The most costly data breaches are usually those caused by a malicious insider. Insiders normally have access to things external hackers generally do not, such as intellectual property, which in turn lets them reach areas known only to them and gives them additional insight into the areas most vulnerable to attack.
Company insiders, not outside hackers, are involved in more than two-thirds of all cyber cases involving theft of intellectual property. Moreover, when there is intentional and malicious destruction of data, a corporate insider is frequently responsible. Whether driven by opportunism, greed, a desire for revenge, or a combination of all three, these insiders exploit their positions of trust to obtain access to their organization’s most valued digital assets. Moles, opportunists, contractors, disgruntled employees, and ex-IT personnel—all currently pose a greater risk to corporate intellectual property than state-sponsored hacking and APTs, both in frequency and in damage caused.
Intellectual Property Breach – Toyota Motor Corp.
Fired from a job as a technology contractor for a Toyota Motor Corp. (7203) factory in Kentucky, Ibrahimshah Shahulhameed went home, logged into the company’s computer network and attacked it with programming commands.
It took the automaker months to fix the damage and landed Shahulhameed in prison. He is appealing the conviction.
While attention has been drawn recently to outsiders suspected of attacking companies such as Home Depot Inc. (HD) and JPMorgan Chase & Co. (JPM), Shahulhameed’s case illustrates the growing threat from within. U.S. companies and organizations suffered $40 billion in losses from unauthorized use of computers and the compromised access to intellectual property by employees last year.
Protecting Intellectual Property
- Employees and vendors must be required to sign a code of conduct, as well as confidentiality and non-disclosure agreements, before beginning work.
- Electronically stored confidential information should be compartmentalized and accessible only on a need-to-know basis.
- Immediately revoke a departing employee’s ability to access any proprietary information.
- Conduct an exit interview with the employee and require him or her to attest that he or she is not taking any confidential or proprietary information to a new employer.
- If suspicious activity on the part of the departing employee is uncovered, consider conducting a full-scale investigation of the former employee’s recent conduct.
Even with best practices for protecting intellectual property, companies are still vulnerable to having their confidential information and trade secrets misappropriated. Accordingly, it is crucial that companies not only continuously re-evaluate their practices, but also consult with security and legal experts in each country in which they do business to make sure they are not running afoul of any laws and are protecting their valuable information in a manner that preserves all available legal protections.