Xiaolang Zhang walked into his job at Apple on a day last April when he was supposed to be on vacation. The CCTV cameras caught him leaving with a large box containing a Linux server, circuit boards, and cables, but otherwise no one paid any attention.
What he carried out the door included “copious pages” of intellectual property from his time on Apple’s autonomous car project. It is not known how much, if any, he transmitted to his new employer, a Chinese startup. Apple’s suspicions were raised by the “evasive” way he later tendered his resignation, and the misadventure culminated in FBI agents searching Zhang’s home and eventually arresting him trying to board a plane to Beijing.
We hear all the time about employees leaving for a competitor, and taking trade secret data with them. A 2009 Ponemon Institute survey found that a whopping 59% of employees who had left their jobs in the previous year had taken company information out the door.
Less discussed is the matter of mergers and acquisitions, and the perfect storm they create around insider threats.
First, even the specter of M&A activity produces anxiety in the workforce. The possibility of layoffs, relocations, or reassignments can put employees into survival mode, looking out for number one by hoarding intellectual property that will, if nothing else, serve as work samples in a future job hunt.
Second, a lot of dust can get kicked up when combining operations between two different companies. While changing infrastructure, migrating responsibilities, and acclimating employees to new policies or processes, it can become much more difficult for even careful observers to know what normal activity looks like. The lack of a new baseline can allow abnormal activity to slip by undetected.
Finally, the kicker: there are ways to mitigate these problems, but only if you start before they become problems in the first place.
Lock It Down
The first way to protect your company’s intellectual property is to lock it down to the greatest extent that will still allow your employees to be productive. Organizations must consider these core access control principles every time they grant access to data:
- Least Privilege – employees only have access to what they need to perform their jobs
- Separation of Duties – build checks and balances to prevent a single rogue employee from having the “keys to the kingdom”
- Rotation of Duties – periodically rotate access to put fresh eyes on the situation and prevent long-term abuses
This can certainly be taken to extremes, and devolve into a maze of employees asking each other for fragments of information. To avoid that, start with the simple approach of granting access only after asking, “Why should this employee have access to this information?”, rather than “Why shouldn’t they?” Role-based access controls can only be effective if the organization guards against “access creep,” where new permissions get added but old ones do not get taken away. We’ve all seen coworkers who still have a line into information from a previous role in the company, just because their access was never turned off. In fact, the 2009 Ponemon study mentioned earlier reported that 20% of employees surveyed still had network access over a week after they had left the company entirely!
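As an added illustration of the two failure modes above, access creep and accounts that outlive their owners, here is a small access review that reconciles granted permissions against role entitlements and departure dates. This is example code, not from the article; the roles, users, permissions and dates are constructed sample data.

```python
"""Access review: flag 'access creep' and orphaned accounts.

Added example, not from the original article. Role entitlements, user
records and departure dates below are constructed sample data.
"""
from datetime import date, timedelta

# Constructed role -> permissions map (what each role should have)
ROLE_ENTITLEMENTS = {
    "engineer": {"source-repo", "build-system", "wiki"},
    "finance":  {"erp", "wiki"},
    "manager":  {"hr-portal", "wiki"},
}

# Constructed directory export: current role, granted permissions, departure date
USERS = [
    {"name": "alice", "role": "engineer", "granted": {"source-repo", "build-system", "wiki"}, "left": None},
    {"name": "bob",   "role": "manager",  "granted": {"hr-portal", "wiki", "source-repo"},    "left": None},
    {"name": "carol", "role": "finance",  "granted": {"erp", "wiki"},                         "left": date(2019, 3, 1)},
]

# Constructed review date
AS_OF = date(2019, 3, 15)

def review_access(users, entitlements, today, grace_days=7):
    """Return findings: permissions beyond the current role (creep) and
    accounts still provisioned past their departure date (orphaned)."""
    findings = []
    for u in users:
        if u["left"] is not None:
            if today - u["left"] > timedelta(days=grace_days) and u["granted"]:
                findings.append(("orphaned", u["name"], sorted(u["granted"])))
            continue  # a departed user's role entitlements no longer matter
        # bob kept "source-repo" from an earlier role: that is access creep
        extra = u["granted"] - entitlements.get(u["role"], set())
        if extra:
            findings.append(("creep", u["name"], sorted(extra)))
    return findings

if __name__ == "__main__":
    for kind, who, perms in review_access(USERS, ROLE_ENTITLEMENTS, AS_OF):
        print(f"{kind:8} {who:6} {', '.join(perms)}")
```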
Monitor, Not Just Collect
Even more recent than the case of Apple’s insider is the story of Hongjin Tan, a scientist for the petroleum company Phillips 66, who attempted to take a trove of intellectual property to a new employer in China. His unusual network activity, and the fact that he had been downloading proprietary files to multiple personal USB drives, was only discovered AFTER his resignation prompted a closer look. In a remarkable statement from the US Attorney’s office announcing a criminal complaint, it was stated that “The value of the trade secrets in this case is estimated to be more than $1 billion dollars.”
The story mirrors Apple’s experience. Apple’s sudden scrutiny into Zhang revealed that his activity on their network had “increased exponentially compared to the prior two years of his employment” as he prepared for his departure. The fact that Apple could compare Zhang’s recent network activity to that of his previous two years means they were collecting the activity data all along.
Companies must be careful not to mistake “collecting activity data” for “monitoring.” If the data is not being regularly reviewed and compared against a baseline of expected, normal behavior, or if the baseline is too generic to provide actionable results, the collection becomes only an after-the-fact tool, as it did for both Apple and Phillips 66.
Companies should consider tools such as User Behavior Analytics, which uses algorithms to spot behavioral anomalies and point security analysts in the direction of compromised credentials and other potential misuse.
A steady history of baseline employee activity will also help the company navigate the uncertainties that can accompany a merger or acquisition. It will provide a more reliable starting point for establishing the new normal when the aforementioned dust gets kicked up while integrating operations.
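As an added illustration of comparing recent activity against a per-user baseline, here is a small detector run over constructed daily data-export records. This is example code, not from the article or any of the companies named; the log lines, the user names and the ratio threshold are constructed for illustration.

```python
"""Baseline comparison over constructed activity logs.

Added example, not part of the original article. Log lines, thresholds
and user names are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed daily export-volume records: "YYYY-MM-DD user megabytes_out"
LOG = """
2018-01-08 alice 120
2018-01-09 alice 95
2018-01-10 alice 130
2018-01-11 alice 110
2018-02-05 alice 105
2018-02-06 alice 3200
2018-02-07 alice 4100
2018-01-08 bob 60
2018-01-09 bob 70
2018-02-06 bob 65
2018-02-07 bob 80
""".strip().splitlines()

RECENT_START = date(2018, 2, 1)  # constructed boundary between baseline and recent window

def parse(lines):
    """Yield (date, user, megabytes) tuples from the constructed format."""
    for line in lines:
        d, user, mb = line.split()
        yield date.fromisoformat(d), user, float(mb)

def find_anomalies(lines, recent_start, ratio=5.0, min_baseline_days=3):
    """Compare each user's recent daily volume to the median of their own
    earlier days; return users whose recent mean is at least ratio x baseline."""
    baseline, recent = defaultdict(list), defaultdict(list)
    for d, user, mb in parse(lines):
        (recent if d >= recent_start else baseline)[user].append(mb)
    flagged = {}
    for user, recent_vals in recent.items():
        base_vals = baseline.get(user, [])
        if len(base_vals) < min_baseline_days:
            continue  # not enough history to call anything abnormal
        base = median(base_vals)
        current = sum(recent_vals) / len(recent_vals)
        if base > 0 and current / base >= ratio:
            flagged[user] = round(current / base, 1)
    return flagged

if __name__ == "__main__":
    for user, factor in find_anomalies(LOG, RECENT_START).items():
        print(f"{user}: recent volume is {factor}x the baseline median")
```

Note that bob is skipped for lack of history rather than reported as normal: a short baseline is itself a gap worth tracking.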
Train Like a Champion
Security professionals know that the weakest point in any organization’s security program is the people. The people, who are perhaps the company’s largest expense, also spend their days interacting with the critical data that is foundational to the company’s competitive edge. They must be mobilized to provide added security eyes and ears in the course of their daily business.
In the case of Phillips 66, coworkers were aware of Tan having traveled to China to interview with a competitor. At Apple, no special notice was taken of Zhang carrying a box of equipment out of the building when he was supposedly on vacation. In fairness, both of these activities can be completely benign, but should serve as data points in employees’ broader charge to be on the lookout for suspicious behavior. Such data points can only be expected to raise a red flag if employees have been receiving regular security awareness training telling them as much.
A long-term security awareness campaign can educate employees and supervisors about potential security concerns that individually appear small, but which can aggregate into a legitimate problem.
“Of all the words of mice and men, the saddest are, ‘It might have been.’” – Kurt Vonnegut
The theme among these three strategies is that they represent a marathon, not a sprint, to adequate security. Companies exploring merger or acquisition activity would be well advised to check in on how successfully they are fulfilling these goals. The adequacy, or lack thereof, could certainly come to light during M&A due diligence, but if an employee rumor mill has already started to kick up dust, it may be too late to contain the problem entirely.
The best course of action, regardless of M&A plans, is to consider your intellectual property to be a temptation to insider theft. Expect that 59% of your employees who depart will try to take something with them. By deliberately planning ahead, you can lessen the blow.