Home > Articles > Security > Network Security

This chapter is from the book

Mitigation Strategies for All Theft of Intellectual Property Cases

The intent of the MERIT models is to identify the common patterns of each type of insider threat over time based on our analysis of the cases in our database. We have found that the models suggest key mitigation strategies for you to defend yourself against these types of threats. We therefore propose countermeasures based on expert opinions in behavioral psychology, organizational management, and information security.

Your insider threat mitigation strategies should involve more than technical controls. An overall solution should include policies, business processes, and technical solutions that are endorsed by senior leadership in HR, legal, data owners, physical security, information security/information technology, and other relevant areas of the organization. It is critical that all levels of management recognize and acknowledge the threat posed by their current and former employees, contractors, and business partners, and take appropriate steps to mitigate the associated risk. It may not be realistic to expect that all intellectual property exfiltrated by insiders will be stopped before the information leaves your network, but it is realistic to expect that you can implement countermeasures into your infrastructure and business processes to allow you to detect as many incidents as possible, thereby minimizing the financial impact on your organization.

The remainder of this chapter describes potential countermeasures that we believe could be effective in mitigating insider theft of intellectual property.

Exfiltration Methods

We begin this section by providing more in-depth details of the technical methods used by insiders to steal IP in our database. Methods varied widely, but the top three methods used were email from work, removable media, and remote network access. Table 3-3 describes the primary methods of exfiltration.

Table 3-3 Exfiltration Methods

Exfiltration Method



Insiders exfiltrated information through their work email account. The email may have been sent to a personal email account or directly to a competitor or foreign government or organization. Insiders used email attachments or the body of the email to transmit the sensitive information out of the network.

Removable media

Common removable media types were USB devices, CDs, and removable hard drives.

Printed documents

Insiders printed documents or screenshots of sensitive information, and then physically removed the hard copies from the organization.

Remote network access

Insiders remotely accessed the network through a virtual private network (VPN) or other remote channel to download sensitive information from an off-site location.

File transfer

The insider was at work, on the company network, and transferred a file outside of the network using the Web, File Transfer Protocol (FTP),18 or other methods. Although email could potentially fit this category, we thought that email should be considered separately due to the large number of crimes that used email.


Insiders exfiltrated data by downloading IP onto a laptop at work and bringing it outside the workplace. For example, one insider was developing an application for his company on a laptop and later purposely leaked the source code. In other cases the insiders simply downloaded sensitive files onto their laptops for personal or business use later.

We dug a little deeper into those methods to determine where our mitigation strategies need to be focused—on the host, the network, or the physical removal of information—and found that more than half involved the network, 42% involved the host, and only 6% involved physical removal.

Network Data Exfiltration

Data exfiltration over the network was the most common method of removing information from an organization, used by more than half of the insiders in the database who stole IP. Removal methods included in this category were email, a remote network access channel (originating externally), and network file transfer (originating outside the network).

About one-fourth of the insiders used their work email account to send the IP outside the network, either sending IP to their personal email account, or directly emailing the IP to a competitor or foreign government or organization.

For example, an insider in one case sent customer lists and source code he had written from his work email account to his personal email account. During this time, he was being recruited by a competing organization. He accepted the competitor’s offer and took the customer lists and source code to his new job to help him get a head start there.

In another case, an insider asked his superiors for confidential data about their product costs and materials. Two months later, he accepted a new job with a competitor. The original employer warned him against taking or distributing any of its proprietary information. However, the insider emailed internal business information from his work email account to two of his new supervisors before he started at the new company.

Interestingly, almost half of the cases involving email exfiltration also involved another type of exfiltration. This suggests that if you suspect an insider is stealing information you should check other communication channels for similar activity. Most frequently, the additional exfiltration path involved stealing information on a laptop, but use of remote access channels and theft of printed documents each happened a few times in combination with theft via email.

The second most frequent network exfiltration method was remote network access. As in the MERIT model, many of these cases occurred immediately before resignation or shortly after acceptance of a new job at a competitor. In more than one-third of these cases, the remote connections were established after normal work hours; in almost one-third of the cases, the time of exfiltration was unknown.

During the remote sessions, insiders downloaded sensitive documents to their remote computers. In one case, an insider and a coworker were employed as contract software developers for the victim organization. Their contracts were periodically renewed when modifications to the software were needed. Each time their contracts ended, the victim organization neglected to disable their remote access to the network since the organization knew they would be contracted again in the near future. However, at one point both insiders suddenly claimed that the programs they developed belonged to them, and requested that the organization cease using them. The company continued to use the applications, and the insider and accomplice were able to remotely access and download the proprietary source code they claimed to own.

The least common method of network data exfiltration was transferring data outside the network through outbound channels such as FTP, the Web, or instant messaging. These crimes were all perpetrated by more technically skilled insiders. Examples include the following.

  • A computer programmer at an investment banking organization submitted his letter of resignation to his manager. He then used a script that copied, compressed, and merged files containing source code, and then encrypted, renamed, and uploaded the files using FTP to an external file hosting server.
  • An insider transferred trade secrets and source code to a password-protected Web site using standard HTTP. The insider intended to start a side business with the company’s stolen IP.
  • An insider who failed to receive a raise and whose request for transfer was rejected submitted his resignation and downloaded proprietary information from his organization for potential use in a new job. He used FTP to transfer the data to his home computer.

What Can You Do?

Most cases that involved use of the network to perpetrate the theft involved email and remote access over VPN. Given that several cases involved email to a direct competitor, you should consider at least tracking, if not blocking, email to and from competing organizations. Our cases did not explicitly show sophisticated concealment methods, such as use of proxies19 or extensive use of personal, Web-based email services. However, we did find that insiders periodically leverage their personal, Web-based email as an exfiltration method. You should carefully consider the balance between security and personal use of email and Web services from your network.

As mentioned, most insiders steal IP within 30 days of leaving an organization. You should consider a more targeted monitoring strategy for employees and contractors when they give notice of their exit. For instance, check your email logs for emails they sent to competitors or foreign governments or organizations. Also check for large email attachments they sent to Gmail, Hotmail, and similar email accounts.

Further, you should consider inspecting available log traffic for any indicators of suspicious access, large file transfers, suspicious email traffic, after-hours access, or use of removable media by resigning employees. Central logging appliances and event correlation20 engines may help craft automated queries that reduce an analyst’s workload for routinely inspecting this data.

Host Data Exfiltration

Host-based exfiltration was the second most common method of removing IP from organizations; close to half of the cases involved an insider removing data from a host computer and leaving the organization with it. In these cases, insiders often used their laptops to remove data from the organization. We had difficulty determining the exact ownership and authorization of the laptops used. However, we do know that about one-sixth of the insiders who stole IP used laptops taken from the organization’s site during normal work hours. Half of them transferred proprietary software and source code; the other half removed sensitive documents from the organization.

In one case, the insider worked for a consulting company and stole proprietary software programs from a customer by downloading them to a laptop. He attempted to disguise the theft by deleting references to the victim organization contained in the program, and then attempted to sell portions of the program to a third party for a large sum of money.

Another case involved an insider who accessed and downloaded trade secrets to his laptop after he accepted an offer from a foreign competitor. He gave his employer two weeks’ notice, and continued to steal information until he left.

By far, the most common method of host-based exfiltration in the database was removable media; 80% of these cases involved trade secrets, and the majority of those insiders took the stolen trade secrets to a competitor. The type of removable media used varied. Where information was available, we determined that insiders most often used writable CDs. Thumb drives and external hard disks were used in just 30% of the cases. However, the type of removable media used has changed over time. Insiders primarily used CDs prior to 2005. Since 2005, however, most insiders using removable media to steal IP use thumb drives and external hard drives. This trend indicates that changes in technology are providing new and easier methods of stealing data from host computers.

In one case, an insider resigned from his organization after accepting a position at another organization. He downloaded personal files as well as the organization’s proprietary information onto CDs. Despite signing a nondisclosure agreement, the insider took the trade secrets to a competitor.

In a similar example, an insider received an offer from a competitor three months prior to resignation. He lied about his new position and employment status to coworkers. Only days before leaving the organization, he convinced a coworker to download his files to an external hard drive, supposedly to free up disk space. He came into work at unusual hours to download additional proprietary information onto a CD. Finally, he took this information with him to his new position at a competing organization.

What Can You Do?

It is unlikely that the victim organizations in our database prohibited removable media in their daily computing environments. You should consider carefully who in your organization really needs to use removable media. Perhaps access to removable media is a privilege granted only to users in certain roles. Along with that privilege could come enhanced monitoring of all files copied onto such devices. In addition, understanding who requires removable media and for what purposes can help you to determine what may constitute normal and healthy business use, and to monitor for usage patterns that deviate from that. Inventory control, as it pertains to removable media, may also be helpful. For example, you could allow use of removable media only on company-owned devices prohibited from leaving your facility. Organizations requiring the highest-assurance environment should consider disallowing removable media completely, or allowing it only in special situations that are carefully audited.

Finally, recall the 30-day window in our theft of IP cases. Can you log all file transfers to removable media? You might not have the resources to review all of those logs (depending on how restricted your use of such media is). However, if the logs exist, you can audit them immediately on the hosts accessed by any employee who has announced his resignation. This would provide one quick mechanism for detecting IP that might be exfiltrated by an employee on his way out the door.

Physical Exfiltration

Only 6% of the theft of IP cases involved some sort of physical exfiltration. We found that physical exfiltration usually occurs in conjunction with some other form of exfiltration that would have produced a more obvious network or host-based observable event.

Exfiltration of Specific Types of IP

Once we determined what kinds of IP were stolen and how, we determined what methods of exfiltration were associated with the different types of IP. Several interesting findings surfaced. In particular, business plans were stolen almost exclusively through network methods, particularly using remote access. Conversely, proprietary software and source code involve a much higher use of non-network methods. This may be due in part to the volume of data associated with different asset types. Software and source code files are often large, but business plans are usually smaller documents that are easier to move over a VPN or as an email attachment. Enumerating the most frequent methods by which particular assets are exfiltrated may help steer monitoring strategies with respect to computers that house particular types of assets or are allowed to access given assets over the network.


Some insiders attempted to conceal their theft of IP through various actions. These cases signify a clear intent to operate covertly, implying the insiders may have known their actions were wrong. In one case, an insider was arrested by federal authorities after stealing product design documents and transferring them to a foreign company where he was to be employed. After being arrested, he asked a friend to log in to his personal email account, which was used in the exfiltration, and delete hundreds of emails related to the incident.

Another case involved an insider who used an encryption suite to mask the data he had stolen when moving it off the network.

Trusted Business Partners

Trusted business partners accounted for only 16% of our theft of IP cases, but this is still a complicated insider threat that you need to consider in your contracting vehicles and technical security strategies.

For example, a telecommunications company was involved in a lawsuit, and had to hand over all of its applicable proprietary information to its attorneys, which it did in hard-copy form. The law firm subcontracted with a document imaging company to make copies of all of the information. One of the employees of the document imaging company asked his nephew, a student, if he would like to make a little extra spending money by helping him make the copies at the law firm. The nephew realized that he had access to proprietary access control technology that the telecommunications company used to restrict its services based on fees paid by each individual customer. He felt, like many others, that the company unfairly overcharged for these services, so he posted the information online to the Internet underground. This basically released the telecommunications company’s “secret sauce,” and now it was easy for members of that community to obtain free services. When the post was discovered, law enforcement investigated the source of the post and traced the activity back to the student.

It is important that you consider these types of threats when drawing up contracts with your business partners. Could that scenario happen to you? Do you write legal language into your contracts that dictates how your confidential and proprietary information can and cannot be handled?

It is important that you understand the policies and procedures of your trusted business partners. You establish policies and procedures in order to protect your information. When you enlist the support of a trusted business partner, you should ensure that their policies and procedures are at least as effective as your safeguards. This includes physical security, staff education, personnel background checks, security procedures, termination, and other safeguards.

In addition, you should monitor intellectual property to which access is provided. When you establish an agreement with a trusted business partner, you need assurance that IP you provide access to is protected. You need to get assurances that access to and distribution of this data will be monitored. You should verify that there are mechanisms for logging the dissemination of data, and review their procedures for investigating possible disclosure of your information.

These are just a few recommendations. We detail eight recommendations in Chapter 9, Conclusion and Miscellaneous Issues, regarding trusted business partners.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020