By Michael Moberly
Whatever political side you profess to be on, Wikileaks is here and functioning, and there are or will be more Wikileaks-type aggregators, so it’s reasonable to assume companies are in for a very bumpy ride in keeping trade secrets and proprietary information out of the public domain.
For some time there has been significant emphasis on integrating technological capabilities to make pertinent business information available up and down a company’s supply chain, primarily for “efficiency” purposes, the rationale goes. No argument here. These pipelines of information dissemination and sharing often have similar characteristics to the conventional “knowledge management” movement in the 80’s and early 90’s, only in a technology-tweaked manner.
From a business perspective, the well-intentioned premise of knowledge management and its 2011 technology-enhanced variants lies in the notion that more people (internally and externally) require access to certain information as a tool to help simplify decision-making processes, speed up problem solving, or create greater efficiencies.
In such a global information sharing environment, it should come as no surprise that there might be literally thousands of individuals who have the wherewithal and attitudinal receptivity to become an “insider” risk/threat to a company’s trade secrets. Insiders are often a feisty and persistent lot who come wrapped in many different motives which collectively form, one presumes, their rationale for doing what they do: steal and disseminate and/or sell proprietary or trade secret information. In the private sector such acts are deemed misappropriation or infringement; in the government (classified) arena it’s likely to be called economic espionage when a foreign entity is the recipient.
When insiders are successful, and their success is usually not limited to a single occasion, the product of their misdeeds can, and often does, wreak havoc on the targeted company, due to the increasingly intertwined worlds of business and business transactions.
For businesses today, having individuals well versed in the insider-threat arena, not just on last year’s events, but on current research and proactive/forward-looking execution points, is increasingly essential. When trade secret/proprietary information losses come to light, they generally carry long-lasting and costly ramifications to the victim company. Returning to a state of business normalcy following a substantial loss of information assets is seldom easy, swift, or inexpensive and often requires many financial, professional, and trade “fences to be mended,” some of which will remain either irreversibly broken or in a constant state of repair long after the event.
This new breed of insider that’s emerging is more calculating and more stealthy, and an insider’s acts can potentially cause more irreversible, costly, and immediate harm and embarrassment to a company than the acts of their less scheming predecessors, who largely focused on stealing “hard copies” of documents they could carry out of a building and into the waiting hands of a competitor, a foreign intelligence service, or their new employer as very valuable and strategic quid pro quo for a hiring bonus.
So, as this construct of “the new insider” emerges, studies and research conducted by DoD’s Personnel Security Research Center and Carnegie Mellon University’s CERT unit and regularly reported on The Trade Secrets Blog provide important and timely insights.
A particular PERSEREC study has contributed significantly to a framing of “the new insider” and the risks/threats they pose by looking at this phenomenon through a global lens. That study is appropriately titled “Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage.” It identifies some ominous challenges facing governments and companies as they try to address insider risks and threats.
Three interesting takeaways from the PERSEREC study are paraphrased below:
1. Fewer employees today, and presumably in the future, are (will be) deterred by a conventional sense of employer loyalty. In other words, they have a tendency (proclivity) to view theft of information assets as morally justifiable if sharing those assets, they believe, will benefit the world community or prevent armed conflict.
2. There is a greater inclination for employees who are or will be engaged in multinational transactions to regard unauthorized transfer of information assets or technologies as a business matter, rather than an act of betrayal or treason.
3. The value of/market for protected information assets, apparently without regard to whether it is a company’s proprietary information or trade secrets or a government agency’s classified information, has risen to a level at which those so inclined, i.e., insiders, recognize the information can be sold for a considerable profit to an ever-widening range of receptive global entities.
So, designing effective policies, procedures, practices and techniques to mitigate, counter, and ultimately defend against insiders’ theft of valuable trade secrets should not be based solely on or unduly prejudiced by anecdotal (internal, external) snapshots in time, or generalized assumptions about one’s ethnic allegiance. Rather, defenses to the broad and complex phenomenon of insider threats and theft of trade secrets should be well grounded in the relevant, current, and applied research.
Insider risks are unlikely to miraculously recede or fade away through attrition, terminations, or resignations, etc. Rather, they require execution of best practices that reflect objective research, not merely plugging yesterday’s leaks. Valuators of IP need to align their due diligence to the new reality. Companies with proactive plans based on modern research add to the value of their IP.