I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But when hackers get in the back door and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses, while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.
There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?
Retailers face a similar predicament of external and internal theft, where shoplifters and employees are stealing their wares. Shoplifters are essentially the retailer’s equivalent of hackers. However, retailers know the bigger threat is their own employees – in 2011, shoplifting accounted for 35.7 percent of total losses while employee theft accounted for 43.9 percent and cost retailers $35 billion. Thwarting insider theft is where retailers heavily invest in increasingly sophisticated and concealed tools like Internet Protocol cameras that provide live stream viewing, video correlation with transaction data and register keystrokes, RFID inventory systems, and even biometric identification systems to prevent cheating on time sheets. Like the shoplifter’s spoils, the take from a hack most likely pales in comparison to the slow, steady trickle of insider IP theft.
A study Symantec released last month found that half of employees admit to taking corporate data when they leave a job, and 40 percent say they plan to use the data in their new job. This means valuable IP – the crown jewels – is falling into the hands of competitors. Even if hackers went away completely, you won’t solve the problem of routinely losing your IP unless you take steps to reduce the risk of insider theft. We suggest that companies take a multi-pronged approach:
While hackers make for sexy headlines, we can’t lose sight of the insider threat. Employees walking out the front door with corporate secrets can be just as damaging, and enterprises need to pay attention. As to whether companies should disclose insider theft incidents, well, that’s a debate for another day. What do you think? Are enterprises paying too little attention to insider threats?