IP Theft – Understanding The Insider Threat To Information Security

Part 2: An expert’s perspective

In the first of this two-part series, we discussed the threat that malicious insiders – often employees who are tendering their resignations – pose to your most valuable information assets. In this second installment, Pete James, a digital forensics examiner and expert in Intellectual Property theft with more than 25 years' experience, shares his perspective on the issue.

The move to digital technology has not come without its problems. In the 1980s, when I started my working life, digital technology in the workplace was in its infancy. My first employer had two IBM PS/2 desktop computers, each with a whopping 10 MB of disk space. These computers were not networked with each other, let alone connected to the internet. There were no cellular phones, tablets or cloud applications either. To anyone recently entering the workforce this would seem like a foreign world. A recent commercial for General Motors explored these generational differences by presenting "new" technologies like VHS tapes and fax machines to a group of very confused people.

In today's world we routinely use a cell phone to send documents stored in a cloud account to anyone in the world in a matter of seconds. These conveniences have become the norm and are expected by those working in the business world.

Therein lies the problem. In the competitive and fast-paced world of business today, it is all too easy to focus on convenience at the expense of information security. A 2009 study by the Ponemon Institute found that 60% of employees who quit or are asked to leave take confidential or sensitive business information with them upon their departure[i]. These employees typically copy the data in the 30 to 60 days prior to their departure. USB thumb drives, cloud storage, email and portable hard drives are all popular means of transporting files; each can hold a huge volume of data, and the physical media are easily concealed.

Corporate policies covering access to and dissemination of the company's data are predominantly useless if no one is checking that they are being adhered to. While large corporations have for years applied a need-to-know approach to access to their computer systems, many small to medium-sized companies with limited IT budgets fail to put in place many of the necessary safeguards. It is not uncommon to find a company whose computer network allows equal access for all employees regardless of need or standing in the company. If the employee is in the IT department – a so-called "privileged" user – the risk is compounded, because such a user can reach every system and often the audit logs that would record the theft as well.

So what is the answer? Trust, but verify. Businesses today should have in place procedures governing access to corporate networks that cover two areas: preemptive and reactive. Preemptive policies and procedures govern the level of access to data retained by the company. Every employee should be given only the access necessary to perform their business function, and nothing more. Even the IT department should be segmented so that no one employee holds the "keys to the kingdom." Have the IT department implement monitoring on the network to identify anomalous activity, such as unusually large copies to removable media or cloud storage, as it occurs; that is the first level of verification.

Reactive procedures cover employee separations, which must be categorized as either voluntary or involuntary. I am still amazed by the number of calls I receive from companies that gave an employee "two weeks' notice" but failed to restrict the individual's access during those two weeks. Why they don't simply provide the severance and tell the person to stay home, I will never understand.

Even voluntary separations should be addressed in a policy. In 70% of Intellectual Property (IP) theft incidents the cost to the company exceeds $100,000, and in 50% of those incidents it exceeds $1,000,000[ii]. While these thefts can originate from many locations depending on the employee's access, 70% of them have been found to occur in the workplace[iii]. Faced with these facts, you should decide whether the departing employee is allowed to continue working as usual or is subject to a limitation of access.

How will you know whether bulk files or documents have been pilfered? The answer will most likely come from a forensic examination of the employee's devices and access logs.

The cost of this verification is often the primary stumbling block, and the reason many companies fail to follow up on the actions of suspect employees. A full forensic examination, including the imaging and forensic analysis of a single laptop or desktop computer, can cost up to $5,000 in some markets. It can, however, be done as a multi-step process: an initial review of common indicators tied to the transport methods above (USB device connections, cloud storage clients, outbound email attachments and the timestamps of the files touched) is performed first to confirm the suspicion, and only if warranted is a full examination for actionable evidence performed.
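The network monitoring recommended earlier (tracking anomalous activity as it occurs) and the initial indicator review described in the paragraph above amount to the same check: compare a user's volume of copies to USB, external drives, cloud storage and email in the weeks before departure against that same user's own earlier baseline. The Python script below is an added illustration, not code from this article or from Precision Discovery. The log format (timestamp, user, action, destination class, bytes), the user names, the destination labels, the 60-day window and the 5x threshold are all assumptions made for the example; in practice the records would come from DLP, endpoint or file-server audit logs.

```python
"""Triage of file-copy logs for the pre-departure bulk-copy pattern.

Added illustration, not code from the article or from Precision Discovery.
The log format, user names, destination classes and the 5x threshold are
assumptions made for the example.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed sample log, one event per line:
#   <ISO-8601 timestamp> <user> <action> <destination class> <bytes>
# Destination classes mirror the transport methods named in the article.
SAMPLE_LOG = """\
2023-11-20T09:12:44Z alice copy usb 2400000
2023-12-04T11:02:10Z alice copy cloud 1800000
2023-12-18T16:40:03Z alice copy email 900000
2024-01-08T10:05:31Z alice copy usb 2100000
2024-01-22T14:22:09Z alice copy cloud 1500000
2024-02-12T15:01:55Z alice read fileserver 700000
2024-02-12T15:03:20Z alice copy usb 2000000
2024-03-04T18:55:47Z alice copy usb 41000000
2024-03-05T19:10:12Z alice copy usb 58000000
2024-03-06T07:45:00Z alice copy external_hdd 120000000
2023-11-21T09:00:00Z bob copy cloud 3000000
2023-12-19T09:00:00Z bob copy cloud 2900000
2024-02-09T09:00:00Z bob copy cloud 2800000
2024-03-05T09:00:00Z bob copy cloud 3100000
this line is malformed and must be skipped, not crash the review
"""

# Destinations that move data off the corporate network (assumed labels).
OUTBOUND_DESTINATIONS = {"usb", "external_hdd", "cloud", "email"}


def parse_log(text):
    """Return (day, user, destination, bytes) for each outbound copy event."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it and keep going
        ts, user, action, dest, size = parts
        if action != "copy" or dest not in OUTBOUND_DESTINATIONS:
            continue  # reads and internal copies are not exfiltration signals
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        records.append((day, user, dest, int(size)))
    return records


def daily_outbound_bytes(records, user):
    """Sum outbound bytes per calendar day for one user."""
    totals = defaultdict(int)
    for day, u, _dest, size in records:
        if u == user:
            totals[day] += size
    return totals


def flag_pre_departure_copying(records, user, departure_iso,
                               window_days=60, ratio=5.0):
    """Compare the departure window with the user's own preceding baseline.

    The window is the `window_days` before the departure date (the article's
    30-60 day copying period); the baseline is the equally long period before
    that. A single day is flagged when it exceeds `ratio` times the baseline
    median, and the window as a whole when it exceeds `ratio` times the
    baseline total. `ratio` is an assumed tuning value.
    """
    departure = date.fromisoformat(departure_iso)
    window_start = departure - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=window_days)
    totals = daily_outbound_bytes(records, user)
    baseline = [b for d, b in totals.items() if baseline_start <= d < window_start]
    window = {d: b for d, b in totals.items() if window_start <= d <= departure}
    if not baseline:
        # A new hire or a user with no history cannot be scored against
        # themselves; report that for manual review instead of passing silently.
        return {"user": user, "flagged": None, "reason": "no baseline activity"}
    base_median = median(baseline)
    spike_days = sorted(d.isoformat() for d, b in window.items()
                        if b > ratio * base_median)
    window_total = sum(window.values())
    flagged = bool(spike_days) or window_total > ratio * sum(baseline)
    return {
        "user": user,
        "flagged": flagged,
        "baseline_median_bytes": base_median,
        "window_total_bytes": window_total,
        "spike_days": spike_days,
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for who in ("alice", "bob"):
        print(flag_pre_departure_copying(events, who, "2024-03-15"))
```

On the constructed log, alice's three March days each exceed five times her own median and are reported as spike days, while bob's steady monthly cloud uploads are not flagged. The threshold is relative to each user's history rather than a fixed byte count because a designer who moves large files every week looks very different from an accountant who never does; a user with no baseline at all is returned unscored so that a new hire is reviewed by hand rather than silently cleared.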

At Precision Discovery, we've developed a cost-effective program called "Employee Risk Assessment (ERA)" to provide an initial view of the device used by an employee. The process examines six key areas and provides consultation that gives you a good idea whether a full forensic examination is justified. Visit our site to learn more about Precision ERA.

If you'd like to learn more about the dangers of IP theft and how to help prevent it, check out my e-book, Uncovering Intellectual Property Theft: Following the trail of a data thief.

Richard Corvinus, Digital Forensic Examiner

Rich is a highly skilled digital forensic examiner who honed his skills through numerous criminal prosecutions while in law enforcement. Rich has attained numerous certifications in the field and gives back to one of the organizations from which he received training and certification by volunteering his time to assist others working through the certification process. He loves to use both conventional and non-conventional forensic tools to uncover the facts of the matter being investigated.