Is there a bounty on your intellectual property?
It’s more likely than you think. Earlier this month, news broke that FBI agents investigating a case of corporate cyber theft seized a handbook revealing what China was willing to pay to “individuals or entities who can provide certain technologies.”
Nation-states have been using cyber hacking to actively target valuable intellectual property, or IP, for years. However, what may be startling to the public is that state-sponsored IP theft is so organized and methodical; criminal hackers receive catalogs of the most-wanted technologies, referred to as “collection requirements,” each with associated bounties.
For business, university, and research lab leaders, this raises a couple of questions: Do any of your employees have such handbooks? And if they were stockpiling and exporting sensitive data, would you know before it was too late?
This most recent cyber theft report is a classic example of what we call the “insider threat,” a term encompassing cyber problems that originate from authorized users of a network. It also demonstrates the increasingly sophisticated tactics bad actors use to steal corporate IP. The employee in this example was accused of smuggling highly sensitive technical documents by placing an encrypted file into the coding of a digital image of a sunset. He then emailed this image to a personal address.
According to the criminal complaint, both federal investigators and corporate IT experts said this was the first time they had seen these types of sophisticated tactics (known as steganographic exfiltration) used to steal corporate IP. This incident is a good reminder that the insider threat, like all cyber threats, continues to adapt and evolve to defeat security measures.
Not all insider threats to your IP are malicious. Some are employees who practice poor cyber hygiene, such as visiting unsafe websites, clicking on links in emails from people they don’t know, or plugging outside USBs into their work computers without confirming those devices aren’t compromised. Any of these activities could introduce a virus or malware into your system, undermining the stoutest network protections.
But sometimes insiders can go rogue, prompted by dissatisfaction, jealousy, greed, or other factors. Earlier this summer, Tesla CEO Elon Musk wrote in a company email that an employee had admitted to “quite extensive and damaging sabotage of our operations.” The employee was upset he had not received a promotion, Musk wrote.
A knowledgeable insider using a new generation of hacking tools could steal terabytes' worth of valuable IP in a matter of minutes. This is why, according to Raytheon’s 2018 Study on Global Megatrends in Cybersecurity, IT professionals across the globe are more worried about malicious or criminal insiders (36%) than they are about nation-state attackers (30%) or hacktivists (27%).
A primary step every organization should take to address insider risks is to implement a clear set of policies governing technology usage. For example, not every employee should have access to sensitive IP files. Your IT teams should know which sections of your networks are off-limits and monitor for attempts at inappropriate access. Employees should also be trained and reminded about risky online work behaviors, and how their actions could impact the company.
In addition, organizations need to increasingly take a user-centric approach to cybersecurity. A data-centric approach, which limits who can access what information, may stop unauthorized visitors from downloading sensitive files. But a user-centric focus uses artificial intelligence and other technologies to help identify early-warning signs that an employee has gone rogue and may be trying to collect a bounty on your IP. These programs flag aberrant user behaviors, such as stockpiling documents or sudden changes in the way an employee types on a keyboard, which could indicate that someone has hijacked their credentials.
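As an added illustration (not part of the original article and not any vendor's product), here is one simple way to flag the document stockpiling described above: compare each user's daily count of distinct documents read against that user's own history using a median/MAD score. The log format, user names, paths, and thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed sample log; '<date> <user> <action> <path>' is an assumed format."""
    lines = []
    for day in range(1, 11):
        date = f"2018-07-{day:02d}"
        for i in range(4 + day % 3):          # alice: normal daily activity
            lines.append(f"{date} alice READ /ip/design/doc{i}.pdf")
        for i in range(6 + day % 2):          # bob: normal daily activity
            lines.append(f"{date} bob READ /ip/specs/spec{i}.pdf")
    for i in range(100, 240):                 # bob: burst of 140 extra files on day 10
        lines.append(f"2018-07-10 bob READ /ip/specs/spec{i}.pdf")
    return lines

def daily_distinct_docs(lines):
    """Return {user: {date: number of distinct documents read that day}}."""
    seen = defaultdict(set)
    for line in lines:
        date, user, action, path = line.split(maxsplit=3)
        if action == "READ":
            seen[(user, date)].add(path)
    per_user = defaultdict(dict)
    for (user, date), paths in seen.items():
        per_user[user][date] = len(paths)
    return per_user

def flag_stockpiling(lines, threshold=6.0, min_history=5):
    """Flag days where a user's count is far above that user's own prior baseline."""
    alerts = []
    for user, days in daily_distinct_docs(lines).items():
        dates = sorted(days)                  # ISO dates sort chronologically
        for idx, date in enumerate(dates):
            history = [days[d] for d in dates[:idx]]
            if len(history) < min_history:    # not enough data for a baseline yet
                continue
            med = median(history)
            # Median absolute deviation; floor at 1.0 so a flat history
            # does not turn a one-document change into an alert.
            mad = median(abs(x - med) for x in history) or 1.0
            if (days[date] - med) / mad > threshold:
                alerts.append((user, date, days[date], med))
    return alerts

if __name__ == "__main__":
    for user, date, count, baseline in flag_stockpiling(build_sample_log()):
        print(f"{date} {user}: {count} distinct docs vs. baseline median {baseline}")
```

Scoring each user against their own history rather than a global limit means a heavy but consistent reader is not flagged, while a sudden jump by a normally light reader is.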
Your employees and your IP are likely your organization’s most valuable assets. With the help of some proactive policies and technology, you can prevent one asset from stealing the other and hurting your organization’s value, reputation, customers, and employees.
Thomas A. Kennedy is the chairman and CEO of Raytheon, a defense and cybersecurity company.