By Robert Douglas, President
What if all your IT security – firewalls, antivirus, network passwords – only protected you half
Then you would want to significantly reduce your risk. What risk? Internal theft by your own employees.
On March 16 of this year, the FBI arrested Bo Jiang, a contractor who had been working at NASA before he boarded a flight. A one-way flight, out of the U.S., heading to China. He was carrying several hard drives and USB flash drives. Drives loaded with secrets from NASA databases. (CBS News
This was an attempted theft of federal trade secrets. And it only happened 3 weeks ago!
Internal Threats, and How They Start
No one wants to suspect their own employees or contractors of violating security. But the scary fact is, U.S. businesses lost $300 billion
to trade secret theft in 2012 (Reuters
). And most of those losses came from inside their own networks.
There are 2 ways trade secrets are stolen via internal channels:
- Cyber-espionage – spies targeting unsuspecting employees in spear phishing attacks, or employees using infected thumb drives
- Employee theft – current or former employees/contractors taking company information & giving/selling it to others.
Though both methods use technology, neither is solely a technical problem (nor can it be solved with just technology). According to former Homeland Security Secretary Michael Chertoff:
“In reality, decisions about cybersecurity involve profound questions of policy and governance—who gets access, what kind of devices are allowed in the network, what deserves the most protection, and what deserves less protection—that strike at the very heart of business decision making.”
You'll find many chilling examples of both types of internal theft in this article from Lexology:
Department of Justice issues report highlighting trade secret theft prosecutions and need for companies to vigilantly protect their data – Lexology.com
Horror stories like these are not intended to undermine trust in your employees, but they should be a wake-up call that companies need to vigilantly protect their data.
The problem has become so serious, that the White House announced their strategy for stopping trade secret theft in February 2013. It has five parts:
- Focusing diplomatic efforts to protect trade secrets through diplomatic pressure, trade policy and cooperation with international entities
- Promoting voluntary best practices by private industry to protect trade secrets
- Enhancing domestic law enforcement, including through outreach and information-sharing with the private sector
- Improving domestic legislation to combat trade secret theft
- Improving public awareness and stakeholder outreach
(Source: The National Law Review
How Internal Theft Happens: Open Access to Information
Last year, an employee at a Northern California chemical company left his job. It was soon discovered that he had taken trade secrets from work with him. In March of 2012, he pled guilty to “conspiracy to commit economic espionage” in court. For whom? Companies controlled by the Chinese government.
Trade secret theft is happening everywhere. Even in our backyard.
When the theft is internal, it usually happens because workers have access to data they never had any business accessing.
For instance, consider these scenarios:
- Employees can access schematics for all products, when they only work on one.
- An employee who’s not in Sales can still view sales & prices data.
- Someone granted a non-management employee access to manager-level planning information.
- Confidential operations data is not secured separately from common-access data.
- Employees are provided with security cards giving them open access to the office premises, to and including the server room, 24/7
This sort of unbridled access leaves your business vulnerable to would-be thieves. And they’re increasingly taking advantage of it.
China may be the biggest fish in the cyber-theft pond, but it’s not the only one after U.S. trade secrets. In October 2012, employees of South Korea’s Kolon Industries were indicted in Virginia for stealing trade secrets over several years. They targeted DuPont, a major U.S. manufacturer.
What were they after? The manufacturing process for Kevlar!
Kolon's employees in Korea were even able to duplicate Kevlar, using the stolen data. DuPont sued them in civil court as well, and won almost a billion dollars in settlement
for theft of its trade secrets.
There are dozens of examples of internal trade secret theft, just in the past 5 years. A Department of Justice report, released in December 2012, contains 82 pages of them! Read the full report here:
Summary of Major U.S. Export Enforcement, Economic Espionage, Trade Secret And Embargo-Related Criminal Cases (PDF)
Which industries are most at risk? According to The National Law Review
, these 5 industries:
- Information technology and communications
- Business information relating to supplies of scarce natural resources, or information that gives foreign actors an edge in negotiations with U.S. businesses or the U.S. government
- Military technologies, particularly in connection with marine systems, unmanned aerial vehicles and aerospace
- Civilian and dual-use technologies in sectors likely to experience fast growth: Clean energy, health care and pharmaceuticals, advanced materials and manufacturing techniques, and agricultural technology
If your business operates within one of these industries, your data may already have a target on it.
Fortunately, trade secret theft is not inevitable. Here's how you can reduce your risk.
How You Secure Your Network: Use Security Audits and Limit Access
Minimizing internal security threats requires a combination of physical security, employee policies, and regular checks. If you are already operating under Sarbanes Oxley (SOX) these shouldn’t be news to you. Either way if you haven’t implemented the following already, now is the time to start.
- Only grant employees the appropriate security access to perform their job functions (need-to-know basis).
- Monitor employee access to secure databases.
- Prohibit network access to external devices (such as BYOD).
- Institute policies regarding use of company computers and email, to protect internal data from being stolen or accidentally leaked. Inform all employees, and mandate compliance.
- Conduct an IT security audit of your network. Security audits:
- Analyze your current security architecture
- Review BYOD (Bring Your Own Device)
- Create procedures for testing physical & logical IT security, including penetration testing
- Test all secure data access, including remote access and email use
- Test all applications for authentication vulnerabilities
- Examine workstations and employee accounts’ access levels
- Implement server-based rules which control the types of hardware that can be connected to client computers, and which ones may have access to thumb drives or external hard drives.
- Enforce encryption of external data storage devices.
Setting rules for behavior & data access doesn't mean you have to suspect co-workers. On the contrary, rules like these apply to everyone, which means trust is still a valued part of the workday.
If you are concerned about your internal IT security, it might be time for an audit. While you’ll never make your network 100% secure, you can still take steps to significantly reduce your risk of employee trade secret theft.
This is Part 1 of our “Securing Your Network” content series. Next month will have Part 2, “Protecting Your Trade Secrets from Cyber Espionage”.
If you enjoyed it, make sure to subscribe to our mailing list
for future issues of “WOOF!”
Robert Douglas is the Founder & President of PlanetMagpie IT Consulting. An IT industry expert with more than 25 years’ experience, he has spoken at trade conferences & consulted with Microsoft on everything from billing systems to unified communications. Originally from New York, Mr. Douglas received his B.S. in Computer Science from York College of Pennsylvania in 1984 and studied for his MBA at Union College. He can be reached at 510-344-1200 or ITconsulting@planetmagpie.com