We have seen it in the movies, read about it in best-selling novels, and heard about it in the news: the employee who steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. In the movie Office Space, a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the company's database; the virus's purpose is to steal the tiny fractions of cents left over from complex interest calculations and send them to an anonymous bank account. In the movie Paycheck, the main character is a reverse-engineering specialist hired by companies to steal a competitor's latest tech designs so they can copy them and build a competing product.
These movie examples are humorous and often a break from reality. What they also show is how simple, misguided actions can grow into huge problems for companies. Do we have examples of this happening in the business world of today? Of course, though the actual details often pale in comparison to the excitement we find in the movies. A modern example is the ongoing lawsuits among Apple, Samsung, and sometimes Google over the intellectual property in smart devices and the patents on the technologies inside them. Is it likely that some of the information technology these giant corporations are suing each other over was misappropriated, lost, stolen, or sold by careless or greedy employees?
We have been researching articles on the risk management of intellectual property loss and how it affects companies. Many of the articles we have come across tell of former employees stealing precious data and running to a competitor, offering the stolen data for a chance to climb the ranks in the new company. Others tell of employees moving intellectual property to personal devices so they can take their work home. In the business world today, the demand for increased employee productivity is a primary driver for these employees to "do what it takes" to get ahead and keep their jobs.
A survey conducted for Symantec by the Ponemon Institute in October 2012 revealed startling statistics about employees' misuse and abuse of company intellectual property, as well as their beliefs about their companies' policies regarding IP.
The findings suggest employees openly move company IP wherever it suits them: to a personal computer, smartphone, or tablet, or into email or cloud file sharing. This is often done because the employee is unaware of the risk, but also because the consequence, if any, is minimal. Over half of the employees surveyed believe removing corporate data doesn't harm the company, and why should they think otherwise, when over 50% believe the company doesn't strictly enforce its policies?
When these employees leave the company, the IP is not returned or collected, nor is it honestly disposed of by the departing employee. In fact, over 40% of the survey respondents admit they plan to use the IP in their new jobs. This is especially problematic when 42% of those surveyed believe they own their work, such as the source code they created. The new employer is exposed to risks and lawsuits, and may not even know the employee took the IP from her previous employer.
This inadvertent or intentional disregard of company IP policies can become a major problem for businesses of all sizes. As we all know, phones are lost, computers get stolen, and we upgrade our devices without thoroughly erasing the last two years of our personal lives. Why do companies allow this to happen? How do we stop it, or at the very least control it better?
According to ISO 27002 control 15.1.2, Intellectual Property Rights, controls should be put in place to limit or reduce the risk associated with allowing employees to use mobile devices for both personal and professional use. Companies must clearly outline their expectations for employees regarding the respect due to intellectual property. The company should continually remind employees which data is eligible for use outside of company-controlled devices, and its policies should state which documents are restricted from use on technology the company does not control. The "Top Secret" stamp used in the movies comes to mind when you think about how simple this step could be in promoting safe use of data.
Continuous monitoring of protected data, through access rights and privileges on files and on the distribution of those files, is another step companies can implement. This may include electronic notifications sent to employees and managers when specific data areas are accessed. This would be especially critical if the company allows remote access through VPNs or cloud-based storage.
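As an added illustration of the notification control described above (example code written for this post, not part of the original or of any ISO document), the script below reads constructed file-access audit lines, raises a notification whenever a restricted data area is touched, marks accesses that arrive from an assumed VPN address pool, and escalates when one user copies several restricted files. The restricted path prefix, VPN pool, and copy threshold are assumptions a company would set in its own policy.

```python
import re

# Constructed sample of file-server audit lines (not real data).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice path=/shares/engineering/release-notes.txt action=read src=10.0.4.21
2024-05-01T09:15:44Z user=bob path=/shares/restricted/source/core.c action=read src=10.0.4.33
2024-05-01T22:40:10Z user=bob path=/shares/restricted/designs/rev7.pdf action=copy src=172.16.9.5
2024-05-01T22:41:02Z user=bob path=/shares/restricted/designs/rev8.pdf action=copy src=172.16.9.5
2024-05-01T22:41:30Z user=bob path=/shares/restricted/designs/rev9.pdf action=copy src=172.16.9.5
"""

# Assumed policy settings: which areas are "restricted", which source
# addresses belong to the VPN pool, and how many copies trigger escalation.
RESTRICTED_PREFIXES = ("/shares/restricted/",)
VPN_POOL = "172.16.9."
COPY_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def notifications(events):
    """One NOTIFY per restricted-area access, plus an ALERT per user who bulk-copies."""
    notes = []
    copies = {}
    for e in events:
        if not e["path"].startswith(RESTRICTED_PREFIXES):
            continue  # access to a non-restricted area needs no notification
        via = " via VPN" if e["src"].startswith(VPN_POOL) else ""
        notes.append(f"NOTIFY manager: {e['user']} {e['action']} {e['path']} at {e['ts']}{via}")
        if e["action"] == "copy":
            copies[e["user"]] = copies.get(e["user"], 0) + 1
    for user, n in copies.items():
        if n >= COPY_THRESHOLD:
            notes.append(f"ALERT: {user} copied {n} restricted files; review before exit interview")
    return notes


if __name__ == "__main__":
    for note in notifications(parse(SAMPLE_LOG)):
        print(note)
```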
A higher level of expectation around non-disclosure agreements, and effective enforcement of these signed agreements, is a more involved step in the process that further reduces risk. The language in the NDA needs to be specific and clear to each employee who is issued one. NDAs should also be reviewed during the exit interview, to give the employee a strict reminder of his obligation to protect the confidentiality of the intellectual property. Collecting all company assets before the employee's departure, including IP stored on other electronic devices, is a no-brainer. Re-emphasizing the legal aspects of the agreement and the consequences to the employee is another important detail of the NDA.
The purpose of this blog post was to raise awareness of the growing problem of employees misusing and abusing their access to company intellectual property. Every day, hard-working people search for ways to increase their productivity and maximize their work output. The employer is responsible for communicating the expectations for protecting company IP and for enforcing the policies and behaviors needed to maintain quality control. The ISO 27001 and 27002 standards and controls can be applied in everyday job responsibilities to maintain the integrity of the company's data.