Media Room

dedicated, diverse counsel helping you reach your goals

 

Promoting a Culture of Security: Is It the Most Important Step in Protecting Trade Secrets?

 
by John Marsh 17. February 2012 10:00

There is an important article in today's online edition of Forbes entitled "10 Security Essentials For CIOs" by Kristen Lovejoy, Vice President of IT Risk at IBM. While the article is directed at CIOs, its recommendations equally apply to, and and should be used by, outside lawyers, in-house counsel and human resources managers to ensure that the trade secrets within their organization are protected. It is an easy and quick read, but a powerful one.

I won't repeat each of steps that Kristen outlines but I will emphasize the first:  "Build a Risk-Aware Culture." She uses a compelling metaphor to reinforce her point:

"Think of the horror that many experience if they see a distracted parent on a cell phone while a child runs into the street. That same intolerance should exist, at a company level, when colleagues are careless about  security. Management needs to push this change relentlessly from the very top down, while also implementing tools to track progress."

We are inundated by new technology and the growing, and at times seemingly overflowing, risks presented internally and externally by those that might compromise it. That technology, however, has little value if the individuals within the organization do not use it and do not consistently enforce its use by others. 

I could search Bartlett's Quotations or Google for an effective quote about the importance of culture in an organization but I think we all innately know that as human beings, through the process of osmosis, we respond to and are directed by the actions and directives of the organization around us. The actions of senior management and other influencers invariably filter down to others who take notice, consciously or unconsciously, and incorporate that behavior into their own. There are few things more corrosive to an organization than a leader or manager who violates the rules or fails to apply them to his or her own conduct.

Conversely, there is no more effective teaching tool than the actual conduct of a diligent manager or leader. If decision-makers act responsibly, others will invariably follow. Reinforce those actions with formal procedures and education, and you build a culture step-by-step over time. 

It is no different with security. I had the privilege of speaking last May at the American Intellectual Property Association's Spring Meeting with Malcolm Harkins, Intel's Chief Information Security Officer. When Malcolm got up to speak, I expected his presentation to be heavily oriented to the technical protections that a sophisticated company like Intel was using or advocating to others. Instead, Malcolm's primary message was the importance of building and reinforcing a culture of security at Intel.

Take a look at the news this week. Nortel's trade secrets were stolen from senior management over the course of a decade by hackers. Lawyers are increasingly the targets of cyberattacks because they are perceived to be less careful than their clients in their infrastructure. Like it or not, it is now the world in which we live. Focusing on security and envisioning how to make it part of your organization's culture is the first and most important step to protecting trade secrets and confidential information.

 

The Great Debate: Protecting Your Trade Secrets and Managing Personal Devices in a Dangerous World (Part II)

 
by John Marsh 13. December 2011 16:30

In the first installment of this post last week, we looked at the emerging BYOD (Bring your own device to work) movement and the IT community's concerns about security. This week, in Part II of that post, we drill down on those security issues and look at what others are doing to address them.

Security concerns: The first and greatest security concern arises from the complication of retrieving confidential information and trade secrets before an employee resigns or is terminated. If an employee has copied, transferred or downloaded that information into his or her personal device, the risk that everything has not been returned, deleted or destroyed increases significantly. 
 
The second concern is carelessness: in a widely reported story earlier this year, an Apple employee apparently left his unreleased iPhone 5 prototype at a bar, causing understandable angst within Apple.  
 
The third concern, as we noted last Friday, is the fact that mobile devices and employees are increasingly being targeted by cyberthieves. As Symantec reports, one third of data breaches in 2010 occurred through mobile devices. A popular means of penetration is using Trojans that pose as legitimate apps, which are then uploaded to mobile app marketplaces in the hopes that an employee may download and install them into them their phones, which will then in turn allow malicious code to enter into the employer's infrastructure. This means of attack, coupled with the target efforts at individuals because of the ability of crooks to gather information about them through social media, will only likely increase.
 
So what can a company do? The first step before implementing a new policy should be to find out who is accessing the company's servers and what devices the employees are using. Until that audit is conducted, the company literally has no idea who is tapping in to its servers.  Once it understands what devices are being used and by which employees, it can evaulate the type of policy that may fit its business.

Not surprisingly, the degree to which an employer imposes a personal device policy depends largely on what type of “work” the employee will be performing on his or her device.  An employee’s use of his personal smartphone or laptop to access email will likely face little opposition from the employer, so long as the email is accessed through a web-based program such as Webmail. Because Webmail is Internet-based and allows the employee to access their email account from literally any computer in the world, accessing email from the employee’s personal device is of little consequence. The company already has internal security measures in place to protect the access of email on the Webmail server (through, among other things, the use of an https:// address).

Security is of greater concern, however, where the employee seeks to “tap in” to an employer’s exchange or other internal server. If not blocked, that access is easy for the employee, with even the iPhone or Droid default email program allowing access to the exchange server with just the simple input of the employee’s username and password. 

Companies that elect to allow their employees to access exchange servers or other databases which house sensitive or confidential information should consider requiring those employees to download a program or application onto their device which gives the IT department the ability to monitor the employee’s use of the server and “wipe” the device should it become lost or compromised. Of course, employees may be more reluctant to allow their IT departments access to their personal devices, the same ones on which they store photos of their children, their favorite music, and applications which access personal Facebook or Twitter accounts. For personal devices, employees obviously have a greater expectation of privacy than the work-issued laptop that they might also use for personal reasons.

Marisa Viveros, a VP for Security at IBM, recently outlined the following practical steps a company and its employees can take right now to protect their work and personal data:

  • Make sure you protect access to your device with a password or PIN to keep intruders out if the device is lost or stolen.
  • Only download applications from well-known, trusted sites.
  • Make sure you install system updates and run anti-malware as prompted.
  • Back up your data on a regular basis.
  • Have the ability to track your phone and remotely wipe all its data if it is stolen. You can easily find an app that will allow you to do this.

Finally, an employer who wants to err on the side of extreme caution when it comes to protecting its confidential information (including trade secrets) should either: (a) not allow employees to use personal devices for work purposes at all; or (b) require those employees to install on whatever security measures are necessary to protect the information on those personal devices. Its employees might not be happy about being given such an ultimatum, but those employers should also be prepared to offer a work-issued device to the employee if they are expected to be “available” after 5:00 p.m. If you don’t want your employees using their personal devices to access the email exchange server, then you may have no choice but to give them (and pay for a data plan for) a Blackberry or comparable device. 

As they have in the past, employers and employees will eventually figure out how to balance the competing concerns of convenience and security and shape a policy that best fits that company. In the meantime, there will invariably be bumps along the road as they figure out how best to integrate these technological issues into the workplace. (A special shout-out to my colleague Phil Eckenrode, a vocal member of the BYOD community, for his hard work and assistance with this post.)

 

The Great Debate: What to Do about the Use of Personal Devices and Trade Secrets (Part I)?

 
by John Marsh 8. December 2011 11:00

One of the more important debates percolating within the trade secret community, as well as society at large, is what to do about the use of personal electronic devices. The colliding realities of today's 24/7 workplace and the increasing security risks posed by the use of devices outside the protective sphere of a company's infrastructure are bringing this issue into focus.  IT managers and CIOs are not the only ones talking about this issue; national media, including Forbes, the New York Times and the Wall Street Journal, have noted the tension betwen these forces in many recent articles.

To give this topic the attention it deserves, I am going to divide it into two posts. Part I will address the data and issues that are driving this problem to the front of the desks of many in-house lawyers, HR managers, CIOs and IT managers; Part II will address the security issues and what companies are doing, and can do, to reduce or eliminate this security risk.

The Facts Driving the Debate: One thing is clear, and that is that employees want to be able to use their personal devices for work. According to a survey, 35% of IT managers say they are under increased pressure from employees to offer greater flexibility for the use of personal devices. 

The reasons why employees want to use their personal devices for work are straightforward: (1) an individual employee is much more likely to keep up with ever-changing technology, as opposed to the employer, who as a matter of practical economic reality cannot match that pace (on average, companies upgrade their computers and other devices only once every three years); (2) employees, who are going to own their own devices regardless of their employer’s policy, don’t want to have to carry two smart phones, two laptops, etc.; (3) employees are expected to perform more work from home and many times after 5 p.m., so they do not want to be saddled with what they perceive as relatively “outdated” office technology while on (what was previously) their personal time; and (4) employees simply prefer working from a device with which they are comfortable and familiar, a fact reflected in their purchase of that device. These facts are unlikely to change anytime soon.

Those advocating the increased use of employee devices have coined the phrase “BYOD” (Bring Your Own Device) for those companies and firms that allow for greater use of employee devices.  Proponents claim that BYOD benefits the employer as well because it saves the company money, increases employee morale, and allows their employees to be more available after hours. However, as one opponent of BYOD commented, after identifying the legal, security, and logistical problems that accompany employees’ use of personal devices: “BYOD, you say? Better follow it up with BYOB, because you’ll want something to dull the pain.” (See Erik Sherman's recent take in the Wall Street Journal article, "Should Employees be Permitted to Use Their Own Devices for Work?"  John Parkinson presents a nice defense of the BYOD position in the same article, some of which is incorporated above).

The Great Unknown:  Now for the frightening part:  recent research and surveys suggest that few companies and IT departments are adequately prepared – let alone adequately educated – to address the relevant issues head-on. According to a November 21, 2011 Citrix press release, a recent global survey by Citrix revealed that 62% of small and medium-sized businesses have no internal IT controls in place to manage employee-purchased smartphones, tablets, laptops, and other devices.  

Even more alarming, the Citrix survey found that 45% of the IT managers surveyed were unaware of all the devices being used to access their servers.  I am going to repeat that statistic -- nearly half of those IT managers could not identify all of the devices that were accessing their servers.  Probably for that very reason, 57% of IT managers polled are most concerned about the security implications of employees using personal devices to conduct business.

We've confronted the issue and the facts on the ground.  Now, in next week's Part II of this post, we will look at the practical consequences and what companies are doing, or can do, to protect themselves. 

 

Spear Phishing and Whaling: Will Your Employees Take the Bait and Expose Your Trade Secrets?

 
by John Marsh 4. November 2011 16:30

Analysts estimate that companies will spend more than $76 billion this year on cybersecurity; however, the greatest security risk may be posed by their own unsuspecting employees. A danger called "spear phishing" is causing more and more sleepless nights for information technology departments trying to prevent their colleagues from inadvertently compromising their companies' confidential information.  

Spear phishing is an e-mail fraud attempt that targets specific individuals within an organization, seeking unauthorized access to confidential data or trade secrets. Spear phishing attempts are not typically initiated by hackers but by perpetrators specifically seeking financial gain, trade secrets or military information.  In order to succeed, spear phishing really requires three things: (1) The supposed source must appear to be a known and trusted individual, (2) it must contain information within the email that validates that the source is who he/she claims to be, and (3) the request being made seems to make sense to the recipient.

To pull this off, many fraudsters troll for publicly available information on the Internet to build digital dossiers on the employees they target. This process has become known as "social engineering" and in the age of LinkedIn, the details of a potential target's career and responsibilities may be on the web for all to see, and for some to misuse in an email that may sound more credible.

Experts say it is not "technically difficult" to search for websites hosted by a specific provider and obtain e-mail addresses of the registered owners and administrators. With the information in hand, the employees receive a phishing e-mail requesting them to log in to confirm or update some information.  The fraudsters are then able to intercept the username and passwords used to manage the sites.

How serious is the problem? Well, Symantec recently reported that at least 50 companies, many of them in the defense and chemical industries, have been attacked through spear phishing efforts aimed at stealing research and development data. The “Nitro” attacks, as Symantec called them, started in late July 2011, and lasted through September. Two months ago, more than 400 Websites hosted with domain registrar GoDaddy were compromised, redirecting unsuspecting visitors to a malicious site, in an apparent spear phishing attack. GoDaddy admitted that "many" sites hosted on its servers had their Apache configuration files modified to include rules to redirect visitors to another domain. GoDaddy's security team identified approximately 445 hosting accounts that had been compromised and ahd cleaned up the affected accounts within the next day.

Junior or inexperienced employees are not the only ones being duped. In 2008, nearly 1,800 senior executives took the bait of messages masquerading as an official subpoena requiring the executive to appear before a federal grand jury. The emails correctly addressed CEOs and other high-ranking executives by their full name and included their phone number and company name. Recipients who clicked on a link that offered a more detailed copy of the subpoena were taken to a website that informed them they had to install a browser add-on in order to read the document. When they clicked "yes," a back door and key logging software was installed that stole log-in credentials used on websites for banks and other sensitive organizations. This practice of targeting high profile recipients is better known as "harpooning" or "whaling."

How can companies protect themselves?  A recent Wall Sreet Journal article noted that corporate IT "needs a new defense doctrine," quoting RSA's head of identity protection, Uri Rivner. "You need to have security cover inside your organization, rather than your perimeter. You need to understand what your users are doing, and then spot any type of suspicious activity inside." RSA was the subject of a well-publicized spear phishing attack earlier this year; after that attack, RSA purchased a firm called Netwitness that monitors network traffic for suspicious patterns.

Other companies have invested in technology that moves employee-generated network activity (such as that from a personal iPad or iPhone) into a separate network, so that the risk of employees inadvertently introducing viruses into the company's systems are minimized. 

Another approach some companies are using to prevent the unsuspecting disclosure of log-in and passwords is through the use of key codes. This technology, also known as two-factor authentication, provides employees with an algorithmically generated number that can only be used for a limited number of log-ins.  Employees typically enter the key code after their username and password. This safeguard may be particularly useful in protecting information on employees' iPhones, Droids or other similar devices.

Other companies have even gone so far as to stage spear phishing attacks against their own employees to make sure they are alert to these dangers. According to the Wall Street Journal, former hacker Kevin Mitnick has built a new career out of offering training on social engineering and hacking techniques, and running test attacks on companies to help executives and employees understand how vulnerable they are. "There is always a way to manipulate somebody by changing their perception of what is reality," says Mitnick.

At the end of the day, none of these safeguards can replace employee vigilance against the fraudsters trying to dupe them. Companies should consistently remind employees about good practices, such as never emailing a company username and password, even if they think the request is from their supervisor or from their IT department. In short, it comes down to training and reinforcing a culture of security and vigilance.

About John Marsh

John Marsh Hahn Law AttorneyI’m a Columbus, Ohio-based attorney with a national legal practice in trade secret, non-compete, and emergency litigation. Thanks for visiting my blog. I invite you to join in the conversations here by leaving a comment or sending me an email at jmarsh@hahnlaw.com.

Disclaimer

The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.

BlogRoll

Download OPML file OPML