Protect Intellectual Property from Corporate Insiders

By Pamela Babcock Jan 23, 2012

Subtle clues from co-workers could be signaling a risk of theft of intellectual property (IP) by your employees.

In December 2011, two experts in psychological profiling and employee risk management released the report Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall. Their research examines theft of sensitive, proprietary IP and other critical data and the individual and organizational factors that give rise to such theft.

Study co-author Eric D. Shaw, Ph.D., a clinical psychologist and president of Consulting and Clinical Psychology Ltd. in Washington, D.C., said he hopes that the study will “raise awareness, reduce anxiety and open organizations to new ways of dealing with this issue—especially new forms of dealing with detecting disgruntlement and designing and enforcing better IP agreements.”

In addition, he hopes that it leads to better awareness training targeting co-worker reporting.

“Right now, co-workers will report overt and flagrant signs of IP theft, but they will not report our risk indicators—the issues that tend to be associated with theft ahead of time—like disgruntlement, psychological issues and financial stressors,” Shaw said.

Attorney Anuj Desai, an associate in Arnall Golden Gregory’s intellectual property and technology practice team in Atlanta, said he typically sees a reactive approach to protecting IP.

“This issue stems from both organizational and technological flaws,” Desai said. “Correcting the problem requires both a culture of protection and enforcement, as well as implementation of reasonable security measures that are current.”

Methodology and More

The report was commissioned by Symantec Corp. in Mountain View, Calif., and co-authored by Harley V. Stock, Ph.D., a board-certified forensic psychologist and managing partner with Incident Management Group Inc. in Plantation, Fla.

According to the report, IP theft costs U.S. businesses more than $250 billion annually. Frequent perpetrators were current or former employees or partners such as customers, contractors, vendors and joint venture partners.

The report was based on a review of cases, surveys, incident reports and investigations. The authors noted that the study is limited because such theft is likely underreported. Shaw said that the best data come from successfully prosecuted cases and might be biased toward more severe instances.

Likely Candidates

The study noted the following indicators and behaviors of employees most likely to steal intellectual property:

They often work in technical positions. Male employees, with an average age of 37, who work as engineers, scientists, managers and programmers commit most IP theft. A large percentage had signed IP agreements, which illustrates that policy, without employee comprehension and effective enforcement, is ineffective.

Usually, they already have a new job. About 65 percent of employees who committed insider IP theft had already accepted positions with a competitor or had launched their own company. About 20 percent were recruited by an outsider who targeted the data, and 25 percent gave the stolen IP to a foreign company or country, the study found.

They typically rely on technology to steal information they’re authorized to access. Internal IP thieves typically take data they know, work with and often feel entitled to. Most (54 percent) used a network—e-mail, remote access channel or network file transfer—to steal data. Most insider theft was discovered by nontechnical employees, such as co-workers reporting suspicious behaviors.

Trade secrets are the most common IP stolen by insiders. They were stolen in 52 percent of cases, followed by billing information, price lists and other administrative data (30 percent), source code (20 percent), proprietary software (14 percent), customer information (12 percent) and business plans (6 percent).

Key patterns precede departure and theft. The employee might be unsatisfied with his or her job, have psychological issues or be stressed over finances. Being passed over for a promotion and other professional setbacks can also facilitate theft.

Important Implications for HR

The vast majority of IP thieves steal material within three weeks before or after giving notice. Shaw said HR should confer with IT security about planned layoffs and upcoming staff departures so that additional safety measures can be implemented.

“I have frequently come across scenarios where HR knows of massive layoffs but IT security does not, so we have high-risk situations where a large group of unhappy people with active remote access to IP are on the network,” Shaw said.

In addition, the study revealed flaws in IP agreements. In the study, almost all IP thieves signed such agreements, “and they turned out to be worthless,” Shaw noted. Shaw said employees should renew their IP “vows” regularly, especially as they near the end of their tenure.

Lastly, he noted that there have been increased levels of internal and external collaboration in IP theft.While there is obviously a class of IP thieves who are extremely susceptible to “pitches” from outsiders, Shaw said there’s “a group of insiders that have begun to collaborate with other insiders to pull off these crimes.”

More Recommendations

The report made several other recommendations for combating IP theft:

  • Build a dedicated team of HR, security and legal professionals to create policies, drive training and monitor problem employees. Companies should have workplace response teams that include occupational health workers and forensic consulting services before a crisis occurs, said Stock.
  • Evaluate whether your organization faces an increased risk because of factors like low morale, competition, remote offices, use of subcontractors and cultural, political and language differences.
  • Consider pre-employment screening to mitigate the risk of hiring a problem employee.
  • Remember that training and education are essential, because policies and practices that aren’t recognized, understood and adhered to won’t work well.
  • Continue to evaluate your program. “Without effective monitoring and enforcement, compliance will lapse and insider risk will escalate,” the study said.

Pamela Babcock is a freelance writer based in the New York City area.


Job Finder

Find an HR Job Near You
Post a Job

HR Professional Development Education in a City Near You

SHRM Seminars are coming to cities across the US this fall.

Find a Seminar


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect