Organizations want to believe that they can trust their employees with intellectual property (IP) security. In fact, even hinting that they don’t can lead to an uncomfortable conversation. A multi-step interview process, background checks, verified references, and a thorough vetting process go a long way toward making sure that the people being hired are trustworthy. But is it enough?
IP theft is a common concern for many organizations, large or small. It’s not just Apple and Tesla that have to worry about these things. The time and resources that you pour into your employees to develop a product demand that you take steps to secure that intellectual property. There are several ways for you to better secure your IP, specifically when it comes to technology. As with most solutions, it’s important to understand that there is no one-size-fits-all approach to take.
The IP Security Paperwork Part
First off, there needs to be a written policy in place, something that all employees must sign and to which they must adhere. The most minimalistic form of such a policy would essentially be: “I won’t steal intellectual property. Signed, [Name].” Consider going a step further, though, to look at typical employee activities so you can make some specific notations in the policy that prohibit other types of behavior. Let’s look at a few examples.
Forbid storing proprietary data on an employee’s device.
If your employees work in an application where all data is stored within the application, and there is no need to save files locally on a laptop, you may be able to include a statement that no proprietary data may ever be stored on a user’s device. This may also be the case if you are exclusively using thin clients where everything the user does is on a server, and the local device is essentially only the keyboard, mouse, and monitor.
Disallow storing IP on any device that can be removed from the office.
Do your employees only use desktop computers in the office, and you have no requirement to be able to access data remotely? Include in the policy that no intellectual property is to ever be present on any device that can be taken outside of the office.
Tailor your IP security policy to the work environment.
Your policy may even vary based on the duties of the employee. Salespeople may need laptops, but your engineers designing the software may not. However, most organizations find it appropriate to prohibit employees from storing or transmitting company information using personal email or personal cloud-sharing accounts. Whatever the case, tailor your policy to your environment. Having the proper written and signed policy in place can make sure that, if legal action does need to take place, there is no grey area.
The Inconvenient Convenience of USB Devices
USB devices are extraordinarily convenient; massive amounts of data can fit on a keychain. That same convenience, the ability to store data on a removable device, poses a real security challenge. Seriously consider whether your employees need to be able to exchange data via a USB device. There are many solutions for sharing data securely that don’t require physical devices. If USB storage is not something your employees need, consider implementing a computer configuration that disables the use of USB storage devices.
If you work in the Payment Card Industry (PCI) realm, you may already be familiar with the concept of restricting USB ports when handling payment information, but is payment information the only data you want to keep secure? Implementing a policy to prohibit the use of USB devices not only keeps an employee from potentially misusing such devices, but it also conveys to employees that you take the security of your data seriously.
What if your employees rely upon USB storage?
If USB storage is something your employees rely upon, logging information about the use of USB devices and sending that information to a central location is the next best option. It will give you the ability, should you suspect nefarious behavior, to see what was plugged in when, and it can help you get ahead of the situation.
Consider also providing company-purchased USB devices to employees who need them. If someone is looking to steal corporate secrets, they’re not likely to want to keep them on company hardware, since they will want to take the data with them when they leave. Requiring that employees return company-owned devices before leaving can help thwart such activity. It also gives you the opportunity to state in your employee contract that only company-issued devices may be used on company hardware.
If you have your doubts, you can view the USB activity that you’ve logged and see if an employee used a USB device that was not provided by the company. This can be an easy and timely red flag to find. Some endpoint security controls even allow you to prevent users from reading or writing to non-company-owned USB devices.
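The review described in this section, as an added example that is not part of the original post: a central collector receives USB connect/disconnect events, and a small script checks each connect event against the serial numbers of the devices the company issued. The log format, the host and user names, the vendor/product IDs and every serial number below are constructed for illustration; real endpoint or event-forwarding logs will differ in layout but carry the same fields.

```python
"""Review a USB-activity log against an allowlist of company-issued devices.

Added example, not from the original post. The log format (timestamp, host,
user, vendor:product, serial) is a constructed, simplified one, and all
serials and IDs below are made up.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample: serials of the USB sticks the company purchased and issued.
COMPANY_ISSUED_SERIALS: Set[str] = {"CORP-0001-AB12", "CORP-0002-CD34"}

# Constructed sample log lines in the collector format assumed for this example.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z host=WS-17 user=jdoe event=usb_connect vid_pid=1234:5678 serial=CORP-0001-AB12
2024-03-04T17:42:10Z host=WS-17 user=jdoe event=usb_connect vid_pid=abcd:ef01 serial=UNKNOWN-STICK-7F
2024-03-04T17:42:11Z host=WS-17 user=jdoe event=usb_disconnect vid_pid=abcd:ef01 serial=UNKNOWN-STICK-7F
2024-03-05T09:03:44Z host=WS-22 user=asmith event=usb_connect vid_pid=1234:5678 serial=CORP-0002-CD34
2024-03-05T21:58:31Z host=WS-22 user=asmith event=usb_connect vid_pid=abcd:ef01 serial=UNKNOWN-STICK-7F
"""


@dataclass
class UsbEvent:
    when: datetime
    host: str
    user: str
    event: str
    vid_pid: str
    serial: str


def parse_log(text: str) -> List[UsbEvent]:
    """Parse the constructed 'key=value' log format into UsbEvent records."""
    events: List[UsbEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(UsbEvent(
            when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            host=kv["host"], user=kv["user"], event=kv["event"],
            vid_pid=kv["vid_pid"], serial=kv["serial"],
        ))
    return events


def unknown_device_connects(events: List[UsbEvent], allowed: Set[str]) -> List[UsbEvent]:
    """Connect events for devices whose serial is not company-issued: the
    'easy and timely red flag' the post describes."""
    return [e for e in events if e.event == "usb_connect" and e.serial not in allowed]


def timeline_by_user(events: List[UsbEvent]) -> Dict[str, List[str]]:
    """Per-user list of 'when host serial' strings, so an investigator can see
    what was plugged in when."""
    out: Dict[str, List[str]] = {}
    for e in events:
        if e.event != "usb_connect":
            continue
        out.setdefault(e.user, []).append(f"{e.when.isoformat()} {e.host} {e.serial}")
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unknown_device_connects(evs, COMPANY_ISSUED_SERIALS):
        print(f"ALERT non-company USB device: user={e.user} host={e.host} "
              f"serial={e.serial} at {e.when.isoformat()}")
    for user, entries in timeline_by_user(evs).items():
        print(user, entries)
```

Two practical caveats: some inexpensive devices report no unique serial at all, and a serial can be rewritten on others, so an allowlist of this kind is a detection aid that supports the logging the post recommends, not a substitute for the endpoint control that blocks non-company storage outright.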
You Want It All, and I Know
This will certainly vary depending upon what type of platforms your company uses, but whatever you use, look into what capabilities you have to notify IT and/or management when large amounts of files are downloaded at one time. This isn’t a guarantee that all of your data will be safe, but if a disgruntled employee or an employee looking to impress their future bosses thinks that they can quickly grab their last few years of work the day before they leave the organization, you will be aware of it.
As with all alerts, some tuning will be needed. What constitutes “large amounts of files” varies according to the user’s role and the type of work the organization does. A few false positives may occur, but they are easily dismissed, and it’s always worth knowing if something else is going on.
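The bulk-download alert this section describes, with the role-dependent threshold the tuning paragraph calls for, as an added example that is not part of the original post. It counts each user’s file downloads inside a sliding time window and raises one alert the first time that count reaches the threshold for the user’s role. The event format, the user and role tables, the window length and the thresholds are all constructed for illustration and would be tuned to the organization.

```python
"""Flag users whose downloads in a short window exceed a role-specific threshold.

Added example, not from the original post. The event format, role table,
window and thresholds are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

WINDOW = timedelta(minutes=10)

# Constructed: what "large amounts of files" means differs by role.
ROLE_THRESHOLDS = {"engineer": 50, "sales": 20, "default": 30}
USER_ROLES = {"jdoe": "engineer", "asmith": "sales"}


@dataclass
class Download:
    when: datetime
    user: str
    path: str


@dataclass
class Alert:
    user: str
    role: str
    count: int
    window_end: datetime


def parse_events(lines: List[str]) -> List[Download]:
    """Constructed format: '<iso-timestamp> <user> <path>' per line; returns
    events sorted by time so the window logic sees them in order."""
    events: List[Download] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, path = line.split(" ", 2)
        events.append(Download(datetime.fromisoformat(ts), user, path))
    return sorted(events, key=lambda d: d.when)


def detect_bulk_downloads(events: List[Download]) -> List[Alert]:
    """Sliding-window count per user; one alert per user the first time the
    number of downloads inside WINDOW reaches that user's role threshold."""
    recent: Dict[str, Deque[datetime]] = {}
    alerted: Set[str] = set()
    alerts: List[Alert] = []
    for ev in events:
        q = recent.setdefault(ev.user, deque())
        q.append(ev.when)
        # Drop timestamps that have aged out of the window.
        while q and ev.when - q[0] > WINDOW:
            q.popleft()
        role = USER_ROLES.get(ev.user, "default")
        limit = ROLE_THRESHOLDS.get(role, ROLE_THRESHOLDS["default"])
        if len(q) >= limit and ev.user not in alerted:
            alerted.add(ev.user)
            alerts.append(Alert(ev.user, role, len(q), ev.when))
    return alerts


def constructed_sample() -> List[str]:
    """Constructed sample: jdoe (engineer) pulls 60 files in five minutes one
    evening; asmith (sales) downloads 15 files spread across a working day."""
    base = datetime(2024, 3, 29, 18, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} jdoe /projects/alpha/src/file{i}.c"
             for i in range(60)]
    day = datetime(2024, 3, 29, 9, 0, 0)
    lines += [f"{(day + timedelta(minutes=30 * i)).isoformat()} asmith /sales/deck{i}.pptx"
              for i in range(15)]
    return lines


if __name__ == "__main__":
    for a in detect_bulk_downloads(parse_events(constructed_sample())):
        print(f"ALERT bulk download: user={a.user} role={a.role} "
              f"count={a.count} within {WINDOW} ending {a.window_end.isoformat()}")
```

In this sample only the engineer’s burst trips the alert; the salesperson’s fifteen downloads never put more than one inside a ten-minute window. Raising the window or lowering a role’s threshold is exactly the tuning the post anticipates, and alerting once per user per burst keeps a single event from flooding the IT mailbox.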
What’s Mine is Mine
For those looking for a solution that can solve a lot of these problems in one fell swoop, a Data Loss Prevention (DLP) solution may be what you need. Each DLP solution is going to vary, but overall, their goal is going to be the same: prevent data that your organization deems important from going places that the organization doesn’t want it to go.
A proper DLP solution can provide insight as to what type of data is where, and what type of access users have. It performs an analysis of the content in your environment and helps you manage access to that content. You can create alerts if files outside of normal activity are accessed or create a report of what activity occurred in the past. It can also provide a central management interface that helps you create policies and helps make sure that employees adhere to those policies.
It’s Not Always a Bad Employee
IP theft is not a problem that only involves disgruntled employees. It can also be the result of a security breach. A compromised email account is no longer something you can fix quickly by resetting the password: a single employee’s mailbox can contain a large amount of information that you may not want exposed to the public. Ransomware continues to become more commonplace, and the bad guys know that you not only want your data back, you also don’t want it exposed to the world.
While you may trust your employees implicitly, it is important to understand just how important your intellectual property can be. Security is not only a matter of keeping your systems up and running. Keeping your data safe from deletion, encryption, AND extraction is often just as important. Here at Sikich, we can help with each aspect of protecting your data. If you find yourselves trusting but wanting to verify your employees’ activities, we are happy to help.