MOUNTAIN VIEW, Calif. – Dec. 7, 2011 – Symantec Corp. (Nasdaq: SYMC) today released the findings of a new report “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall”. The report addresses the high level of organizational anxiety surrounding potential theft of sensitive, proprietary, intellectual property or similar critical data by employees. It describes what is known about the people and organizational conditions which contribute to this risk. The research paper was authored by Dr. Eric Shaw and Dr. Harley Stock, experts in the fields of psychological profiling and employee risk management.
“Most organizations are aware of the security threats posed by outsiders, but the malicious insider within their own ranks may pose an even greater risk,” said Francis deSouza, group president, Enterprise Products and Services, Symantec Corp. “In this era of global markets, companies and government entities of all sizes are recognizing the ever-expanding challenges of protecting their most valuable asset—their intellectual property—from rivals.”
Theft of intellectual property costs U.S. businesses more than $250 billion per year and FBI reports confirm that insiders are a major target of opponent efforts to steal proprietary data and the leading source of these leaks. Based on a review of empirical research, Dr. Stock and Dr. Shaw have identified the key behaviors and indicators that contribute to intellectual property (IP) theft by malicious insiders. The most compelling patterns observed include:
- Insider IP thieves are often in technical positions - The majority of IP theft is committed by current male employees averaging about 37 years of age who serve in positions including engineers or scientists, managers, and programmers. A large percentage of these thieves had signed IP agreements. This indicates that policy alone—without employee comprehension and effective enforcement—is ineffective.
- Typically insider IP thieves already have a new job - About 65% of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 20% were recruited by an outsider who targeted the data and 25% gave the stolen IP to a foreign company or country. In addition, more than half steal data within a month of leaving.
- Malicious insiders generally steal information they are authorized to access - Subjects take the data they know, work with and often feel entitled to in some way. In fact, 75% of insiders stole material they were authorized to access.
- Trade secrets are most common IP type stolen by insiders - Trade secrets were stolen in 52% of cases. Business information such as billing information, price lists and other administrative data was stolen in 30%, source code (20%), proprietary software (14%), customer information (12%), and business plans (6%).
- Insiders use technical means to steal IP, but most theft is discovered by non-technical employees - The majority of subjects (54%) used a network--email, a remote network access channel or network file transfer to remove their stolen data. However, most insider IP theft was discovered by non-technical staff members.
- Key insider patterns precede departure and theft – Common problems occur before insider thefts and probably contribute to insider’s motivation. These precipitants of IP theft support the role of personal psychological predispositions, stressful events and concerning behaviors as indicators of insider risk.
- Professional setbacks can fast-track insiders considering stealing IP - Acceleration on the pathway to insider theft occurs when the employee gets tired of “thinking about it” and decides to take action or is solicited by others to do so. This move often occurs on the heels of a perceived professional set-back or unmet expectations.
The report features pragmatic recommendations for managers and security personnel concerned with intellectual theft risk, including:
- Build a Team: To fully address insider theft, organizations need to have a dedicated team made up of HR, security, and legal professionals that create policies, drive training, and monitor problem employees.
- Organizational Issues: Organizations need to evaluate whether they are at greater risk due to inherent factors—employee morale, competitive risk, adversary operations, local overseas, use of local contractors, etc.
- Pre-Employment Screening: The information collected during this process will help hiring managers make informed decisions and mitigate the risk of hiring a “problem” employee.
- Policies and Practices: This is a checklist of specific policy and practice areas that should be covered within an organization’s basic governance structures.
- Training and Education: These are essential to policy effectiveness since policies and practices that are not recognized, understood and adhered to may be of limited effectiveness. For instance, most IP thieves have signed IP agreements. Organizations should have more direct discussions with employees about what data is and is not transferrable upon their departure and the consequences for violating these contracts.
- Continuing Evaluation: Without effective monitoring and enforcement, compliance will lapse and insider risk will escalate.
In addition, Symantec recommends:
- Preempt IP theft by flagging high-risk insider behavior with a security technology like Data Loss Prevention (DLP).
- Implement a data protection policy that monitors inappropriate use of IP and notifies employees of violations, which increases security awareness and deters insider theft.
- Alert managers, HR, and security staff when exiting or terminated employees access and download IP in unusual patterns with a file monitoring technology like Data Insight.
Dr. Eric Shaw aids corporate and government organizations in the investigation of insider cases, insider research, employee risk assessments, and the evaluation of organization insider risk. He also helps these organizations develop training in the area of insider security awareness. Dr. Shaw is a clinical psychologist and a former intelligence officer. He has served as an expert witness on insider-related litigation including representing the Department of Justice in a recent Anthrax case. He is president of Consulting and Clinical Psychology Limited. located in Washington DC. Dr. Shaw also specializes in the psycholinguist risk and holds eight patents on psychological content analysis software designed to locate, assess, and monitor disgruntled at-risk for insider activity. He is a professorial lecturer at the Elliot School of International Affairs of George Washington University and a behaviorial consultant Stroz Friedberg Incorporated, an international corporate investigations and computer forensic fraud firm.
Dr. Harley Stock is a managing partner with the Incident Management Group (IMG). Dr. Stock's specialty is high risk threat assessment in the workplace. Dr. Stock and his group have developed a comprehensive violence prevention program using forensic psychology, linguistic analysis, protective security and deployment of innovative labor and legal strategies to resolve individual cases and executive preventive programs. IMG threat management services are routinely used by Fortune 500 companies and the U.S. government. Dr. Stock guides clients through the intricacies of case handling and presents decision makers with security and psychological assessment strategies and a range of practical management options. He is one of 250 board certified forensic psychologists in the U.S.
- Executive Summary: Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall (PDF)
- White Paper: Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall (PDF)
- Webcast “The Psychology of Insider Theft: What Pushes Employees to Steal?” Registration, December 12th
- Blog Post: Insider Data Theft: When Good Employees Go Bad
- Infographic: Can you spot a malicious insider?
- Podcast: Psychology of Insider Theft
Connect with Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
Note to Editors: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at http://www.symantec.com/news. All prices noted are in U.S. dollars and are valid only in the United States.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Forward-looking Statements: Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions.
TECHNORATI TAGS: Symantec, data loss prevention, encryption, security