Trade Secrets and the Insider Threat: Protection Beyond the Perimeter

By James Pooley
February 23, 2021

“When corporate managers think about information security, the first place they look at is the ramparts, when it’s what’s happening behind the walls that should keep them up at night.”

“We have met the enemy, and he is us.” – Pogo

https://depositphotos.com/338621034/stock-photo-corporate-security-manager-identifies-potential.htmlThe Lord of the Rings trilogy ends in suitably spectacular fashion with a battle scene following the retreat of all the good people to “Helms Deep,” a tall stone fortress built into the recess of a massive rock mountain. Seemingly impregnable, the thick wall facing the invaders contains a small flaw: a drainage outlet about five feet high, large enough to pile in some spiny medieval bombs. That done, one of the bad guys in heavy armor but inexplicably looking just like the Olympic torch carrier, glides between lines of his cheering comrades and dives in with the flame to blow a hole big enough for the army to pour in.

Now, immediately shift your mind’s eye from New Zealand to New York: you are watching the scene from The Big Short where Ryan Gosling’s character overhears at a bar a secret trading strategy to bet against the subprime housing market (you know how that one turned out), and then proliferates it by making a call to a wrong number. And for something too improbable to qualify as a movie idea, consider this real-life drama from 2010: Apple, a company infinitely obsessive about the secrecy of unreleased products, finds out that an employee left an iPhone 4 prototype in a bar. Then (this is true) the same thing happens the next year with an iPhone 5 prototype, with a different employee, in a different bar.

[[Advertisement]]

Protect the Perimeter, or Guard the Core?

The managers of most companies tend to see information security as a Lord of the Rings problem, with the focus on protecting the perimeter. This reflects the popular view. Indeed, from reading headlines about hackers, you might think that cybercrime –malign attacks from evil outsiders – represents the most common way that commercial information is lost. And you would be wrong. It’s not the overlooked vulnerability in the company’s firewall that gets exploited by determined external enemies. Instead, it’s the careless employee who overshares on social media, brags at parties, or leaves a sensitive document in an airport lounge. (Remember traveling on planes?)

According to a 2013 study by Symantec, over half of departing employees believe it’s entirely acceptable to take company data when they go, and they tend to act on that belief. Forty percent have plans to use the information in their new position. This is not necessarily malicious behavior. Many (68%) just think the organization doesn’t care, given a lack of any apparent enforcement. Anyway, if the information is software, 44% believe that because they wrote it, it belongs to them. From my work with clients, I’d say the situation hasn’t changed.

So, it shouldn’t be surprising how often information is lost just because someone sends a sensitive email to the wrong person, or a group text instead of a private exchange, or because an employee decides that the company’s VPN is just too much trouble.

Nevertheless, when corporate managers think about information security, the first place they look at is the ramparts, when it’s what’s happening behind the walls that should keep them up at night. According to a 2017 Gartner report, businesses spend 62% of their security budgets on defending the network, compared to 18% for the “endpoint” devices in the hands of users.

All of this is not to say that we shouldn’t be guarding the perimeter against hackers, who are everywhere and apparently never sleep. Fortunately, the tools available to detect and react to cyberespionage are constantly improving, and despite the occasional disasters (most of which can be traced back to – ahem – human error), we seem to be staying slightly ahead in the cybersecurity arms race.

An Endless Supply of Human Folly

But clearly the more serious and pervasive threat is from insiders. Unlike the hackers who are trying to break into our systems, these are people that we trust with access to sensitive information, because we have to. Given the complexities of the globalized, digital economy, we have no choice but to share our secret data with employees, not to mention the anonymous employees of supply chain partners, all of whom stay connected remotely through multiple devices, and being human, can get easily fatigued or distracted.

Naturally, these risks are amplified as we have shifted to mostly remote work, where insider threats are dispersed and managers can’t always see them, including the subtle cues of individual behavior that might flag a problem. But increasingly, some of the same kinds of technologies that protect us against malicious outsiders are being developed to address the internal threat.

As we have observed before in this space, trade secret problems come in many different dimensions and circumstances, but all of them share a common feature: somebody did something stupid. Try as we might to create policy frameworks, management structures and training programs, the supply of human folly seems inexhaustible.

Machine Learning and Artificial Intelligence as a Possible Solution

The current hope is that machines will be the match for our failings. Artificial Intelligence (AI) has developed a reputation as aspirational, having fallen short of previous predictions. But it’s certainly much improved, and its ability to recognize patterns and make nuanced judgments provides reason for hope that it can be applied to predicting and managing human behavior.

That said, to deploy intelligence you have to first know some facts. And this is where Machine Learning (ML) comes in. While humans constantly demonstrate an inability to learn from their mistakes, for example by continuing to build houses in flood zones and forests, machines are terrific at it. They don’t get defensive when criticized, and like your dog, they just want to know what makes you happy.

So, combining ML’s talent for education with AI’s capacity for analytics and executive thinking seems an ideal way forward. And indeed, industry has stepped up and created some interesting possibilities. Perhaps inevitably, the security vendors seem to be innovating mainly in the area of new acronyms and other jargon designed to reinforce how much you don’t know. But stay with me for a moment and I think you’ll get a sense of where we’re headed.

An Alphabet of Defenses

Once upon a time there was plain old Data Loss Prevention (DLP) software, which sort of did it all and had a nice generic name. Now we have UAM, which stands for User Activity Monitoring, tools that gather data at its most granular, like individual screen captures, text messages and even keystrokes. UAM also sucks up data from DLP applications, as well as from systems engaged in Security Information and Event Management (SIEM) and User and Entity Behavioral Analytics (UEBA – which, wait, is now called SIEM 2.0). Got all that? No?

Okay, here’s a simpler explanation, through an example. We all deal with authentication by passwords, as well as the more annoying two-factor authentication, in which we wait for a code to be delivered to another device. With a process called Risk-Based Authentication (RBA, sorry), the system doesn’t only verify identity. Using a combination of AI and ML to create a baseline understanding of user behavior, it also examines context to search for anomalies and create warnings or blocks against dangerous behavior. It can examine emails from supposedly trusted sources to see if they align with previous messages, looking for very subtle differences in syntax and diction that might indicate a phishing scam.

So, while we’re sitting in front of our computer at home, far away from the office, we have the comfort of knowing that we’re not really on our own, that we have someone watching over us, protecting us against ourselves, and preserving the information assets that make this job possible.

In the final moments of The Lord of the Rings, despite the breach of its fortifications. Helms Deep was saved by the extreme heroics of its defenders. In business, the workforce may look a bit more like the careless traders in The Big Short. They could use some reinforcements.

Image Source: Deposit Photos
Author: PantherMediaSeller
Image ID: 338621034 

The Author

James Pooley

James Pooley is a former Deputy Director General of the World Intellectual Property Organization (WIPO). Jim has a private law practice in Silicon Valley where he specializes in trade secret litigation and counseling.

For more than 40 years, Jim represented clients in high-stakes trade secret and patent disputes. His broad litigation experience, combined with his service as an international diplomat and business executive, make him uniquely qualified to serve as advisor, co-counsel, expert or ADR neutral (he is a panel member of FedArb) in trade secret disputes, and to consult with companies about trade secret management. His most recent book, Secrets: Managing Information Assets in the Age of Cyberespionage, is available here.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently 1 Comment comments. Join the discussion.

  1. Paul F Morgan February 24, 2021 10:37 am

    Excellent point. Someone once humorously suggested “Invisible Fence” collars for scientists who cannot resist publicly bragging about their work before needed patent applications could be filed, thereby destroying the protection value of the products they were being paid to develop. Especially, foreign patents. The response was that it would require too high a voltage to be effective for such scientists. [Obviously, internal education and draft reviews of papers was needed.]

Post a Comment

Respectfully add to the discussion.

Name *
Email *
Website