Protecting intellectual property from insider threat

null
Image credit: Shutterstock
About the author

Josh executes the FlashPoint's strategic vision to empower organisations with Business Risk Intelligence derived from the Deep & Dark Web. He has worked extensively to track and analyse terrorist groups. 

The topic of intellectual property (IP) protection is getting the much-needed attention it deserves on the global stage. 

Due largely to the U.S. administration’s line on trade negotiations with China, the issue of counterfeit products and international IP theft by state-sponsored actors has risen to the fore. Recent estimates suggest economic espionage in the form of IP theft by Chinese actors costs the U.S. economy up to a staggering $600 billion. 

While the impact of the U.S. ultimatum to the Chinese government on IP theft has yet to be seen, this previously below-the-radar issue is now gaining long-overdue recognition.

Intellectual property – a critical business risk

A company’s IP is estimated to represent as much as 70% of its market value. Ideas and innovations are what make an organisation unique and competitive, yet businesses have often struggled to properly value their IP. A recent study found that, despite 80% of organisations citing cyber liability and IP theft as a serious business risk, only 16% of IP assets at risk of cybercrime are adequately insured. The report also found that 28% of organisations have experienced a material IP event in the past two years.

Unfortunately, the value of IP is often only understood once it has been stolen and commercialised. When copycat products start appearing, or unique features pop up in competitor designs, the loss becomes apparent. By that point, the damage has been done, and recourse is limited to patent infringement courts. So, what can businesses do to protect IP assets, quickly identify when theft has occurred, and reduce the risk of exploitation?

Image credit: Pixabay

Image credit: Pixabay

(Image: © Image Credit: IAmMrRob / Pixabay)

Motivations for insider IP theft

A key vulnerability for businesses defending their IP is company employees. When tracking the history of an IP breach, we often find that the door was unlocked by someone on the inside. With privileged access to critical systems and information, employees are trusted with corporate secrets that, for some, prove too much of a temptation. There are many scenarios:

Employees with a grievance against their employer bid to punish them by sharing sensitive information for personal profit. Another scenario might see an employee tempted by a high salary position with a competitor in return for stealing corporate secrets prior to leaving their current role. This is the alleged situation with Tesla and Xiaopeng Motors where a former Tesla employee is accused of stealing 300,000 files of the company’s self-driving source code from the car maker by using his personal iCloud account attached to the corporate network, before leaving to take up a role with the Chinese firm.

Employees don’t always deliberately reveal secrets; they can simply be targets of malicious activity themselves. They may be recruited by bad actors using an apparently legitimate front, such an invitation to an overseas academic conference, and manipulated into divulging trade secrets.

Compromised employees are vulnerable to threats of blackmail from actors who have either uncovered compromising information or have manipulated them into actions that they fear being made public. These employees steal company data to prevent their own secrets from being revealed.

Finally, we see bad actors take roles within target organisations with the sole aim of accessing and exfiltrating trade secrets.

Managing insider IP theft threat

Managing and mitigating the risk of IP theft is a complex, multi-layered activity that needs broad reach to be effective across the different kinds of insider threat. It’s also a multi-disciplinary undertaking that should incorporate HR and IT, but have visibility at board level, too.

User access management (UAM) is an important element that restricts employees to accessing only the data and systems that are relevant to their role. Combined with user behaviour analytics (UBA), this can pick up unexpected access attempts and spot a potential theft— perhaps by an unhappy or compromised employee—before it takes place.

From an HR perspective, policies about data access and management should be regularly reinforced and companies should also seriously consider controlling access to public data-sharing sites from within the corporate network. HR departments should be alert to the risks around employees leaving the company, working with IT to ensure that permissions are revoked and analysing activity prior to the exit date to identify any unusual data movements or actions. Bear in mind that many employees believe they have ownership of the projects and data that they’ve worked on, and the temptation to take it with them can be strong.

Organisations also need to be aware of high-risk dates on the corporate calendar. These include the development and launch of new products, when stolen IP is likely to command a premium price. Overseas visits by senior personnel should also trigger a higher level of vigilance, and staff should be advised how to protect their devices and be aware of being manipulated.

Image credit: Shutterstock

Image credit: Shutterstock

(Image: © Image Credit: Andrea Danti / Shutterstock)

Swift detection to mitigate impact

Such is the market for stolen IP that, even in the most vigilant organisations, breaches happen. Detecting them as quickly as possible is critical in limiting their impact. A valid way to do this is by looking at the onward journey of stolen IP. If its theft has been motivated by greed, the IP may potentially be offered for sale to the underground community. Monitoring these illicit online communities for references to the organisation can help detect the theft. This practice, however, requires access to such communities and is not something the average IT team should be expected to undertake. Instead, companies should consider using business risk intelligence to underpin their insider threat programme.

A prior incident shows how this works: Flashpoint analysts identified a post on an elite cybercrime forum offering the sale of source code from unreleased software owned by a multinational technology company. Analysis subsequently determined the actor was a company employee. This intelligence enabled the company to safeguard the source code and terminate the rogue employee.

Attempted sales of stolen IP are not the only use case for business risk intelligence. It can also pick up chatter that indicates bad actors are planning to target a company or expose prospective employees’ links to undesirable organisations.

IP theft stifles innovation and legitimate competition, damaging companies and economies on an enormous scale. As companies begin to better recognise the value that IP represents, they need to gain greater insight into who is aiming to steal their IP and how. By combining this with a robust insider threat programme, companies can do a better job of protecting their most valuable assets.

Josh Lefkowitz, CEO of Flashpoint