“Trust but Verify” - Insider Threats & Intellectual Property Theft
February 20, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, corporate espionage, cybersecurity, InfoSec, insider theft, IP Theft, markconsultinggroup.com, operational security, security
According to the US Government, intellectual property theft costs the US approximately $250 billion per year. Unfortunately, a large and growing percentage of this theft is due to insiders. The human element of data security is a topic that I have written on numerous times. This article follows one I wrote in August, 2011 titled: Security 101: The Human Element.
I have worked with a number of large (and small) organizations that were very focused on risk management and information security. It is always disheartening to find that companies focus solely upon external threats and ignore one of the largest threats to their intellectual property: their own employees. Humans are social creatures. We make friends and we want to be trusted. We also believe in our fellow person. Nobody likes to feel like they are not trusted and, consequently, few like to make others feel like they are not trusted. Unfortunately, where data security and the protection of intellectual property are concerned, companies are well advised to adhere to the old adage: “Trust but Verify”.
With increased responsibility often comes increased authority and increased access to sensitive systems and information. Companies often make the mistake of believing that with increased responsibility comes a decrease in the need to monitor activity. It is often not until it is too late that companies find that their ‘trusted executive’ has stolen sensitive data. In my own experience, I have worked for a company in which we found that the CIO had downloaded every single employee’s email (including the CEO’s) onto his personal system. The emails included personal data such as health information and bank account data. While not as serious as stealing valuable product or technology plans, it highlights the problem and the challenges.
Recently, Symantec released a report which details findings related to insider theft of intellectual property. One of the more compelling parts of the report is their list of characteristics of insiders who steal corporate data. Below is a list of those characteristics:
- Insider IP thieves are often in technical positions – The majority of IP theft is committed by current male employees averaging about 37 years of age who serve in positions including engineers or scientists, managers, and programmers. A large percentage of these thieves had signed IP agreements. This indicates that policy alone—without employee comprehension and effective enforcement—is ineffective. (please read my post titled: “Pick Your Poison”)
- Typically insider IP thieves already have a new job – About 65% of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 20% were recruited by an outsider who targeted the data and 25% gave the stolen IP to a foreign company or country. In addition, more than half steal data within a month of leaving.
- Malicious insiders generally steal information they are authorized to access – Subjects take the data they know, work with and often feel entitled to in some way. In fact, 75% of insiders stole material they were authorized to access.
- Trade secrets are most common IP type stolen by insiders – Trade secrets were stolen in 52% of cases. Business information such as billing information, price lists and other administrative data was stolen in 30%, source code (20%), proprietary software (14%), customer information (12%), and business plans (6%).
- Insiders use technical means to steal IP, but most theft is discovered by non-technical employees – The majority of subjects (54%) used a network (email, a remote network access channel or network file transfer) to remove their stolen data. However, most insider IP theft was discovered by non-technical staff members.
- Key insider patterns precede departure and theft – Common problems occur before insider thefts and probably contribute to the insider’s motivation. These precipitants of IP theft support the role of personal psychological predispositions, stressful events and concerning behaviors as indicators of insider risk.
- Professional setbacks can fast-track insiders considering stealing IP – Acceleration on the pathway to insider theft occurs when the employee gets tired of “thinking about it” and decides to take action or is solicited by others to do so. This move often occurs on the heels of a perceived professional setback or unmet expectations.
A good example of a person having many of the characteristics outlined above is David Yen Lee, who stole $20 million of trade secrets from Valspar after accepting a position in Shanghai at Nippon Paints. Lee has since been found guilty, sentenced to 3 years in prison and required to pay restitution.
It is important that all organizations ensure every employee, from the CEO to the most junior employee, has access provided based upon the principles of Need to Know and Least Privilege, and that all employees are monitored. Remember to Trust but Verify and you can minimize the likelihood of insider theft.