If you are responsible for protecting your company from the risk of a trusted insider stealing intellectual property, consider packing a lunch because it's going to be a bit of a journey. Intellectual property (IP) means different things to different people. And far too many believe they don’t have access to the company's IP, and therefore are not responsible for protecting it.
First, intellectual property is more than patents. It also includes trade secrets, business processes, and even an extraordinary strategy or playbook. These all fall under the rubric of intellectual property, so when the employee answers, "I don't have any exposure," ask them to explain their work, how they use email, and what portions of the company intranet they touch. By doing so, they will begin to understand that by simply being an employee, they are exposed to company intellectual property.
Insiders Are a Target
You, your company, or another employee don’t get to decide whether the business is worth attacking. So what do you do if you can't determine in advance who is a social engineer or criminal looking to capture your data or your customer data for profit?
To determine if an employee is being targeted, do you monitor your employee's keystrokes, their access to data, their coming and goings, their internal building movements, their laptops, tablets, and smartphone activities? Do you educate the employee on how they may be a target and how to detect an approach from a social engineer, be it face-to-face, over social networks, or via phone? And when detecting the initial approach, do you have a playbook on what to do next? Your trustworthy employee will fall within the targeting sights of an adversarial entity, and he or she needs to be protected.
In early November, Kaspersky Lab published a report on the "Darkhotel APT" targeting scheme, which focused on top executives while they were in travel mode. According to Kaspersky, the entity (criminal or nation state, the jury is still out) targeted executives from the United States and Asia who traveled to Japan, Taiwan, China, Russia, and South Korea. The executive insiders were unwittingly targets of the technical collection, with the unlawful entity's ultimate goal of capturing IP and investment plans. How many of these insiders were equipped with travel laptops, tablets, and phones that were availed with the expectation that they would be subject to attack while the executive was in travel mode? Does your company implement a travel laptop/smartphone/tablet program to limit exposure of potential intellectual property theft?
Insiders May Break Trust
What of the employee who, for a myriad of possible reasons, decides to break trust? Those aforementioned logs, records, and data controls all come into play to determine when, where, how, and potentially why the insider decided IP theft was an acceptable path to pursue. Watching and reading the courts filings of IP theft cases is one way to assist a company analyst charged with protecting the company IP to better understand methodology being employed by employees who broke trust.
One example of how this plays out is taking place right now in California's Superior Court. In early November 2014, Lyft accused former chief operating officer VanderZanden of providing Lyft's trade secrets to Uber, the company's competitor and VanderZanden's current employer. In Lyft v Travis VanderZanden and Does 1-10, the company alleges that VanderZanden uploaded sensitive files to his Dropbox account prior to resignation. How many of your employees upload files to their personal cloud storage accounts?
Another example is the famous 2009 Starwood v Hilton case, in which The New York Times reported Starwood accusedsome executives of jumping ship to Hilton with the entire playbook for Starwood's W concept. Knowledge of the acquisition was made after the Starwood legal team inadvertently learned that internal documents were in the hands of Hilton when an exchange of data was made for an unrelated issue. Luck was on Starwood's side, as the internal controls missed the theft of the confidential documents. In late 2010 the case settled, with Hilton reportedly paying $75 million to Starwood and having to provide a plethora of additional accommodations, including killing Hilton's own Denizen concept brand.
What to Do
The obvious area of investment for every entity lies within employee on-boarding and exit processes and procedures. Businesses should make sure they include a non-disclosure agreement and intellectual property protection segments. Additionally, the exit process should include an attestation from the departing employee which details their having returned all intellectual property in their possession (including that which has found its way onto the employee's personal devices permitted within the company's BYOD policy).
What is not so obvious are the opportunities presented throughout the period of employment. Engage with employees and discuss the intellectual property life cycle, emphasizing the need to protect the company's intellectual property via ongoing review of processes and procedures. The insider is the linchpin to intellectual property security. Educate, engage, and empower your insiders to secure your intellectual property, and then verify they are doing so.