The Newberry Group Blog

Archived Categories

Sort By: Title   |   Blog Date
Thursday, September 01, 2016

Technical Considerations for IP Theft - Part 6 in a 6 Part Series

(scroll down for parts 1-5)

Technical Considerations for IP Theft

Over the past 5 blogs, I have talked about IP theft and focused on two cases; one case that was done correctly and one case, which in my opinion could have been done better. Now I get to the question that organizations always ask after they have been through an IP case… Can IP theft be stopped or at least reduced?

Short answer is, no, theft of IP (intellectual property) can’t be completely stopped, but you can greatly reduce the ways that data is taken and the amount of data that is taken. On top of that, you can get alerted earlier that IP is being taken. There is no technology that is going to provide a silver bullet to solve all of your problems. To be honest, solving the problem does not even start with having the appropriate technology in place. It starts with those words that most people in IT hate; Policies and Procedures. Without strong, consistently enforced policies and procedures, putting in expensive monitoring technology could be a waste of time and money.

Review Your Policies

Most companies have at least some policies in place, but let’s be honest, how often do they get updated? How often is the employee handbook reviewed with employees? Do they just have to hand you a piece of paper saying they read it? How well versed is IT in the polices that are out there? Has IT seen these policies and agreed they are enforceable with the current technology that is in place? Is an after action review held after every incident of IP theft so policies and procedures can be reviewed and updated? Do you have policies in place that address BYOD (Bring Your Own Device), Cloud or Social Media? Or is it still not mentioned? If the answer is no, to any one of those questions – you may already have unwittingly made it easier for people to get away with stealing IP.

Policies are pretty easy. They are NOT paragraph after paragraph of bloated legal language. Policies need to be short and to the point. It is my opinion that a policy should be no longer than 3 sentences. With that being said, most policies can be written with one sentence. Think of this as a policy “Any device that connects to the corporate network will be monitored” or “ABC Company allows employees to use their own phone for work as long as they sign the BYOD agreement”. These are  both short and to the point. There is no question what they mean, however the meat of a policy is in the procedure that is attached to that policy. A policy may stay the same for years, but the procedures for that policy may change often. These procedures can be very detailed and in a lot of instances, are written based on the type of technology that the organization has in place to enforce the policy.

Now let’s jump to that new hire. Did they get a handbook or at least some corporate documentation when they started? While I am not an HR specialist, I have learned over the years that certain paperwork needs to be given to an employee or your IP theft case could potentially get thrown out. Some of the key documents that every employee needs to be given on the first day of their employment are:

  • Acceptable Use Policy
  • Email and Internet Usage Agreement
  • Confidentiality Agreement
  • Proprietary Information Agreement

And when an employee leaves:

  • Return of Company Property Document (Employee signs at departure)

Most of these documents are self-explanatory, but there are a few things that I want to highlight. Work with your legal counsel so the documents confer the message that the employee has “no right to privacy” and that the company has the “right to monitor”. Without these two statements, many types of technology that you could use to detect theft of IP would be an invasion of privacy in the workplace, and your case could potentially get thrown out. We also recommend that companies go one step further and create a logon banner for the computer or when a device first attaches to their network that states there is no right to privacy and they will be monitored. In addition, it is important that the policies also state that data is company property not just devices like so many people initially think.

Another important step is to make sure that you have a termination plan which ensures that everyone who leaves the organization, either voluntary or involuntary is handled the same way: access to all their accounts are shut off, devices that are the property of the organization are returned, and the return of company data and documents is verified. Suggestions for inclusion into the termination plan:

  • Creation of a “Return of Company Property Document” which would be  signed by employee upon termination or resignation and verified by IT,
  • Outline when IT is notified of an employee’s departure,
  • Outline when IT shuts off all access to all accounts the employee has access to.

You would be surprised how often this step is skipped because HR doesn’t tell IT right away when someone leaves.

  • Outline the creation of forensic images of all the electronic devices and network shares, including hard drives, corporate email, USB devices, home and public network shares,
  • Determine when you will ask for and create forensic images of any BYOD item that the employee was allowed to use while employed, this would be outlined in the BYOD agreement,
  • Determine a place to store all images which is a secure and fault tolerant location,
  • Outline who will wipe their work hard drive,
  • And after the drive has been wiped, when to re-install the corporate standard “gold” image.  If you don’t have a “gold” image, we suggest one be created and be used moving forward.

After you are done with the creation of a termination plan, it is time to create a forensic readiness plan. This plan is designed to outline, depending on the employee that leaves, what if any forensics investigation will be done on the employee’s devices that they returned, which were imaged during the termination process.

The last thing that needs to be in place is a corrective action and reporting plan. This plan is created with help from your human resources (HR) folks. Once you put technology in place to detect the theft of IP, it will also pick up “other issues” inside the organization that will need to be handled. IT and HR need to make sure that everyone is treated the same, no matter who they are. If you are not consistent in the ways you treat employees, you could face a wrongful termination claim in the future. Consistent enforcement of this plan will hopefully prevent that from happening.

Corporate security as a Tootsie-Pop[i]: IP Theft Detection Technology

Now that you have gotten your policies and procedures in order, it is time to think about what technology you might want to have in place to help with the detection of data leaving. I refer to corporations and their security as a Tootsie-Pop, you know with the hard crunchy shell and a soft gooey center.

Corporations spend millions to keep people out that don’t belong, with firewall and IDS/IPS devices. While these types of devices are very important for all organizations to have in place, they forget that sometimes, the largest danger is from within the organization, the trusted employees. I call this Internal Threat Management. 

For years, Internal Threat Management has been a manual process. Just as I outlined in my previous blogs, a corporation thought that they might have a problem for various reasons and they sent the devices for us to look through for signs of IP Theft. This manual detection process is a good start, but with anything that is manual there is a chance that something can get missed or the employee is technically savvy and was able to cover their tracks.

As technology has gotten more advanced, we are moving Internal Threat Management into a world where corporations are starting to be able to automatically prevent data from leaving. This advanced technology makes things easier to demonstrate corporate compliance, instills confidence in the organization, and most importantly, saves time and money. A lot of people for simplistic reasons, call this data loss prevention.

When you dig into data loss prevention, there are actually two main areas, Device Control and Network Content Monitoring.

Our first recommendation of technology to put in place is Device Control. Most employees that take IP with them on departure do so by using USB drives. Device control allows you to know what external devices have been hooked up to the system. Depending on the technology chosen, you will be able to:

  • See what files/folders have been copied on/off the device,
  • Allow or deny specific devices depending on a list of variables,
  • Make copies of all files that have been copied into a “safe area” so that they can be later viewed for investigation reasons (note: don’t make this the “C Drive” as it is easy to wipe),
  • Make devices read only,
  • Allow coping/moving of files based on a list of variables (i.e. block MS Word files, but allow photos),
  • Block coping of files based on keywords.

For example, a client of ours which has device control in place, upon the departure of an employee will pull up the device control logs for that employee to see what actually happened prior to the employee leaving. Those logs are then compared to the Return of Company Property Document to help with validation that all devices and IP has actually been returned.

Previously, I mentioned reverse IP theft, which is when a new employee brings that stolen IP from a previous employer in to use at your company. Another advantage of Device Control is that it can be setup so that it detects data coming onto your network, giving you a warning that reverse IP theft may be happening.

Network Content Monitoring is another type of technology we highly recommend to put in place to detect IP theft. This technology is a lot like an IDS/IPS device in that it watches network traffic. However, this technology watches traffic going in both directions for actual content. Meaning it is looking for readable text and looking for key words or concepts. Depending on the technology, it can also be setup to block content. We do not recommend that companies block. Blocking is very dangerous, as critical time sensitive documents may inadvertently get blocked due to content, so be very careful if you turn on blocking and be ready to respond to angry employees 24/7 when there are emails that don’t get sent.

For content monitoring, we highly recommend that you work with a 3rd party to monitor these logs so that no one with a potential conflict of interest is monitoring the logs. In addition, depending on the technology you choose, you might also identify HR related issues that need to be addressed which will call for utilizing your corrective action plan. Note: It is very important to have your updated policies and procedures in place before you turn on network monitoring. It will save time and headache in the long run.

Lastly – remember to do an after action report on every investigation of theft of intellectual property, no matter the result  After action reports (AAR’s) are formal documents that are essential in evaluating performance, identifying areas of improvement within your policies and procedures, and proposing adjustments and recommendations for your policies, procedures, and implemented technology.

As you can see, stopping IP from leaving your company is not as easy as flipping a switch. It takes many moving parts to make the system work properly. Having HR, IT, and Legal all involved is necessary for it to be successful along with the proper technology and forensic services.

Newberry Group provides an array of solutions that can assist an organization in minimizing the loss of IP. Some of these include:

  • Security Program and Policy Development. Newberry aligns your business practices with contemporary risk models and effective governance to protect and support sustained growth. We provide recommendations for your team to implement, or we can manage and guide the process of establishing best practices in your organization.
  • Forensic Analysis of new and departing employee activity. Through our New Hire Program and Departing Employee Program we analyze digital evidence to determine what data is coming in to and out of your organization. Just as you are concerned with theft of your IP, you should also be concerned with IP that has been stolen from a competitor that is brought in.
  • Forcepoint’s SureView Insider Threat detects suspicious activity, whether it is a hijacked system, rogue insider, or simply a user making a mistake. It ensures that your intellectual property or regulatory compliant data is not compromised.
  • ForeScout CounterACT for Network Access Control (NAC) is an automated security control platform that lets you see, monitor, and control everything on your network—all devices, all operating systems, all applications, all users. ForeScout CounterACT lets employees, contractors, and guests remain productive on your network while you protect critical network resources and sensitive data.
  • Forcepoint’s TRITON AP-DATA and AP-ENDPOINT extends data security controls to enterprise cloud applications and to your endpoints. Safely leverage powerful cloud services like Microsoft Office 365, Google for Work and, as well as protecting your sensitive data and intellectual property on Windows and Mac laptops, both on and off-network.

For more information about these products or any others that we offer, contact us at and we will be glad to have a discussion about what is best for you.

[i] Tootsie-Pop is a registered trademark of Tootsie Roll Industries and

Posted by: Jeremy Wunsch
 | permalink

Leave a comment
*First Name  *Last Name 
*Email Address
*Type the code below into the textbox.