IP theft doesn’t always come from overseas


With all the discussion about ransomware extortion, data breaches like Equifax, and privacy violations in social media, one of the greatest threats to any business can get lost in the noise: the theft of its intellectual property (IP). Not only can IP theft cost a business millions of dollars, but the impacts can extend to the broader economy and become fodder for both political and regulatory action, as we have recently witnessed.

It’s difficult to put a hard value on the impact, but in 2015 the Office of the Director of National Intelligence pegged the annual impact of IP theft in the U.S. at somewhere north of $400 billion, and The Center for Responsible Enterprise and Trade along with PwC put the value of IP theft at between 1% and 3% of GDP. Regardless of the source, these numbers are massive.

Intellectual property theft comes in all shapes and sizes. Sometimes it’s a foreign nation-state halfway around the world that decides it wants to get into an industry without making the R&D investments, so it uses electronic resources to hack into the systems of businesses already operating in that space and steal the IP. Sometimes they’ll send a “wet work” operative right into a company’s offices to steal their IP (read the CSOonline story of Medrobotics). Sometimes a competitor will pay a business’s employee for the information they want. Most commonly, the IP will sneak out the door with a departing employee bound for a competitor. Usually, an organization will never know that it happened.

While not every business is the target of foreign intelligence services, every business is a target for IP theft. Look at your own business. Ask yourself, “What intellectual property do we have that someone else might like to get their hands on?” Put yourself in the shoes of your adversaries and you’ll be able to quickly identify what the crown jewels are; then you can begin to formulate a plan to protect them. You’ll also find that your employees probably have a funny sense about what is yours and what is theirs. Many employees feel that it’s perfectly fine to take customer or contact lists with them when they leave for a competitor. In reality, those lists are generally the property of your business, because you paid those employees to develop those lists and that compensation provides your business with ownership (check out “Leaving your job: What you can and can’t take with you” from CIO).

Even on those rare occasions when employees are caught “walking out the door” with IP, businesses tend to turn a blind eye. In more than three-quarters of insider crime cases, law enforcement was never engaged, nor was legal action taken against the perpetrators. Sometimes that’s due to company culture; often it’s due to the inability to prove the person acted with intent. Either way, businesses send the wrong message when they let IP thieves walk.

For the past 16 years, CSO has partnered with the US Secret Service and the CERT Coordination Center at Carnegie Mellon University to research insider crime and look at best practices for prevention. Over those years, two things have stood out as consistent ways a business can reduce its risk of internal IP theft: awareness and monitoring. Train your employees about what is yours and what is theirs. Also, teach them the best practices to prevent inadvertent leaking of IP and trade secrets to parties outside the company. Monitoring employees, particularly if they are “at risk” – such as on performance improvement plans, or in parts of the business that may be going through downsizing or transition – will allow you to catch bad behavior before it can hurt you. You’ll never fully eliminate the risk of IP theft, but every business can manage that risk by leveraging the basics.




Copyright © 2018 IDG Communications, Inc.
