Preventing Corporate Espionage: Investigations, Data Analyses and Business Intelligence Presented by Keith Barger and Audra A. Dial March 19, 2014 2014 Kilpatrick Townsend & Stockton LLP
Protection of IP Assets To qualify as a trade secret, an asset must derive economic value from not being generally known and be subject to reasonable degrees of protection. Securing confidential information is equally important. IP assets that do not rise to the level of trade secrets can still be protected as confidential information through NDAs and possibly through statutory protections. 2
Perceptions of the Current Threat The highly publicized stories of leaked or stolen personally identifiable information (PII) in the form of credit cards, Social Security numbers and so on. Increased awareness is resulting in the institution of laws, regulations and industry standards resulting in organizations investing millions in controls to prevent and detect hacks. 3
The Less Publicized Threat Cyber-criminals, state governments, organized crime and hackers have and increasingly continue to target IP. Estimates show that IP theft costs U.S. businesses billions of dollars a year, while robbing it of jobs and lost tax revenues. The threat from emerging economies is of particular concern, as laws in those jurisdictions can be lax and enforcement more difficult. 4
Awareness of Risks Competitors conducting corporate espionage Launching social engineering ploys Departing employees who remove IP Leaks through social media/email/mobile devices/ removable media Bribery of employees Hacking Dumpster diving 5
Increasing Awareness Economic espionage or IP theft conducted by insiders, competitors or combinations of the two are the most tangible, common, and destructive threats. Attacks originate from a variety of sources such as an employee, a member of the management team, a corporate board member, third-party contractors or a collaborative partner in a joint venture. 6
Securing Your Companies Intellectual Property Educate employees about what your organization considers its most valuable assets. Identifying what your valuable assets consist of and where they reside is no easy task and can be found in multiple forms: Structured and unstructured Amorphous and concrete Capture in whole or in part across multiple documents Entire databases As simple as a thought or idea discussed during meetings 7
Prioritize Then Act Conduct a risk and cost-benefit analysis. Map your company s assets and determine what information, if lost or stolen, would have the greatest impact. Then consider which of those assets are at highest risk of being stolen. Identify it: Label confidential information. If your company data is proprietary, put a note to that effect on every log-in screen. Take precautions to protect information before it is compromised. 8
Prioritize Then Act Secure your organization s valuable information: Physical and digital protection is a must. Control access where sensitive data is stored. Track and limit access. Monitor the movement and who has possession of valuable information throughout your organization--whether it s the server farm or the musty paper archive room. Educate your employees: Humans are often the weakest link in the defensive chain. Education must be ongoing and practical. 9
Prioritize Then Act Devise the appropriate level of protection: Inhibiting data and information sharing, critical to today s collaborative environments, can adversely affect your organization. Yes, having a small amount of the crown jewels trade secrets that are protected by encryption or data masking, two- or three-factor authentication and embedded access controls may be appropriate. Audit the protection of your information and protect the most valuable 1-2% at the highest level. 10
Protection Strategies Apply a range of technologies: An essential tool is data loss protection (DLP), which helps track, identify and protect confidential and sensitive information for data that is stored, in use or in motion. In addition to DLP, you need to be able to monitor your two biggest communications channels (Web and e-mail) for outbound data and stop it in its tracks if necessary. Identity and access management tools are increasingly useful for ensuring that data doesn t fall into the wrong hands, and using security information and event management software with a solid log management tool can help you identify suspicious behavior and follow it all the way through to remediation of the threat. 11
Protection Strategies In terms of data, the highest risks to the loss or theft of trade secrets stem from mobile devices, cloud services and SSL traffic. SSL accounts for up to 50% of Web traffic, and criminals know that most IT security systems do not inspect it. Most anti-malware security solutions don t look out for such attacks decrypting SSL traffic coming into a network. This is also not something that s always covered by DLP. As services such as Gmail move to automatically send all traffic to SSL, this will only become more of an issue. Understand encryption and apply it judiciously. 12
Protection Strategies: USB Storage Risks: Low cost; easily concealed; portable; zero configuration; plug and play with any computer. Mitigation: Disconnect USB ports; confiscate keys and copiers; ban possession or limit to on-site use only. Monitor important file activity/transfers. 13
Protection Strategies: Laptops Risks: Create immediate access outside company; physical removal not necessary; quick transaction; can make it look like normal online activity. Requires an accomplice (knowing or unwitting) person or machine to receive data; likely to leave audit trail. Mitigation: Use products to inspect and prevent transactions. Ban hard-to-control apps like IM (But some companies can easily ban IM; others will have a user revolt!). Monitor applications and file transfer activity. The challenge here isn t the mechanics of preventing or stopping the loss of trade secret theft, but the balance of productivity and openness with the need to secure. 14
Protection Strategies: Mobile Devices Risks: Pictures of notes, whiteboards, labs, other sensitive data. Discreet; can capture handwritten data; portable; concealable; physical removal unnecessary. Mitigation: Ban mobile device cameras from use on premises. Where appropriate, search bags upon entry and/or departure to sensitive areas. Employees should report unusual behavior involving mobile devices. Many companies already ban mobile device cameras, especially in research areas or at sensitive meetings. Searches should start with visitors and extend to employees working in high-risk environments. 15
Protection Strategies: Departing Employees Create mirror images of hard drives. Don t taint potential evidence. Don t redeploy too quickly. Prepare an incident instruction memo. Understand modern methods of trade secret misappropriation and build defenses against their abuse. Make sure employees understand that, on computers, delete doesn t actually mean delete. Create a litigation response team. Be ethical, no matter what. 16
Protection Strategies: The Exit Interview Remind employee of confidentiality agreements previously executed and explain that the obligations are ongoing. Use a checklist! Do you have any company documents or materials at home? Have you returned all flash drives that contain company information? If doubtful, consider requesting the employee sign affidavit or certification. Must have ability to inspect or wipe mobile devices before employee separates! 17
Contact Information Keith Barger, Managing Director BDO Consulting 713.576.3477 kbarger@bdo.com Audra A. Dial, Partner Kilpatrick Townsend 404.815.6307 adial@kilpatricktownsend.com @audradial 18