While recent news implies that corporate spies, whistle blowers or unethical raiders steal proprietary data from far too many organizations, the reality is that even more often, the culprit is actually the insider, a trusted member of the team. In fact, recent surveys such as the Insider Threat Spotlight Report show that nearly half of the organizations surveyed have seen an increase in insider attacks over the last 12 months, with the biggest threat coming from managers with access to sensitive information.

Having - and enforcing - an Acceptable Use Policy will help prevent malicious or inadvertent misuse of corporate data.
Having – and enforcing – an Acceptable Use Policy will help prevent malicious or inadvertent misuse of corporate data.

While some of these (NSA contractor Edward Snowden) might be malicious, deliberate insider attacks (see NSA contractors Edward Snowden and even more recently, Harold Thomas Martin), other employees who share proprietary data with outside sources or take it with them to their next place of business might simply be unaware that it doesn’t belong to them. That’s either because they haven’t been trained on their organization’s Acceptable User Policy (guidelines on how network, website or systems maybe be used) or even worse, the organization doesn’t even have one in place.

So assuming your organization has implemented an Acceptable Use Policy, how are you communicating it to your employees? Do they truly understand that what they’re working on belongs to you ­ their employer? Do they know what you have a right to monitor their work computers and/or smart phones, including all communications transmitted by corporate electronic resources (i.e. email, text, social media, cloud computing)? Do they know how devastating it could be for the organization if the data gets into the hands of a competitor? Do they know that you are monitoring them for any anomalies in their behavior ­ and how?

Communicating this information with your employees ­ at any level – is a huge step towards preventing any unintentional insider-caused losses, as well as making more malicious attacks less frequent ­ or at least more difficult to accomplish, as they know they’re being tracked. Prevention saves time and money while creating awareness that builds professional and ethical behavior.

Since it’s better to communicate now rather than pick up the pieces afterwards, let’s delve deeper into what might need to be openly and regularly communicated across various departments, who each have access to different information.

  • Sales

A sales associate might have worked for your organization for two or three years, they are on the inside and are acutely aware of what makes you unique to your customers. They understand what sells and know the competition. They’re aware of pricing, cost and value. This person often feels that their contacts are theirs. When they leave, they are likely to stay in the same business‹to seek out the competition, and they see your customers as relationships that they’ve built and are entitled to retain. Not true. Help your sales team understand from day one that these relationships are the intellectual property of your organization. Contracts may spell out that relationship, so reviewing these regularly is important. With someone whose job is to talk to hundreds of prospects and customers, you can’t leave this to unwritten ethics rules.

  • Information Technology

IT staff hold your organization’s IP in their hands, daily. Behind the scenes, implementers and maintainers of your infrastructure contribute and interact with this data. If your offerings are software, apps and tools, it’s even more critical that engineers understand the sensitive nature of information and data, and how it should not be shared with any unauthorized third parties.

  • Financial

Those in the business side of your enterprise certainly traffic in sensitive data, with profits, costs, payroll and vendor relations at their fingertips. Obviously, much of this info needs to remain private, even within the organization. Publicly traded companies have their own set of rules for disclosure. While ethics in this role might be more built in than most, insider threats exist, and these employees need to be intimately familiar with what they can share ­ and with whom, and then sufficiently monitored.

  • Human Resources

HR teams regularly evaluate employees, review contracts, recruit, hire and fire, and unfortunately, they are not immune to the temptation of leaving your organization and taking your best practices with them. In the hands of a competitor, the effect on your HR operations could be dramatic, especially as labor markets tighten. Contractual relationships with employees are important, but if your HR is driven to litigate against every fire, you’ll find company culture can become negative very quickly. Instead of having to make a detailed, legal case for every person you let go, an ounce of prevention is certainly worth more than a pound of cure.

Manage expectations with HR staff, make them sensitive to the company and arm them as defenders of the brand, instead of big brother looking over everyone’s shoulder. This team is key to the wellness of your team ­ a huge source of insider threat intelligence that you likely aren¹t using. Failure to manage, guide and inspire HR will have a long-term negative effect.

  • Managers and Directors

While you might think that your senior staff ­ including managers and directors ­ are beyond reproach, or at least know what IP they can¹t take off site, they might need to be reminded a time or two. In fact, privileged users with more access and oversight often feel even more attached to the IP they oversee. Like those they manage, it is critical to manage expectations. If they are more aware of the tools used to monitor staff, such as user behavior analytics, they can see their own role in protecting company IP as that of guardian, and not as big brother. Indeed, that perception is critical to building trust and rapport within your organization.

The bottom line is that you need to explicitly communicate your Acceptable Use Policy to each member of your organization. Manage expectations and openly ensure everyone understands their personal responsibilities. Knowing what’s required of each of us, with clear intent, builds trust and can help prevent the loss of valuable IP.