“Somebody who’s an employee has the keys to the kingdom — the swipe card, the door code, the registered fingerprint — that’s the person, the employee who has not been properly vetted, who can make 10 or 20 times their salary by stealing millions of dollars worth of information from your company,” Kingstone continues. “They can do it simply by putting it on a thumb drive that goes in their front pocket.”
First, organizations must have a detailed vetting process to weed out potential threats. “I hate to say it, but if you get a foreign exchange student who is fresh off the boat, he is working for the Chinese government — he was allowed to come here in the first place because he is working for them,” Kingstone explains. “We are playing politically correct — we don’t want to single out the Chinese. Well, when 80-year-old blue-haired ladies start stealing American technology secrets, I think we should start prosecuting and profiling them too. Instead, we don’t want to make anyone feel uncomfortable, so we put our entire nation at risk.”
Establishing a Program
A strategic response to trade secret theft must start with your organization’s senior leadership, Mislock said. That means getting full support and understanding from the C-suite and the board. From there, you as a security executive should spearhead a full trade secret protection policy — with the goal of educating all employees as to why the policy is needed and important, and with periodic evaluation for continuous policy improvement.
Here are Mislock’s first steps that you as a security executive can take to initiate a strategic trade secret theft mitigation plan:
• Identify the process owner: Who owns this process and will lead it in your organization — is it the CSO, general counsel, CISO or someone else?
• Establish a steering team: Representatives should include key organization departments, including legal, HR, compliance, audit, security, R&D and engineering and any other key company stakeholders.
• Establish senior-level oversight: This is a body of senior organizational executives to whom the process owner must report on a regular basis about progress and policy changes as they become relevant.
• Clearly define roles: Every part of the company has a role in enforcing trade secret theft mitigation policies. “Many times companies have good policies and protection standards, but they haven’t really done the basic job of defining who does what,” Mislock said. “Every single person in your company has a role to play, and those definitions should be in writing.”
• Establish trade secret risk managers: Each business unit should have one. “It is imperative that the business leaders of a company understand it is their duty to protect trade secrets,” Mislock said. “If you relegate this to just one area of the company, it will not get done.” You need managers who are educated in what to look for, because they are the first people who will notice red flags and unusual behavior.
• Identify the crown jewels and protect them first: This was outlined earlier in this article.
• Establish a dedicated investigative team: The group should be aware of all threat analysis, and investigations should not be performed on an ad hoc basis.
• Educate your employees: Establish a corporate or global-level education program. “There has to be a steady drip of education and awareness training of what is a trade secret and how the organization protects them,” Mislock said.
• Create a written policy: The policy should present an overview of trade secret protection requirements, and it should include crucial information such as: the definition of a trade secret, including how it is classified in the organization; why the policy is important to the organization; employee responsibilities (both incoming and outgoing); visitor management practices; and audit and compliance procedures — at a bare minimum. Most importantly, Mislock said, it should be clearly stated that employee compliance with the policy is a condition of employment.
• Deploy IT protection tools: The FBI warns of “international spies and hackers probing online security systems” as a major vehicle for trade secret theft. There is no ‘silver bullet’ IT tool, but data encryption is a must, Mislock said.