Nearly half of all reported instances of intellectual property (IP) theft involved trusted insiders, according to analysis conducted by the Verizon RISK Team, which issued a report with new findings gleaned from the company’s 2012 Data Breach Investigations Report.
In the Verizon DBIR Intellectual Property Snapshot (.pdf), the researchers found that while the majority of breach events were executed by external actors, 46% of all events which culminated in the loss of proprietary data involved an employee, highlighting the challenges enterprises continue to face in protecting sensitive information from insider threats.
“The take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy. Understanding that ‘we’ are sometimes our own enemy—and sometimes the enemy targets its own—is important to building good policy and practice for defending the crown jewels,” the report states.
What defines the insider threat?
Most often insider threats materialize in the form of employees who are experiencing higher than average levels of distress, a sign management should be on the lookout for, according to security consultant Jeffrey Carr.
Intellectual property protection
Intellectual property theft often involves collusion between attackers and malicious insiders, according to a study of 85 breaches conducted by Verizon.
“A company's defensive posture to confront the insider threat needs to include management training in observing early warning signs of employee stress such as financial problems, marital problems, poor job performance, etc. Once an employee is showing signs, increased monitoring of their email and web surfing habits may be advisable. Most companies' employee agreements include provisions for this level of monitoring as long as the employee is using company assets,” Carr said.
The impetus for the theft of intellectual property by an employee can include a combination of factors including greed, moral ambiguity, or temptation fueled by unfettered access to valuable information.
“Insider threats are motivated by self-interest and influenced by personal preferences, social context and local culture. As Prospect Theory predicts, trusted insiders are hungry for the possibility of personal gain by stealing IP. Like any other crime, a person needs a combination of means, opportunity, and intent in order to steal intellectual property,” said Danny Lieberman, CTO of Software Associates, a software security consultancy based in Israel.
Defending against the insider threat
Among the technologies available for protecting IP from theft by insiders are Identity Access Management (IAM) tools, which allow companies to control access to sensitive data by assigning legitimate user accounts varying degrees of permissions for certain databases, applications, and systems. IAM software offers a measure of protection, but it has its shortcomings, according to Lieberman.
“IAM is the most basic security countermeasure for mitigating the risk of insider security breaches, but paradoxically IAM can also provide the means for trusted insider theft of IP. Insiders typically have knowledge of how the system works, the business processes, the company culture and how people interact. They know who administers the rights management systems and who grants permissions. With the right knowledge and social connections, access to sensitive data can be obtained even if it was not originally granted by design in the IAM system,” Lieberman warns.
Another available solution involves implementing Information Rights Management (IRM) tools, which use cryptography to protect information contained in sensitive documents and communications from unauthorized access both within and outside of an organization’s network.
But IRM has drawbacks as well: it requires the organization to always know in advance specifically which information it wants to control and protect by way of the IRM system. “IRM mitigates the vulnerability of means to an extent, but does nothing to lessen the threat posed by opportunity. Once rights are granted by the IRM system – the user is trusted and has access to the controlled document,” Lieberman said.
A more comprehensive strategy for the protection of intellectual property against misappropriation by trusted insiders is the deployment of a Data Loss Prevention (DLP) solution, which can prevent unauthorized access and the transfer of sensitive corporate data, as well as issue alerts if any attempts are made at either.
“DLP is a data-centric security control, agnostic to permissions controls and applications. Agent DLP runs on the user PC, whereas network DLP runs in the enterprise network. DLP enables the organization to monitor information flowing in and out of the company in order to detect and prevent information leaks. Compared to other solutions, DLP actually mitigates all three vulnerabilities – means, opportunity and intent, since it measures movement of data to unauthorized destinations and is independent of any rights management,” Lieberman said.
Even with basic controls in place, the risk of sensitive data loss by way of trusted insiders will persist. “Insider threats are a serious problem, with no good off-the-shelf solutions,” Carr added.
The Verizon report recommends that enterprises make a concerted effort to practice pre-employment screening of employees, enforce separation of duties, and regulate user network privileges, in addition to implementing monitoring systems, in order to prevent the theft of intellectual property.
About the author:
Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. You can also find him tweeting about security topics on Twitter @anthonymfreed.