Insiders who steal intellectual property are usually scientists, engineers, salespeople, or programmers. The IP stolen includes trade secrets, proprietary information such as scientific formulas, engineering drawings, source code, and customer information. These insiders typically steal information that they have access to, and helped to create. They rarely steal it for financial gain, but rather they take it with them as they leave the organization to take to a new job, give to a foreign government or organization, or start their own business.

These insider threats fall into two groups. The first is the Entitled Independent, an insider who acts alone to take the information with him as he leaves the organization. The second is the Ambitious Leader, an insider who creates a “ring” of insiders who work together to steal the information. Ambitious Leaders want to steal more than just the information they created—they want the entire product line, or whole suite of source code, for example.

A portion of this chapter was devoted to insiders who stole IP to take to a foreign government or organization. These crimes can be particularly disastrous, since it is much more difficult to recover the information once it leaves the United States. We described the countries involved, the positions of the employees, and the methods of theft.

The most useful pattern we found in modeling these crimes was that most of the insiders stole at least some of the information within 30 days of resignation. That time frame is really a 60-day window: the 30 days before the insider turns in a resignation and the 30 days after. Our mitigation strategies are built around that window. We recommend logging every potential exfiltration channel, especially e-mail leaving the network and use of removable media, so that when an employee with access to your critical information resigns you can audit that activity retrospectively. You need to be able to go back in time and confirm that the employee has not e-mailed your IP outside the network (to competitors, to governments or organizations outside the United States, or to personal Gmail or Hotmail accounts), and to identify any information copied to removable media during that period. Finally, because the insider is still inside between the resignation and the day employment actually ends, you need real-time alerting on the same activity during that notice period.

The next chapter turns to insider fraud. Insider fraud involves theft as well, but theft of a different type of information: Personally Identifiable Information (PII), credit card information, and other data that could be used to commit fraud. It also includes crimes in which an insider modified information for financial gain, often paid to do so by outsiders.
