necessary to implement specific methods for user behavior monitoring and tracking unauthorized or unnecessary access attempts. These methods should enable IT security professionals to intervene if required to terminate a suspicious session.

Some examples of signs that someone is trying to violate the security policy and steal IP are:

  1. Spikes in activity. For example, if someone has copied a large amount of sensitive data, the cyber security team should receive an alert about this incident and investigate it straight away
  2. Activity outside of business hours
  3. Anomalous VPN access

Step 4. Involve CEO in the establishment of the cyber security culture

To eliminate the risk of rogue employees stealing IP and disrupting operations, a Head of Information Security Department should collaborate with a CEO to develop a cyber security strategy. The CEO should set goals for the management team and the HR department to raise cyber security awareness within the entire organization.

This goal should include certain specified tasks. The role of management teams is to ensure that their subordinates follow the security policies. The role of HR is to conduct cyber security training for employees to remind them how to deal with the confidential data and to encourage people to report on incidents. HR should also establish a set of rules when hiring. This includes asking specific questions during job interview to discover an individual’s attitude towards ethics. It is advisable to require employees to self-certify that they have read and understood the organization’s security policies – whether relating to IP or other data assets – and to ensure that this process is conducted annually.

Each company should have a strategy for mitigating insider threats to its IP, as each company has individual points of data compromise and faces specific threat actors. It is impossible to outsource the solution of this problem. There is no any external algorithm to a company’s security policy to minimize this risk. Senior management should collaborate with cyber security managers to identify the most efficient strategy that both protects data and systems and is in line with the business’s processes.

Former General Manager EMEA at Netwrix. Matt holds a CISSP certification and has over 19 years of experience in the cybersecurity industry. He has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.