Research Indicates CEOs, Other Execs Routinely Steal Company IP

New study concludes that even the strongest data security policies and perimeters are no match for human emotion and behavior.

Insider.Threat

Security professionals have always contended that the weakest link in any security system isn’t the hardware or software—it’s nearly always a human or humans who interact with it.

A new study from information security vendor Code42, released July 24, bears witness to this once again, only this time the research reveals a rather disturbing trend: That a majority of CEOs and other business leaders, whose responsibility it is to oversee the protection of their enterprise’s most valuable assets, engage in exactly the type of risky behavior that jeopardizes their businesses' intellectual property.

Such are the foibles of humanity--only this particular type of foible can be extraordinarily devastating to a business enterprise if allowed to continue with impunity.

Knowingly Flouting Data Security Best Practices

In fact, Code42’s researchers found, a high percentage of executives admit to have knowingly flouted data-security best practices and company policies by doing one or more of the following:

  • taking intellectual property upon leaving their previous employer;
  • keeping a copy of their work on a personal device, outside the relative safety of a company server or in a company cloud;
  • clicking on questionable links, putting their data at risk from malware; and
  • downloading unsanctioned software.

Some of the conclusions of the study were:

  • Even the strongest data security policies and perimeters are no match for human emotion and behavior.
  • Without visibility to employee endpoints, IT can’t protect valuable company data. Yet, they’re expected to.
  • Despite the expense and effort of setting up security perimeters, CISOs and CEOs are planning for data breaches—stockpiling cryptocurrency and paying the ransom when they happen.
  • While companies know that prevention-only strategies don’t work anymore, most haven’t yet evolved to meet the new challenge.

IP Theft Widespread?

What were the most surprising aspects of this survey for Code42, outside of how widespread this IP theft practice is?

“I don’t think anybody in this industry should be particularly surprised about how widespread IP theft is by departing employees, but it is startling that Code42’s data security research uncovered that so many CEOs would admit to taking information,” Code42 Chief Information Security Officer Jadee Hanson told eWEEK. “I think the reason they walk away with their company’s IP and likely will continue to do so is that people feel entitled to their own work, so they probably don’t consider it stealing.

“And maybe they don’t even realize they’re stealing it because they aren’t knowledgeable enough about IP policies and regulations. If that’s the case, then I’d consider that to be alarming, too – if anybody, executives need to know the rules backwards and forwards.”

A couple of other findings in particular struck Hanson as surprising.

“It’s staggering that so many executives are stockpiling cryptocurrency to pay ransom,” Hanson said. “Our study showed that many executives have already paid a ransom, which is a very dangerous practice. For one thing, it enables and emboldens cybercriminals. From my standpoint, it shows how important it is for organizations to enhance their security plans beyond just prevention. A robust security program needs to include prevention and detection with a large focus on visibility across the environment.”

Nearly Two-Thirds of Respondents Breached in last 18 Months

As a CISO, Hanson said he found it startling that 61 percent of the respondents have been breached in the last 18 months.

“I expected the proportion of impacted companies to be high, but I did not expect that over half of the research respondents would have been impacted in that short timeframe,” Hanson said. “Securing your company’s information is not an easy job; it's important that focus be applied to not only prevention, but detection and full visibility as well. Being in security means that bad things will happen. When they do, you want to make sure you are positioned with the right visibility and recovery tools and services to bounce back.”

So what can infosec execs do about this? They are definitely caught in the middle.

“Infosec execs need to be proactively aware of what's going on in the industry and within their own organization,” Hanson said. “They need to be serious about educating their employees and turning them into data advocates.”

Code42’s data security study showed that three-quarters of CISOs believe they can enhance their security strategies by combining prevention and recovery together, so there’s definitely an awareness that strategies need to change. Four best practices that all CISOs should be doing every day, according to Hanson, include:

  • Take a proactive stance on data security beginning as soon as you hire employees by outlining their security responsibilities to your company. If employees are terminated because they didn’t meet their data security responsibilities, create an anonymous case study to use as part of your ongoing employee education training.
  • When an employee has submitted his/her resignation, reply by thanking them for their service, conducting an exit interview where you acknowledge that they’re trusted, remind them about adhering to company policy–and have them sign a document that summarizes IP law and their obligations to safeguard your corporate IP.
  • In terms of technology, have the type of solution in place that gives you visibility to data movement throughout the network in real time by identifying all types of files that are moved from a device, who is moving them, and when and where they’re being moved.
  • Follow up on all alerts in a timely manner. Communicate what you saw with the employee. It really doesn’t matter if it was a non-malicious or an actual malicious act. At that point, you’re just protecting your IP.

About the Data Exposure Report

The security, IT and business leader portions of the research for this report were conducted by Sapio Research, an independent research consultancy based in the United Kingdom. The survey was completed, via online response, during February 2018.

The research surveyed 1,034 security and IT leaders, including CSOs, CTOs, CISOs and CIOs, as well as 600 business leaders, all with budgetary decision-making power. All respondents came from companies with at least 250 employees. A total of 61 percent of the business leaders and 58 percent of the security and IT leader represent companies with more than 1,000 employees.

To check out the study, go here.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor of Features & Analysis at eWEEK, responsible in large part for the publication's coverage areas. In his 13 years and more than 4,000 articles at eWEEK, he...