On
While many companies are preoccupied with external cyber threat actors, the insider threat cannot be overlooked. Innovative companies - especially technology and life sciences firms that create and receive sensitive data, like source code and clinical trials data - can learn valuable lessons from cases like this to reduce the risk of damaging data theft by a trusted insider. If companies fail to act, and sensitive data "walks out the door," they may lose the benefits of time and capital invested in developing their products, jeopardize their strategic partnerships, and alienate investors.
Key Takeaways From the Hytera Indictment
Ignorance Is Not Bliss
Insider threats are real concerns and are not going away any time soon. However, far too many companies - especially emerging ones - completely ignore the risk. To be sure, winning teams are built on trust, and innovators need to move quickly to capitalize on opportunities. A common and understandable reaction to proposals to establish controls to manage insider threat risk is that they could harm the business's culture, stifle collaboration, and create drag for fast-moving teams. On the other hand, it makes little sense to invest in infrastructure to guard against incursion by outsiders while ignoring the risk that a trusted insider might steal the company's "crown jewels," compromise its network, or leak sensitive information. In short, it takes only one employee or contractor to wreak havoc on a company when controls are lacking and management ignores the threat. Third parties - be they competing firms, criminal actors, or foreign intelligence services - are poised to capitalize on this vulnerability, as the
Defense in Depth
The
- Physical security measures, such as perimeter controls, locks, security guards, cameras, gates, and ID badges;
- Administrative measures, including employee training, codes of conduct, confidentiality agreements, onboarding and offboarding procedures, data minimization and classification; and
- Technical measures, including granting access to file shares and data repositories on a "need to know" basis, data loss prevention tools, network activity logging, internal penetration testing, encrypting data at rest, and locking down removable media and third-party file sharing services as vectors for data exfiltration.
Operational responsibility for these controls cuts across corporate roles and functions. An effective insider threat mitigation program can only succeed if an integrated approach is championed by management and executed collaboratively across teams.
Shared Data, Shared Responsibility
When companies collaborate and share data, they must consider whether adequate insider threat risk controls are in place. Frequently, emerging companies will look to form strategic partnerships with larger, more mature players. The emerging companies should expect to answer questions about what they are doing to mitigate insider threat risk, as well as other threats to the confidentiality, integrity, and availability of shared data. Likewise, the more mature firms should address insider threat risk as a specific consideration when vetting partnerships and shared-data arrangements.
Action and Reaction
As difficult as it may be to fathom that a trusted employee might steal trade secrets, companies should have a plan for dealing with this possibility. An effective plan should cover how an internal investigation should be conducted (and by whom), how and what evidence should be collected and preserved, whether and when to notify law enforcement about the situation, and what legal actions may need to be filed to mitigate the harm (e.g., an emergency restraining order). Developing an insider threat response playbook - and testing it in a simulated exercise - can make the difference if the worst-case scenario presents itself.
Conclusion
With vast amounts of capital being invested in emerging companies and steep competition among firms for talent, insider threats will continue to pose serious challenges to securing proprietary data and trade secrets. While there is no "magic bullet" to prevent insider threats, companies of all sizes should proactively develop, implement, and maintain appropriate physical, administrative, and technical security controls to reduce the risk of insider threats and protect valuable company information. Or, to tweak a familiar riddle: If an employee steals trade secrets, and no one is around to hear it, does it make a sound?
E-mail: JScalzi@goodwinlaw.com
URL: www.goodwinprocter.com
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source