Symantec: Employee IP Theft is Common
February 11, 2013
Half of employees who left or lost their jobs in the last 12 months kept
confidential corporate data and 40 percent plan to use it in their new
jobs. The results show that everyday employees' attitudes and beliefs
about intellectual property (IP) theft are at odds with the vast
majority of company policies.
Employees not only think it is acceptable to take and use IP when they
leave a company, but also believe their companies do not care. Only 47
percent say their organization takes action when employees take
sensitive information contrary to company policy and 68 percent say
their organization does not take steps to ensure employees do not use
confidential competitive information from third parties. Organizations
are failing to create an environment and culture that promotes
employees' responsibility and accountability in protecting IP.
"Companies cannot focus their defenses solely on external attackers and
malicious insiders who plan to
sell stolen IP for monetary gain. The everyday employee, who takes
confidential corporate data without a second thought because he doesn't
understand it's wrong, can be just as damaging to an organization," said
Lawrence Bruhmuller, vice president of engineering and product
management, Symantec. "Education alone won't solve the problem of IP
theft. Companies need data loss prevention technologies to monitor use
of IP and flag employee behavior that puts confidential corporate data
at risk. The time to protect your IP is before it walks out the door."
Survey Highlights
- Employees move IP outside the company in all directions, and never
clean it up.
Sixty-two percent say it is acceptable to transfer work documents to
personal computers, tablets, smartphones or online file sharing
applications. The majority never delete the data they've moved
because they do not see any harm in keeping it.
- Most employees do not believe using competitive data taken from a
previous employer is
wrong. Fifty-six percent of employees do not believe it is
a crime to use a competitor's trade secret information; this
mistaken belief puts their current employers at risk as unwitting
recipients of stolen IP.
- Employees attribute ownership of IP to the person who created it.
Forty-four
percent of employees believe a software developer who develops
source code for a company has some ownership in his or her work and
inventions, and 42 percent do not think it's a crime to reuse the
source code, without permission, in projects for other companies.
- Organizations are failing to create a culture of security. Only 38
percent of
employees say their manager views data protection as a business
priority, and 51 percent think it is acceptable to take corporate
data because their company does not strictly enforce policies.
Recommendations
- Employee education:
Organizations need to let their employees know that taking
confidential information is wrong. IP theft awareness should be
integral to security awareness training.
- Enforce non-disclosure agreements (NDAs): In almost half of insider
theft cases, the organization had IP agreements with the employee,
which indicates the existence of a policy alone—without employee
comprehension and effective enforcement—is ineffective¹. Include
stronger, more specific language in employment agreements and ensure
exit interviews include focused conversations around employees'
continued responsibility to protect confidential information and
return all company information and property (wherever stored). Make
sure employees are aware that policy violations will be enforced and
that theft of company information will have negative consequences to
them and their future employer.
- Monitoring technology: Implement a data protection policy that
monitors inappropriate access and use of IP and automatically
notifies employees of violations, which increases security awareness
and deters theft.
"When it comes to trade secret theft by mobile employees, an ounce of
prevention is usually worth ten pounds of cure," said Dave Burtt,
founder of Mobility Legal P.C. "We consistently see departing employees
who don't understand their obligation to keep trade secrets secret, but
are just as often faced with companies whose own procedures are sorely
lacking when it comes to protecting valuable IP. But everybody loses
when a mobile employee steals trade secrets - the company who invested in
the IP, the employee who took it, and the organization that receives it,
even unknowingly, who most often is on the hook for defending the
litigation that follows. Before employees exit, dust off agreements they
likely haven't looked at in years, figure out all of the places the
employee has stored sensitive company information and get it back, and
ensure that employees understand their continuing obligations not to use
or disclose company trade secrets."