Protecting intellectual property against cyberattack

Intellectual property (IP) covers a wide variety of corporate capital, including customer information, business plans, trade secrets, creative work products such as scripts, and proprietary software or hardware. Hackers, corporate competitors and nation states are all potential IP thieves. Scripts and video from the hugely popular Game of Thrones television show were recently leaked online. Earlier this year, Forrester Research admitted that it was the victim of a cyberattack. While no confidential client data was stolen, hackers gained access to Forrester.com content intended for exclusive use by clients. “We recognize that hackers will attack attractive targets—in this case, our research IP,” said George F. Colony, CEO of Forrester.

Corporate insiders can negligently open the door to IP theft – or intentionally steal the data:

• Accenture data regarding its enterprise cloud offering was exposed recently on an unsecured cloud server.
• Jawbone is suing Fitbit and five former employees in California state court over the alleged theft of trade secrets.

Insights into IP theft

To get a good picture of the threat actors and targets around IP theft, let’s look at some recent findings:

• FBI reports have confirmed insiders are a major target in opponent efforts to gain proprietary information and are also a leading source of these leaks.
• Studies show that half of departing employees leave with confidential company information — either deliberately or unintentionally.
• Research from the CERT Insider Threat Center found that theft of IP occurred most frequently in the Information Technology, Banking and Finance and Chemical sectors.
• Estimated financial impacts in the theft of IP cases averaged around $13.5 million (actual) and $109 million (potential).
• Loss of IP can have an impact beyond the corporation’s walls. In some cases, intellectual property can include customer or partner data (such as business plans) as well. For example, consulting firms’ efforts on behalf of clients can provide insight into the current and future direction of their clients, making for attractive – and impactful – IP if leaked.

The insider and IP theft

When investigating theft of IP cases in their database, CERT found that very few insiders steal intellectual property in order to sell it. Rather, they steal it to take with them to a new job, to start a competing business, or to take to a foreign government or organization. It’s relatively easy for insiders to steal IP during normal working hours because, in many cases, these insiders already have authorized access. This can make it challenging to distinguish between access for legitimate purposes and access with intent to steal.

Symantec conducted a review of literature on insider theft of IP and found:

• Insider IP thieves are more often in technical positions, such as engineers or scientists, managers, salespersons, and programmers.
• Typically, insider IP thieves already have a new job: about 65% of employees that commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft.
• Fifty-six percent of insiders studied stole data within a month of their departure.
• Over two-thirds of the attacks lasted less than a month, consistent with their need to take the information on their way out and use it at a new job or business.
• There were six channels through which insiders stole this information — email, removable media, printed materials, remote network access, file transfer, or downloads to laptops.

I’ve written before about the observable behaviors of malicious insiders; these behaviors may be noticeable in cases of IP theft.

Protecting IP against insider attacks

When it comes to insiders and the corporate crown jewels, organizations can take several steps to help protect their IP:

• Identify your IP, confirm the right people have access to your IP, and take steps to compartmentalize your IP.
• Ensure that information security plans include procedures and policies on the proper protection of IP.
• Establish procedures to ensure cloud storage security, train anyone setting up storage in the cloud on these procedures, and monitor adherence.
• Extend security measures to plug any holes that could result if employees have remote access to your IP. The use of encryption and requiring additional authentication can help to ensure hackers don’t exploit employees working remotely.
• If partners or suppliers contribute to your IP – or have access to IP – vet the security practices of these organizations.
• Have employees acknowledge IP agreements by regularly re-signing, especially when leaving the organization. Periodic reminders and training can also help employees identify signs of IP theft risk in coworkers. Failure to show effective employee indoctrination and training on IP theft policies and practices can weaken any legal remedy to address violations.
• Use monitoring software to watch actions taken on IP data, including file transfer tracking and email transfers.
• Partner with HR to ensure proper offboarding of employees. As mentioned earlier, most insiders steal data within a month of departure. Chemours was able to determine theft of IP by an insider due to offboarding and forensic efforts put in place after giving the employee a termination notice. They monitored the insider’s activity on the network, and detected confidential documents sent to the individual’s personal email account.