Skip to main content

5 Security Flaws That Leave Corporate Counsel Blindsided by IP Theft

Author David Huberman

A common frustration for legal teams dealing with IP theft by employees is that it almost always ends up feeling like you’re left cleaning up after the parade — blindfolded.

Often, legal doesn’t find out about suspected IP theft until the consequences appear. A competitor brings a copycat offering to market. Regulators call to tell you there’s been a breach. Your security team catches something suspicious in an annual review. Or you read your company’s name (and all about the IP theft) in the morning headlines.

It doesn’t get any better when the after-the-fact investigation is hampered by the lack of visibility that allowed the theft to go unnoticed. The best (or only) option is often to hire an outside forensics firm to help figure out what happened, an extremely expensive recourse.

If you can figure out that an employee removed IP from your company, if the employee in question has already left, then your ability to “fix it” is limited. With states and courts limiting the enforceability of non-compete clauses, it’s harder than ever to prevent your IP from reaching a competitor if you are not alerted before a departing employee has started with the competitor.

Wouldn’t it be nice…

It would be great if legal wasn’t the last to know — if you were alerted while there was still time to prevent trade secrets from being exposed?

It used to be that companies could count on conventional, policy-based security tools to stop or block data exfiltration. But modern collaboration culture continues to make the policy-based approach less and less effective.

The traditional concept of a secure digital perimeter is long gone. Worker mobility and flexibility depend on cloud-based productivity and collaboration apps. And the reality is that businesses must accept some level of risk in order to compete in markets today; you simply cannot afford to let risk mitigation slow down the business, limit agility or stifle the collaboration and innovation of workers. And as data portability and user creativity increase, the policy-based prevention approach just can’t keep up.

Remote work trend amplifies IP risks, legal frustrations

Collaboration culture has been increasing IP risk for the last decade, but that risk took a sharp upturn in the first half of 2020. Well over half of U.S. knowledge workers are now working remotely — and experts predict many will remain remote as the future of work is reimagined.

These remote workers are connecting, collaborating, sharing and working in new ways. But legal and security teams know all too well that employee ingenuity and adaptability also increase the risk of workarounds and other risky behaviors.

5 reasons corporate counsel gets blindsided by IP theft

Since they’ve been around for over 20 years, it’s clear that the conventional, policy-based data loss prevention (DLP) and Cloud Access Security Broker (CASB) tools won’t protect IP on their own. Yet many companies continue using these tools as the foundation of their IP protection strategy. Here are five reasons that relying on policy-based tools alone will ultimately leave you with the familiar frustration of cleaning up after the parade:

1. Traditional security tools were designed for compliance —  not IP protection

Traditional policy-based security tools like DLP and CASB were originally built to address compliance requirements for regulated data like protected health information, credit card numbers, credit card numbers, etc. These tools rely on rigid rules to protect highly structured data types that are relatively easy to define, locate and build authorized-use policies around.

But now, many organizations are using these tools to protect IP — and IP rarely fits inside neat, tidy boxes like structured data. For example, IP may exist as a Word or Excel doc, or a CAD file. But a company doesn’t need to protect all Word documents — so how do they define which ones are valuable?

This takes them down the exhausting, expensive path of data classification. But because IP is constantly emerging and evolving, data classification becomes a never-ending task — and, let’s face it, you end up leaving new IP unprotected.

And that’s not the biggest problem: Businesses can’t simply lock down IP. In most organizations, the most valuable IP exists as living, breathing files that need to be edited, iterated, shared and advanced (think of source code, design files, go-to-market strategies, etc.). Limiting collaboration and innovation is a more serious risk to the business than valuable data leaving the organization — especially if you can quickly detect, investigate and respond to data theft.

2. Lacking visibility into off-network activity

Most traditional security tools are built to work within the relative digital perimeter of a LAN or VPN. This has been increasingly problematic for years with gradually growing remote workforces and cloud-based productivity and collaboration tools. But with well over half the workforce now working remotely — and only 10% consistently using a VPN — off-network activity is now an immense blind spot for many organizations. Security teams cannot monitor most day-to-day employee activities (even those involving movement of IP).

3. No way to parse Mirror IT

You probably know about the risks of shadow IT — unsanctioned app usage has become an even bigger problem as employees figure out new ways of working in this “next” normal. Savvy security teams are using leading CASB tools to help block unapproved sites and limit the usage of unsanctioned web-based apps. But there’s a less well-known problem called “Mirror IT”: situations where employees have both personal and professional accounts for apps like Gmail, Google Drive or Slack.

In these cases, CASB won’t help — after all, these are sanctioned sites and apps. And while DLP can tell you that a user moved a file on Google Drive, it can’t make the all-important distinction of whether that file moved to a personal or professional Google Drive account.

Smart security teams can piece together this answer, but that takes time — all while a potentially valuable file may be exposed. With remote workers living their socially distanced professional and personal lives via many of the same apps, this data security blind spot — and resulting slow investigation — is a growing risk.

4. Policy-based tools are difficult to fully apply

We’ve already talked about why conventional policy-based tools struggle with the unstructured data that makes up most IP today. But there is a more fundamental problem with the policy-based approach: You need to tell policy-based tools what to look for — what data, what users and what actions.

In the modern enterprise, in collaboration culture, these “whats” are evolving daily. This makes building effective policies incredibly complicated, and a never-ending challenge. So, it’s no surprise that a recent Forrester survey found that most companies with policy-based tools aren’t fully using their tools’ capabilities because they’re too difficult to build and administer.

Instead, most companies are only focusing their policy-based tools on users they see as the highest risk. Unfortunately, risks don’t always come from where you expect — and you can’t think of everything.

This limited approach leaves you exposed to all the risks you did not predict — which, if we’re honest with ourselves, is an awful lot of them. Worse yet: policy-based tools don’t know when they’ve been “beaten.” So, when a risk does go undetected by a policy-based tool, security and legal don’t find out about it until (much) later. Sound familiar?

5. Conventional tools look for exfiltration — but not infiltration

All of the problems we’ve covered so far focus on data exfiltration. But legal teams know that data infiltration and the risk of contamination of your own IP presents a major risk as well — not to mention a big headache for legal teams. If someone steals IP from a former employer and brings it to your company, you will need to ensure the IP is removed from your own systems and products. Here again, conventional security tools like DLP and CASB provide no assistance. The data actions that trigger alerts/blocking come from data leaving the company; they’re not designed to monitor or alert on new data coming into the company.

New ways of working require new data security strategies

The current reshaping of “normal” in modern workplaces presents major opportunities to reimagine and redefine everything from when and where we work, to how we protect and support work, wherever it’s happening.

Legal teams have the chance to partner with security, HR and other stakeholders to determine what risk looks like in the new world of work. It’s clear that, for almost every organization, this new landscape will be more cloud-based, collaborative and faster moving.

Businesses need to reexamine data security strategies to make sure they’re considering the way we work today — and not limited by tools designed for the way we worked before. This means considering all users (not just the ones someone thinks are risky), all files (not just the files you flagged months ago), and all the ways users move data today.

About the Author

As General Counsel, David Huberman leads Code42's legal affairs worldwide, including commercial transactions, licensing, intellectual property, general corporate matters, governance and litigation. David brings nearly 20 years of experience negotiating complex transactions, forging strategic relationships, and handling a broad range of legal and regulatory matters for private and public companies.

Profile Photo of David Huberman
Follow on Linkedin More Content by David Huberman