Insider threats

Having read a multitude of articles and recommendations for mitigating insider threat issues involving intellectual property, we are struck by a set of common threads across the suggestions: develop and implement policies, manuals, procedures and programs; develop and implement technical solutions; review and audit what you have.

While no doubt this will aid in preventing, deterring and even identifying those responsible, the challenge we see facing the business community is: do all businesses have the expertise and/or the resources to assess, develop and implement these? Further, if they do identify someone in their organization who has “misappropriated” their information, can they really expect any support from law enforcement or the court systems?

Those of us who have spent any time working within the security community are very well aware of the limited resources available within the Federal Criminal Justice Investigative agencies, which must use an estimated monetary valuation of loss, or as in the case of credit card system breaches – potential loss – before they are willing to commit resources to investigate. Further, these agencies are often also limited by the U.S. Attorney’s offices that, again, due to limited resources, are unwilling to prosecute.

While legislators have passed a multitude of statutes to aid in the protection of our economic interests pertaining to data systems – non-physical assets and privacy – frequently any course of action is still determined by the concept of monetary loss and treated as if someone was stealing or damaging physical assets, or, as in the case of the Stored Communications Act (SCA), creating a statute that has been described as dense and confusing even to legal scholars.

This challenge is further aggravated by a growing social trend around entitlement and the belief that information should be free. Let’s not forget the music and movie industries’ ongoing battle with counterfeiting, infringement and theft. Current methodology suggests to the victims that if two people steal the same information, only the one smart enough to monetize it at a high level will be prosecuted or is worth the investment of a civil action.

Also troubling are the terms-of-use policies of many social networks and data services, which are in essence binding contracts with their users, many of whom are your employees. Most of these started out as individual consumer services, often free, but have now aggressively targeted businesses to increase revenues. They have become integrated into businesses’ branding and marketing strategies, and whole jobs are built entirely around managing these activities and using them to communicate with customers, suppliers, candidates and employees. Who owns this information? Why do these companies provide free software to interconnect with your employees’ contact lists? Do you believe that it is to “improve your employees’ user experience”? We bring this up because most of these organizations take the legal position that the individual who sets up the account is the owner. This means that for companies that issue computers, phones, tablets, network IDs and email accounts on company domains, and pay for any of these services, an employee can set up accounts using the company’s assets and email with LinkedIn, Apple iCloud, Dropbox, Google, etc., and engage in business communications through them. If the company wishes to recover that information when the employee leaves the organization, it must obtain a court order. Case law on these issues is still evolving, which means that businesses seeking civil relief will be out on the bleeding edge of the legal system.

One of the common paragraphs found in employee manuals involves the ownership of information stored on systems and equipment owned or controlled by the company but placed there by its employees. Overall, these policies state that the information is the property of the organization. Many also limit or outright exclude the use of company assets for personal purposes, to the degree that it may be grounds for termination. Under vicarious liability actions, if a court finds a reasonable expectation that a property owner had or should have had knowledge of a risk, then often there is a finding against that owner. We don’t believe it is unreasonable to expect that if a third-party service provider enters into an agreement with an individual using a company identity or asset, the provider has some obligation when approached by officials of that company. Basically, why are we making it so difficult for the victims?

About the Authors: Jerry J. Brennan is the founder and Chief Operating Officer of Security Management Resources (SMR Group), the world’s leading executive search firm exclusively focused on corporate security. Lynn Mattice is Managing Director of Mattice and Associates, a management consultancy focused on the development and alignment of Enterprise Risk Management and Business Intelligence Programs, as well as Intellectual Property Protection and Cybersecurity.