By Paul Mitchell.
The senior law firm partner stretched out in his business class seat and contemplated the successful trip he had just had in Hong Kong. He had presented at a major conference, enhancing his reputation and standing within his profession, in the area of corporate governance. And now he was on his way back to Los Angeles, an 11-hour flight and an opportunity to do the work he needed in preparation for a busy week. He pulled down his briefcase from the overhead locker and took out his laptop. He noticed nothing as he booted the device up, he experienced nothing but frustration when the machine would not start. Cursing silently under his breath, he put the laptop back into his bag, pulled out a book and settled down for the long journey.
The following morning he walked into the IT department of the firm and handed over the delinquent laptop. Ten minutes later a wide-eyed, very pale IT technician stood at his door.
“The laptop is not yours.”
“Of course it is, the company logo is engraved on the case,” replied the partner.
“Regardless of that, the laptop is not yours. The laptops have been switched. I hope there was nothing on your machine.”
Of course there had been sensitive and secret information on his laptop. Despite a corporate policy of never carrying unencrypted secret documents on a laptop, this very senior executive had flouted those rules because working with encrypted documents was time-consuming and a ‘pain’.
This very high profile international firm, specialising in IP funding and development for some of the largest global companies, is now facing a massive compensation payout as the laptop contained the total IP of a major client, including design and development details.
When we look at the protection of corporate IP, we need to also consider the protection of the corporation’s reputation and standing. All are irrevocably linked and what compromises one compromises the other.
In a 2010 study, 46 per cent of lost laptops contained confidential data. Only 30 per cent of those systems were encrypted and only 10 per cent had other anti-theft technologies installed. In a study conducted by Intel Corporation, the average value of a lost laptop is in excess of $49,000 with the data breach cost representing 80 per cent in comparison to 2 per cent for replacing the computer. Encryption, on balance, reduces the risk profile considerably and a combination of robust corporate policy relating to IP protection and efficient encryption can reduce the risk profile even further.
The CEO of one of our top 500 companies was holidaying with his family at an upmarket resort in Thailand. His wife and two teenage daughters were going to take advantage of the beautiful weather whilst the executive was going to catch up with some rest and relaxation in between top-level meetings he was conducting with the Thailand government. On the first night, at dinner, his daughter got the waiter to take a family photo on her smartphone. Sitting there while her family chatted around her, she ‘checked in’ on a popular social networking site. Unbeknown to her, she and her siblings were being monitored by people who were looking to compromise their father. When one has 1,230 friends on social media, as was the case with this particular CEO’s daughter, it is improbable that one will know all of them. Therefore, it is very easy for someone with nefarious motivations to gain access to important information such as a person’s location via social media. Over the next 10 days, the daughter provided detailed itinerary and movement details of herself and her family.
On the family’s return home, they discovered that their house had been broken into. Among the items stolen was the desktop computer of the CEO. 12 weeks later, indications that security around sensitive corporate data had been breached were noticed. Millions of dollars in sensitive/secret corporate plans had been misappropriated. The break-in was very clearly planned but was the main objective corporate espionage or criminal activity? Criminals today are very aware that information is often far more valuable than ‘things’. A corporation’s competitors may be quite prepared to buy information, regardless of the source.
This tracking of an executive’s family members is made so much easier with today’s obsession with social media. Many executives are themselves guilty of providing an easily traceable movement pattern courtesy of Facebook and the like. Corporations must ensure that they have, as a part of corporate policy, policy and procedure relating to the ‘new phenomena’ of social media and SMS. This should include guidelines for executive’s family members. Many of the corporations where I provide training, in the area of high-risk region deployment and travel, have grasped the concept that the executive’s family must be part of the security solution rather than a part of the security problem. Consequently, they are now providing training and briefing for executive’s families. Creating guidelines for social media exposure needs to be as holistic.
So many reputations have been irrevocably damaged by overindulgence and lack of forethought using social media. Communication is immediate and in the public domain forever.
However, electronic communication is the area of greatest vulnerability for corporations in the modern global business environment. Corporations large and small, executives, managers and employees share, store and transmit data with the click of a mouse. Much sensitive and secret information is transmitted electronically and reference to it is often made with the ‘new executive communication tool’: the SMS. Email and SMS might provide an unprecedented level of convenience, but these tools also exponentially increase a corporation’s risk profile.
There has been a huge awakening in government and corporate circles with, first, Wikileaks and then US Defense contractor employee Edward Snowden and his exposure of government complicity in various embarrassing and harmful activities, to the exposure to harm and risk created by storage of electronic communication.
If we consider the potential damage, not just to reputations but also to corporate health and financial wellbeing, then it is certainly in the interests of corporations and governments to protect their innermost secrets. Whether they be government secrets or corporate secrets – surrounding product development, marketing, mergers, acquisitions, shareholder benefits, etc – exposure of this information to our competitors has the potential to create lasting and deep felt harm.
A paper published in 2012, Behavioral risk indicators of malicious insider IP theft, made an analysis of the most likely perpetrators of IP theft as opposed to inadvertent loss. When faced with this information, most corporations are at a loss to either explain their risk resilience or mitigate the risk to the benefit of the corporation and its shareholders.
- The majority of IP theft is committed by current male employees. These employees are involved in the operation and development of a corporation’s strategic development and include engineers, scientists, programmers and senior managers.
- Although 65 per cent of employees who commit insider IP theft have already accepted positions with a competing company or started their own company at the time of the theft, about 20 per cent were recruited by an outsider to target the data on behalf of a competitor.
- Three quarters of insiders stole material they were authorised to access. Trade secrets were stolen in 52 per cent of cases.
- The majority of insider Intellectual Property Crimes used the network, email, a remote network access channel or network file transfer to remove the stolen data.
- However, most insider IP theft was discovered by non-technical staff members.
Most corporations and governments now understand the necessity for guarding against external breaches. They employ network security, preventing network intrusion and unauthorised access. They employ firewalls, anti-virus programs, anti-spam and anti-spyware strategies. IT departments have become very adept at creating intrusion prevention systems, and yet the hackers still get in. Even the Pentagon has been hacked on several occasions. The next stage in this ‘information protection strategy’ has got to be ensuring that all documents and information is protected both in transit and at rest. There needs to be a guaranteed audit trail for all sensitive information and there needs to be an alert system when corporate procedure is bypassed or breached. Access to sensitive information needs to be on a ‘need-to-know basis’ and there need to be alerts activated when someone accesses information to which they are not entitled.
Of course, in every company there are people that are considered to need access to all the information on a given project. If this is the case in your company or with your project, there needs to be a carefully constructed audit trail of all emails, documents, attachments and SMSs relating to any specific subject or project. Edward Snowden accessed documents far outside his authorised limits and the USA Government, only recently, stated that they did not know what documents were still exposed.
Some access limits that the company should impose include:
- Do board members need access to all information?
- What about the executive?
- And the project management team, which of them should have access to the total project?
- Does the CFO really need access to all the information? What about the CEO?
- How much data on a project should be kept in any one place?
- Should a total project be allowed on any one person’s laptop?
- Does your company have a policy that all laptops should be cleaned of sensitive information on a daily or weekly basis?
- Is all your sensitive data kept in a securely encrypted and backed up archive?
If you and your executive team have not considered the questions above and do not have an answer, then the beginning of your journey to protecting the IP you are responsible for should start there.
Every time an executive, manager or – in some instances – a project team member sends an unencrypted email or SMS about the sensitive information owned by your company or department, you should think of them as sending a postcard (i.e readable by anyone who sees it). In the days of global communication by Postal Service, the postcard was seen as containing only information that you were comfortable with anyone seeing. So it is with the unencrypted email.
A protected electronic communication system provides secure communication, end-to-end, between authorised parties involved in the conversation. Unauthorised parties must not be able to intercept or read the communication either in transit (on the network) or at rest in your archive or storage. This includes storage on desktop and laptop computers, tablets and smartphones. Merely having an encrypted connection to a communication server (e.g. SSL or TLS) is not a protected communication system. Again, considering the old postal system, this can be seen as securely delivering a postcard to a post box. In the old system, the postal network, including the postman, ensured secure delivery to your post box. Responsibility for what happened to that information in your post box was up to you. So it is with modern electronic communication. Once the communication arrives at the post box it can be vulnerable to interception. We ensure that we eliminate vulnerability by having secure end-to-end encryption.
In the days of horse-drawn stagecoaches, in both Australia and the USA, the mail was delivered hand-to-hand. They recognised the vulnerability of sensitive information. In times of war, all communication is encrypted and nations employ huge numbers of people to decrypt communication from the other side. Before electronic communication, Generals employed trusted soldiers to deliver sealed communications hand-to-hand. The question each executive has to answer is “does my communications system securely deliver information hand-to-hand?”
The questions we really need to be asking are why do we not encrypt all our sensitive information and all communication surrounding it? What do we store?
And lastly, what do we need access to in both the short-, medium- and long-term?
Paul Mitchell is Managing Director of GlobalEdge, an Australian and UK based Company providing State of the Art Training Programs relating to Executive Personal Safety, Security and Risk Assessment in hostile environments, either at home or abroad. Global Edge also provide high-level training programs for the military and police in highly specialised areas of training
Paul can be contacted on +61 433 349809 or by email at firstname.lastname@example.org