August 30, 2016

IP Traitors: Will Your Employees Sell Secrets?

More than half of employees would sell corporate secrets for cash. 

A recent study by Clearswift found that more than half of employees admit that they would sell corporate secrets if offered enough cash. If these results are an accurate gauge of employee attitudes, employers have much to fear when it comes to guarding precious intellectual property (IP).

Three percent of the 4,000 U.S., European, and Australian employees polled claimed they would sell secrets for just $150. Eighteen percent said $1,500 would be enough to get them to steal IP. For 35 percent, $75,000 would be too tempting to pass up. Ignorance may be partly at work, as many employees don’t fully understand the value of IP. Only 39 percent of U.K. employees recognize that IP could damage their company if leaked, Clearswift says.

Unfortunately, this view of the subject extends to the boardroom. The 2015 Clearswift Insider Threat Index, a study of 500 security professionals, found that 72 percent of respondents believe internal security threats are not treated with the same importance as external threats by the board, and 14 percent say internal threats won’t be taken seriously enough until their enterprise experiences a serious internal data breach.

Insiders have the means to inflict as much harm on the enterprise as any sophisticated cybercriminal ring, and more than one-third of employees in the Clearswift survey say they have access to sensitive information that is above their pay grade. A willingness to steal secrets for financial gain and access to valuable data that is unnecessary to the employee can be a recipe for a security calamity.

Reduce Threats

Enterprises can begin to reduce the insider threat risk by improving access controls over high-risk elements of code. Access control checks can prevent an unauthorized user from gaining access to security-sensitive operations in a program. There are tools available that can retroactively apply new access control protocols to existing code.

Further, training can reduce the ignorance-of-risk factor. Employees may think that selling some seemingly innocuous files will not have an appreciable impact on the enterprise. Training should relate the potential seriousness of these actions and reemphasize the full consequences for those caught stealing data or for aiding and abetting such actions.

CIOs and CISOs can inform other corporate officers and board members about the threat from within to garner support for more action.

Thwart Theft

Another risk mitigation strategy is to use predictive user analytics to detect potentially nefarious network activity. User behavior analytics tools build profiles of employees based on their usage patterns and send out alerts when they spot abnormal user activity. Another class of software, security information and event management (SIEM) tools, can monitor user activity for threat management and rules compliance. Many enterprises already have SIEM tools in their security portfolio that can be applied to guard against the insider threat.
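The profile-then-alert approach described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the event tuples, user names, resource names and thresholds are constructed assumptions. It builds a per-user baseline of daily read volume and resources touched, then flags a day that departs from it.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, resource, bytes_read)
BASELINE = [
    ("alice", d, "wiki", b) for d, b in enumerate([40, 55, 48, 52, 45])
] + [
    ("bob", d, "crm", b) for d, b in enumerate([200, 180, 220, 210, 190])
]
TODAY = [
    ("alice", 5, "wiki", 50),
    ("bob", 5, "crm", 205),
    ("bob", 5, "source-repo", 4000),   # resource outside bob's profile
    ("carol", 5, "wiki", 10),          # user with no history
]

def build_profiles(events):
    """Per-user profile: daily volume statistics and resources touched."""
    daily = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for user, day, resource, size in events:
        daily[user][day] += size
        seen[user].add(resource)
    profiles = {}
    for user, days in daily.items():
        vals = list(days.values())
        profiles[user] = {"mean": mean(vals), "std": pstdev(vals),
                          "resources": seen[user]}
    return profiles

def score_day(profiles, events, z_threshold=3.0, min_std=1.0):
    """Return sorted (user, reason) alerts for one day's events."""
    totals, touched = defaultdict(int), defaultdict(set)
    for user, _day, resource, size in events:
        totals[user] += size
        touched[user].add(resource)
    alerts = []
    for user, total in totals.items():
        p = profiles.get(user)
        if p is None:                      # cannot judge without a profile
            alerts.append((user, "no-baseline"))
            continue
        # min_std keeps a perfectly flat baseline from dividing by zero
        if (total - p["mean"]) / max(p["std"], min_std) > z_threshold:
            alerts.append((user, "volume"))
        for r in sorted(touched[user] - p["resources"]):
            alerts.append((user, f"new-resource:{r}"))
    return sorted(alerts)

print(score_day(build_profiles(BASELINE), TODAY))
```

In practice the same two signals (volume far above the user's own norm, and access to a resource outside their history) are what a SIEM correlation rule would be tuned to surface.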

Don’t take any chances with insider threats. By using access controls, providing training, and putting the right tools in place to thwart theft, you can stay ahead of IP security.
