You Suspect IP Theft, Now What?

Changing Attitudes

Changing attitudes is hard to do through security solutions alone. Experts like Stefan advocate employee training, but even with proper training in place and with employees having a clear definition of IP ownership, the problem is too big to leave to education alone.

Too often, Stefan says, organizations don’t really know what an employee’s job entails. So they don’t notice large files being emailed, and they aren’t concerned when the employee accesses information unrelated to the job at hand. In other words, organizational complacency is as much of a problem as employee attitudes.

“Usually, the theft of customer information is about more than just taking along names and addresses,” Stefan said. “A more typical case involves what I call the ‘customer playbook,’ which includes such things as the buying habits of the customer, contract terms, the expiration dates on contracts, and the status of negotiations on deals that haven’t closed.”

Once you dig deeper into the theft, the act looks less vague, and the former employee won’t be able to chalk it up to simply maintaining a relationship. If your former employee continuously contacts your customers close to the end of a contract, you should be suspicious.

Once you suspect IP theft, though, how do you counter it? Is suspicious selling behavior enough? How much evidence is needed to prove your case?

Five Steps to Counter IP Theft

1. Conduct regimented exit interviews. Do more than a verbal interview; also discuss the person’s computer usage.

2. Have an anti-deletion policy and deploy anti-deletion software on network servers.

3. Run forensics and perform audits of email, web and computer usage.

4. Treat a trade secret like a trade secret. Put safeguards in place to protect critical information. For instance, don’t make the mistake of giving every sales person access to the whole customer list. Instead, restrict access to their accounts.

5. Utilize appropriate surveillance, such as monitoring software that tracks employee access to sensitive databases and triggers an alarm for suspect behavior, such as when someone compresses a large file, copies many files, or disseminates critical information.

“When an employee leaves, they usually know they’re going thirty-to-sixty days ahead of time, which is when most theft happens,” Yonowitz said. The company won’t know of the employee’s plans until well after the employee does, meaning preventing theft can be tricky.

“Ideally, you want to head employee off at the pass and not involve customers,” Yonowitz said. “The problem is that most employers are not doing simple things like monitoring email usage. They are not training employees properly. They don’t adequately explain what information belongs to company.”

With the proper systems in place, inappropriate behavior will raise alarms — well before the employer knows of the employee’s intention to leave. If this sounds like Big Brother flexing his muscles, it’s important to remember that surveillance and monitoring needn’t be intrusive.

Simply saving emails can be crucial, but saving email doesn’t mean you need to scrutinize every single one. You simply need to have access to them if a problem arises.

“If you experience an incident, it’s important that your actions don’t destroy the very information you’re trying to protect,” Stefan warned. “If you find a smoking gun, make sure you take the steps so that it will be admissible in court, if it comes to that.”

By logging onto a former employee’s computer, you are “trampling on the crime scene.” Better to just have policies in place to save things like email, browsing histories, and access to key databases and let a forensics expert take it from there.

“Remember, computers house a ton of information,” Stefan said. “When an employee leaves, don’t reformat hard drive and put it back in circulation. If it’s a contentious termination, take the drive out and buy a new one for that PC.” A few dollars spent on a new hard drive could be the difference between winning and losing an IP theft case.