By Phil Russo
Using today’s technologies, trusted staff, within a few short minutes, can copy, a company’s documentation, contracts ,ideas and even entire client database, that may have taken years and millions of dollars to develop. Once this information has been duplicated onto another device the staff can readily pass off the captured Intellectual property to a willing competitor or alternatively use that information to build a business in direct competition without the original company knowing their IP has been stolen, until all is seemingly too late.
Intellectual property theft typically occurs when an employee is seeking other employment or planning their own business venture by copying their current company data onto USB thumb-drives or Cloud services or by using third party email accounts such as Gmail to send protected data offsite to be stored for later access. It is very easy to complete costing the offending staff member nothing more than the simple cost of a USB thumb-drive and a few moments of indiscretion.
Often when I speak to clients about Intellectual property theft instantly they think ‘Intellectual property theft’…it’s a theft so Police will deal with it…but that would be a common misconception. Police do not readily deal with such matters, rather such occurrences need the attention of a Computer Forensic Investigator.
As a computer and mobile phone forensic expert I am seeing this new trend in IP theft constantly. Unfortunately the discovery of such behaviour is usually not until after the fact and the damage has already been done requiring triage and reactive damage control. It almost seems the acceptable process or work right, that when leaving their current work position they take with them the current company secrets to share with their next employee.
To combat such behaviors, some companies clumsily try to reduce this risk by walking resigned staff out the door, denying them access immediately to computer systems. In fact this is often too late. Typically the downloading of valuable company data has already occurred at least 2weeks prior or more (in once instance I recall an offender had stolen the data over 6 months prior).
I have also seen an attempt to curb the problem of stealing data by USB by super gluing the USB ports on every company computer. This attempt was not effective either. Normal processes and security measures may eliminate some of the low hanging fruit ways of theft but the more determined employees may consider it more a challenge to circumvent traditional IT security measures, these employees will often come up with very inventive ways of extracting electronic documents. In once such inventive and interesting case the offending staff member used a retail pair of sunglass that had a USB mp3 player built into them as the device to complete the IP theft.
Similarly to USB, the use of Gmail and other such free email accounts or Cloud network accounts easily facilitates IP theft. These vessels introduce further complexity of jurisdiction, passwords and privacy laws into the equation for post investigation and often requiring the necessity of lawyers and court orders to access evidence after the fact. In these instances, the forensic analysis of digital evidence in proving the use of USB and email accounts is essential in any such court action dispute.
Today, mobile phones, (especially smart phones), can be quickly used as either a storage device or a camera and record important information. It may sound a little high tech and spy like, taken from the pages of a James Bond novel, but these nefarious acts are completed in such fashion daily. Within such investigations, the forensic analysis of such a device proves its worth, as not only may prove the time and date a photo was taken but what geophysical location it was taken from.
In one instance I was engaged to investigate where a renowned chef was leaving his current restaurant employer. Her employee believed she had taken IP such as restaurant schedule plans, client information and other culinary secrets that they had developed and therefore all deemed as the company’s intellectual property. During this investigation, I completed a forensic review of the office computers finding not only data supporting evidence that information had indeed been whisked away (pun intended), but similar information from other from previous restaurants where this person had previously worked also was evident .
Another case, a multinational company lost a number of key senior personnel over a four month period. A competing company is soon formed and the clients from the original company are being contacted directly. After a court search order was granted a computer forensic analysis was conducted on the premises of the newly formed company. I discovered an elaborate plan involving past and current employees of the original company. Evidence included emails, skype conversations, dropbox folders, USB data transfers, had all played a part in this litigious jigsaw. Clear evidence was identified of intellectual property theft including the client data base and even in-house developed sales forms and ordering systems. This was worth millions to the original company and when presented with the forensic evidence an arrangement was made to compensate accordingly.
A third case example, an employee left a company to work for a competitor. This person was IT savvy. Before resigning from his original job he had a hidden false company employee account added to a mailing list which had access to all new incoming quotes. When he left the first company he took with him the access credentials to the mailbox account. As an employee at the new company, he was still able to download his old company’s emails. These emails contained quotes for business proposals which he was able to successfully underquote, time and time again, winning the work.
Digital forensics has traditionally been used to assist lawyers in acquiring and interpreting computer artifacts as evidence in a court ready admissible fashion. Computer Forensics is a niche area that your usual computer security person should not dabble in as they are not experts and hold no certifications and therefor may not be eligible to present as experts in court. Even the basic process of collecting digital evidence in a non forensic process , eg switching on a computer can alter or destroy such evidence and may become inadmissible. Computer forensics investigators are trained to counter such difficulties.
Often the discovery of IP theft is not until many months after the fact. This often presents other difficulties in conducting an investigation, as to facilitate the forensic analysis process requires physical access to the offender’s computer or mobile phone. These devices may no longer be viable as that company asset may have been distributed to other staff members, returned to a computer lease company or even sold off.
Typically after an intellectual theft the forensic process is protracted and expensive. Coupled together with ongoing lawyer and court fees, the client is soon presented with a decision to make – is it all worth it? After all, not every company’s secrets are worth millions if stolen. Often then initial investigation is an emotional reaction and then when realized, the case is dropped.
However with the use of proactive forensic technologies, there is a better and far cheaper alternative that if implemented correctly and may reduce the risk. The use of forensic network traffic interception, forensically journaled offsite mail depositories and proactive forensic acquisition strategies that will significantly reduce risk exposure to companies and small business alike are available at a fraction of the cost. Some insurance companies may even offer Cyber policies.
Securing your information is becoming increasingly difficult and with the focus of some newer privacy legislation, the older and more traditional security ways may prove ineffective as it seems the rights of the employer are becoming weaker while the employee’s rights continue to grow. Whatever your thoughts on this, if you are running a business be aware there are potential large risks to your company. Without proper attention there is little risk to the perpetrator whilst being tempted with a big reward by stealing your IP.
