Is Stolen IP Walking in the Door With New Employees?

Are your former employees walking out the door with your intellectual property? And worse, is your new hire putting your organization at risk by bringing in IP stolen from a former employer? A new global survey by Symantec and The Ponemon Institute finds that half of employees who left or lost their jobs in the past 12 months kept confidential corporate data, and 40 percent say they plan to use the data in their new jobs.

In October and November of 2012, The Ponemon Institute surveyed 3,317 individuals in the U.S., U.K., France, Brazil, China and Korea. The median age of respondents was 35, and the average headcount of respondents' organizations was 7,000.

The Ponemon Institute reports that more than half of employees admit they email business documents from their workplace to their personal email accounts and 41 percent say they do it at least once a week. The same percentage says they download IP to their personal tablets or smartphones.

How Workers View IP and Company Documents

"The majority of employees who transfer work documents outside don't really understand that it's wrong," says Tim Matthews, senior director of product marketing with the Data Loss Prevention (DLP) Group at Symantec. "A lot of people end up Gmailing stuff home to themselves so they can work on it from their home computer. And we know, for instance, that one-fifth of home computers are infected with malware."

One of the reasons for this issue, according to The Ponemon Group, is that most employees don't believe it's wrong to transfer corporate data to their personal devices or cloud-sharing apps.

"A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company," the survey finds. "Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data."

Moreover, many employees may have a cavalier attitude toward company-owned data because they attribute ownership of IP to the person who created it, according to the survey.

"When given the scenario of a software developer who re-uses source code that he or she may have created for another company, 42 percent do not believe it is wrong and that the person should have an ownership stake in his or her work and inventions," the survey reports. "They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today's knowledge workers as unaware that intellectual property belongs to the organization."

Stolen IP Creates Potential for IP Contamination

Not only is that a problem for the organization that just lost the IP, it's also potentially a big problem for the organization that hires a worker who brings stolen IP to his or her new role.

"It creates the potential for IP contamination," Matthews says. "It's not just a security or business loss issue. Now you have a potential lawsuit on your hands."

Employees aren't solely responsible for the problem, Matthews notes. He says organizations are failing to create a culture of security. The Ponemon Institute finds that only 38 percent of employees say their manager views data protection as a business priority, and 51 percent believe it's acceptable to take corporate data because their company does not strictly enforce policies.

"Simply put, companies don't do anything," Matthews says. "And because there's no action taken--there's no policing--pretty soon people feel they can get away with it because companies don't care. Companies don't put any time into actually policing their intellectual property."

How to Deal With Insider IP Theft

Matthews offers three recommendations for dealing with the threat of insider IP theft:

Educate your employees. Organizations need to educate their employees about IP security and help them understand that taking confidential information is wrong. IP theft awareness should be an integral part of security awareness training.

Enforce nondisclosure agreements (NDAs). In nearly half of insider theft cases, the organization had IP agreements with the employee, according to Symantec, but those agreements either weren't understood by the employee or weren't enforced by the company. Organizations need to include stronger, more specific language in their employee agreements. Additionally, exit interviews should include focused conversations around the employee's continued responsibility to protect confidential information and return all company information and property. The employee needs to understand that policy violations will be enforced and could result in negative consequences to them and their future employer.

Deploy monitoring technology. Implement a data protection policy that monitors inappropriate access and use of IP and automatically notifies employees of violations. This will increase security awareness and deter theft.

"When it comes to trade secret theft by mobile employees, an ounce of prevention is usually worth ten pounds of cure," says Dave Burt, founder of Mobility Legal P.C.

"We consistently see departing employees who don't understand their obligation to keep trade secrets secret, but are just as often faced with companies whose own procedures are sorely lacking when it comes to protecting valuable IP," Burt says. "But everybody loses when a mobile employee steals trade secrets--the company who invested in the IP, the employee who took it and the organization that receives it, even unknowingly, who most often is on the hook for defending the litigation that follows."

"Before employees exit," Burt adds, "dust off agreements they likely haven't looked at in years, figure out all of the places the employee has stored sensitive company information and get it back, and ensure that employees understand their continuing obligations not to use or disclose company trade secrets."
