Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
When it comes to intellectual property (IP), it seems like everybody is talking about global enterprises, such as Huawei allegedly stealing valuable technology from T-Mobile and other businesses backed by the Chinese government to get a leg up on the competition. Other recent juicy news hooks feature tech giants like Apple, Tesla and Uber.
But the truth is, IP theft is not limited to kingpins of business. Even if your organization has never appeared in the headlines, you cannot rest easy that no one is interested in acquiring your know-how. In fact, analysis the results of our survey for the 2018 Netwrix IT Risks Report reveals that small and medium organizations are actually more vulnerable to IP theft and cyber espionage than enterprises. Those events just don't make the news.
This article delves further into the survey responses to understand the most frequent patterns for IP theft and explain the key best practices that can help you mitigate your risk.
|Human Errors
Nearly 51% of respondents who experienced an IP theft cited human error as a cause; examples include lost devices, unintended disclosure and tailgating. For instance, in October 2017, an Apple engineer brought his daughter to work — where she filmed the unreleased iPhone X for her vlog. The footage included an iPhone X with special employee-only QR codes and a notes app with the code names of unreleased Apple products. After her video went viral on YouTube, her dad was dismissed from Apple.
Malware Infiltrations
Another common way to steal proprietary data is by planting malicious software on a company's systems; this pattern was reported in 48% of cases. For example, in the period from January 2010 to May 2015, two Chinese intelligence officers and five hackers used a combination of malware, phishing and domain hijacking to steal engine plans and other confidential business information from 13 companies in the U.S., UK, France and Australia. The case is still under investigation but prosecutors already say that the scheme was backed by a Chinese state-owned aerospace company that was working to develop a similar type of engine for use in commercial aircraft and that two Jiangsu Province Ministry of State Security (JSSD) officers planned the attack.
Privilege Abuse
Abuse of privileges accounted for 34% of incidents, making it the third most common IP theft scenario. A Netwrix blog post describes how ex-employees paid insiders to steal intellectual property from a school district in Arizona. Another example hit the news in December 2018, when a Chinese national was arrested for allegedly stealing a billion dollars' worth of battery technology trade secrets from his employer, U.S.-based company Phillips 66, on behalf of a Chinese petroleum firm that had offered him a new job.
|Hackers and state-affiliated adversaries stealing trade secrets from big enterprises will undoubtedly continue making the news. The manufacturing industry is especially prone to cyber espionage by state-affiliated actors; according to the 2018 Verizon Data Breach Investigations Report (DBIR), 53% of attacks in this vertical were carried out by state actors.
However, organizations cannot limit their defense strategy to outside attackers. They also need to be able to protect their secrets from those closest to them — their own employees.
Unfortunately, many organizations do not yet understand this reality. Our survey revealed important discrepancies between the threat actors that organizations consider dangerous and those who are actually responsible for IP theft. For example, respondents underestimated the threat from departing/terminated employees; only 25% considered this an important risk but it was a factor in 39% of actual security incidents. More broadly, respondents regard hackers (29%) and hacktivists (18%) as posing the most threat to their IP, when in fact over 60% of actual incidents were caused by their own users and IT team. Perhaps the biggest surprise was that respondents ranked IT staff as the least dangerous threat actor; they were actually responsible for 30% of reported incidents.
The root of this misunderstanding may lie in the following fact: Even if it's an external actor who initiates an attack on your IP, it is often an internal user who opens the door to your network for them, for instance, by clicking on a malicious link, installing an untested software update or letting an expired security certificate go unnoticed.
Apart from being mistaken about who poses the most threat to their business secrets, organizations show a disturbing negligence of security best practices, which puts their IP at even higher risk. Our research found that 44% of organizations do not know or are unsure about how their employees deal with sensitive data, including IP. Only 29% of organizations conduct an asset inventory at least once a quarter, as recommended by security experts, in order to control shadow IT and detect threats to data. Moreover, even though data access rights should be updated every six months to help prevent inappropriate access, 51% of organizations perform such checks less than once a year. One of the most neglected controls is conducting data classification — almost half of respondents perform it only once a year, rarely or never.
As a result, the current level of security organizations have in place is often inadequate for defending against IP theft, leaving them easy targets for malicious insiders and sneaky hackers alike.
|The best way to mitigating the risk of IP theft is to following proven data management best practices. In particular, you should:
Investing in the right tools can help a great deal in mitigating the risk of IP theft. But remember, common sense is something you cannot buy — only nurture.
*****
Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software.
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.