Survey: Most CEOs Exfiltrate Intellectual Property When Leaving
When a nation-state such as China steals the intellectual property (IP) of American companies and government, we collectively cry foul and talk about the need to better secure our IP and other data.
But what about when corporate leadership is stealing that information? It is a data theft crime that happens more often than you think. According to new research by Code42, 72 percent of CEOs have admitted to taking valuable intellectual property with them when they left a job.
“In this scenario, CEOs (insider threat) have transferred company IP illegally (data exfiltration), so I’d view this more as data exfiltration,” said Jadee Hanson, chief information security officer at Code42.
Who Owns IP?
We don’t usually associate CEOs as an insider threat, but clearly that’s what’s happening. Yet, it appears that data security executives are looking the other way. It may be because they don’t want to think the worst of their former colleagues (but would they be so forgiving of a low-level manager doing the same?), but it also could be another reason.
“Our research revealed that three-quarters of CEOs say, ‘it’s not just corporate data, it’s my work, my ideas,’ and 70 percent of business leaders agree,” said Hanson. “I believe that because of this feeling of ownership over their work, people may not view taking data and IP as theft.”
Preventing intellectual property theft isn’t easy. As Hanson pointed out, the strongest security perimeter and most costly tools for external detection do no good when the threat is internal.
“That’s why one of the most significant takeaways from our research is that it is crucial for data security executives to have visibility to the movement of data and files across their organization,” she added.
Lack of Visibility
However, visibility is an issue for most companies. The study found that 73 percent of security and IT leaders believe that some company data only exists on endpoints, while 80 percent believe their company is at risk if data/work/ideas are stored on endpoint devices without a copy being held in centralized storage. This lack of visibility makes it easy for CEOs, or anyone inside, to access data without being caught. If you can’t see your data, how do you know if someone is accessing it without authorization?
Addressing Insider Threats
One takeaway from this research is that organizations need to step up their game in addressing insider threats, especially when it involves corporate leadership. Hanson advised that companies need to be vigilant not only within their own hallways but within the industry as a whole.
“CISOs and their teams need to include ongoing employee education as a crucial component of their data security strategies,” said Hanson. “The data security study showed that three-quarters of CISOs believe they can enhance their security strategies by combining prevention and recovery together, so there’s definitely an awareness that strategies need to improve.
Four best practices that Hanson said all CISOs should be doing day in and day out include:
- Be proactive with your data security as soon as you hire employees. Clearly outline their security responsibilities to your company. If employees are terminated due to data security violations, turn it into a teaching moment. Create an anonymous case study to use as part of your ongoing employee education training.
- When employees resign, thank them for their service, hold an exit interview where you acknowledge that they’re trusted, remind them about sticking to company policy and have them sign a document that summarizes intellectual property law and their obligations to protect your corporate intellectual property.
- In terms of technology, it’s critical to have the types of solutions in place that give you visibility to data as it moves throughout your network in real time by identifying all types of files that are moved from a device, who is moving them, and when and where they’re being moved.
- Follow up on all alerts in a timely manner. Communicate with employees about what your alerts are telling you. Whether acts are maliciousness is irrelevant—after all, your job is to protect your intellectual property.
