Who is Facilitating Insider Threats?
Are enterprises in an impossible situation when it comes to dealing with insider threats?
Having read a multitude of articles and recommendations for mitigating insider threat issues involving intellectual property, we are struck by a set of common threads across the suggestions: develop and implement policies, manuals, procedures and programs; develop and implement technical solutions; review and audit what you have.
While no doubt this will aid in preventing, deterring and even identifying those responsible, the challenge we see facing the business community is: do all businesses have the expertise and/or the resources to assess, develop and implement these? Further, if they do identify someone in their organization who has “misappropriated” their information, can they really expect any support from law enforcement or the court systems?
Those of us who have spent any time working within the security community are very well aware of the limited resources available within the Federal Criminal Justice Investigative agencies, where an estimated monetary valuation of loss, or, as in the case of credit card system breaches, potential loss, must be established before they are willing to commit resources to investigate. Further, these agencies are often also limited by the U.S. Attorney’s offices that, again, due to limited resources, are unwilling to prosecute.
While legislators have passed a multitude of statutes to aid in the protection of our economic interests pertaining to data systems, non-physical assets and privacy, frequently any course of action is still determined by the concept of monetary loss and treated as if someone were stealing or damaging physical assets; or, as in the case of the Stored Communications Act (SCA), the result is a statute that has been described as dense and confusing even to legal scholars.
This challenge is further aggravated by a growing social trend around entitlement and the belief that information should be free. Let’s not forget the music and movie industry’s ongoing battle with counterfeiting, infringement and theft. Current methodology suggests to the victims that if two people steal the same information, only the one smart enough to monetize it at a high level will be prosecuted or be worth the investment of a civil action.
One of the common paragraphs found in employee manuals involves the ownership of information stored on systems and equipment owned or controlled by the company, but placed there by its employees. Overall, these policies state that the information is the property of the organization. Many also limit or outright exclude the use of company assets for personal purposes, to the degree that it may be grounds for termination. Under vicarious liability actions, if a court finds a reasonable expectation that a property owner had or should have had knowledge of a risk, then often there is a finding against that owner. We believe it is not unreasonable that, if a third-party service provider enters into an agreement with an individual using a company identity or asset, that provider should have some obligation when approached by officials of that company. Basically, why are we making it so difficult for the victims?
About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused on corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused on the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity.