IP Theft Goes Far Beyond the Huawei Scandal: How to Stay Safe

Nearly 51% of respondents who experienced an IP theft cited human error as a cause; examples include lost devices, unintended disclosure and tailgating. For instance, in October 2017, an Apple engineer brought his daughter to work — where she filmed the unreleased iPhone X for her vlog. The footage included an iPhone X with special employee-only QR codes and a notes app with the code names of unreleased Apple products. After her video went viral on YouTube, her dad was dismissed from Apple.

Malware Infiltrations

Another common way to steal proprietary data is by planting malicious software on a company's systems; this pattern was reported in 48% of cases. For example, in the period from January 2010 to May 2015, two Chinese intelligence officers and five hackers used a combination of malware, phishing and domain hijacking to steal engine plans and other confidential business information from 13 companies in the U.S., UK, France and Australia. The case is still under investigation but prosecutors already say that the scheme was backed by a Chinese state-owned aerospace company that was working to develop a similar type of engine for use in commercial aircraft and that two Jiangsu Province Ministry of State Security (JSSD) officers planned the attack.

Privilege Abuse

Abuse of privileges accounted for 34% of incidents, making it the third most common IP theft scenario. A Netwrix blog post describes how ex-employees paid insiders to steal intellectual property from a school district in Arizona. Another example hit the news in December 2018, when a Chinese national was arrested for allegedly stealing a billion dollars' worth of battery technology trade secrets from his employer, U.S.-based company Phillips 66, on behalf of a Chinese petroleum firm that had offered him a new job.

Factors that Put Organizations at Increased Risk of IP Theft

Hackers and state-affiliated adversaries stealing trade secrets from big enterprises will undoubtedly continue making the news. The manufacturing industry is especially prone to cyber espionage by state-affiliated actors; according to the 2018 Verizon Data Breach Investigations Report (DBIR), 53% of attacks in this vertical were carried out by state actors.

However, organizations cannot limit their defense strategy to outside attackers. They also need to be able to protect their secrets from those closest to them — their own employees.

Unfortunately, many organizations do not yet understand this reality. Our survey revealed important discrepancies between the threat actors that organizations consider dangerous and those who are actually responsible for IP theft. For example, respondents underestimated the threat from departing/terminated employees; only 25% considered this an important risk but it was a factor in 39% of actual security incidents. More broadly, respondents regard hackers (29%) and hacktivists (18%) as posing the most threat to their IP, when in fact over 60% of actual incidents were caused by their own users and IT team. Perhaps the biggest surprise was that respondents ranked IT staff as the least dangerous threat actor; they were actually responsible for 30% of reported incidents.

The root of this misunderstanding may lie in the following fact: Even if it's an external actor who initiates an attack on your IP, it is often an internal user who opens the door to your network for them, for instance, by clicking on a malicious link, installing an untested software update or letting an expired security certificate go unnoticed.

Apart from being mistaken about who poses the most threat to their business secrets, organizations show a disturbing negligence of security best practices, which puts their IP at even higher risk. Our research found that 44% of organizations do not know or are unsure about how their employees deal with sensitive data, including IP. Only 29% of organizations conduct an asset inventory at least once a quarter, as recommended by security experts, in order to control shadow IT and detect threats to data. Moreover, even though data access rights should be updated every six months to help prevent inappropriate access, 51% of organizations perform such checks less than once a year. One of the most neglected controls is conducting data classification — almost half of respondents perform it only once a year, rarely or never.

As a result, the current level of security organizations have in place is often inadequate for defending against IP theft, leaving them easy targets for malicious insiders and sneaky hackers alike.

How to Reduce the Risk to Your IP

The best way to mitigating the risk of IP theft is to following proven data management best practices. In particular, you should:

• Know where your data resides and what happens to it. Start by determining exactly what sensitive data you hold and who has access to it. Remember, this is not a one-time process. Loads of data is being created, modified and moved daily, so the classification process should be automated to make sure it is consistent and accurate.
• Define and eliminate potential points of compromise. In particular, restrict access to your most critical information on a need-to-know basis and keep it separated from the rest of your network.
• Routinely monitor the activity of your employees. Remember that the threat to your IP often comes from insider actions, whether accidental or intentional. Pay special attention to resigning staff.
• Get HR buy-in. Make sure that HR team alerts you to anything that seems out of whack. For instance, they should tell you if they notice an employee acting strangely and suspect he might be being blackmailed, so you can monitor his activity more closely. Moreover, ensure they notify you before anyone is terminated, so you can revoke their access to IT systems before they have a chance to steal IP or do other damage.
• Provide relevant security training. Teach employees how to identify social attacks and provide an easy way for them to report them. Explain how they should work with certain types of critical information; for example, explain the serious consequences of leaving sensitive content open on their corporate laptops at a café or bar. Tailor the sessions to the employees' roles and level of access to critical assets.

Investing in the right tools can help a great deal in mitigating the risk of IP theft. But remember, common sense is something you cannot buy — only nurture.

*****

Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.