Driving Intelligent Security: RSA 2014 Group


Enterprises Can Learn a Thing or Two about IP Theft from Department Stores 

Apr 03, 2013 06:07 PM

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses, while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?

Retailers face a similar predicament of external and internal theft, where shoplifters and employees are stealing their wares. Shoplifters are essentially the retailer’s equivalent of hackers. However, retailers know the bigger threat is their own employees – in 2011, shoplifting accounted for 35.7 percent of total losses while employee theft accounted for 43.9 percent and cost retailers $35 billion. Thwarting insider theft is where retailers heavily invest in increasingly sophisticated and concealed tools like Internet Protocol cameras that provide live stream viewing, video correlation with transaction data and register keystrokes, RFID inventory systems, and even biometric identification systems to prevent cheating on time sheets. Like the shoplifter’s spoils, the take from a hack most likely pales in comparison to the slow, steady trickle of insider IP theft.

A study Symantec released last month found that half of employees admit to taking corporate data when they leave a job, and 40 percent say they plan to use the data in their new job. This means valuable IP – the crown jewels – is falling into the hands of competitors. Even if hackers went away completely, you wouldn’t solve the problem of routinely losing your IP unless you took steps to reduce the risk of insider theft. We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness are critical – companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do's and don'ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee's responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it's leaving. Deploy data loss prevention software to notify managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise exposed, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.

While hackers make for sexy headlines, we can’t lose sight of the insider threat. Employees walking out the front door with corporate secrets can be just as damaging, and enterprises need to pay attention. As to whether companies should disclose insider theft incidents, well, that’s a debate for another day. What do you think? Are enterprises paying too little attention to insider threats?
