26 Intellectual Property Experts & Business Leaders Reveal the Biggest Misconceptions Companies Have About Insider IP Theft
When it comes to cybersecurity, insider threats are a significant concern for businesses, but insiders can also put your intellectual property at risk. Employees may already have access to your company’s IP, which can make it easier to steal your company’s trade secrets and other IP. That said, there are several misconceptions companies have about insider IP theft, such as:
- It won’t happen to our company.
- Our trade secrets aren’t valuable enough for someone to steal.
- IP theft is only committed by disgruntled employees.
- Traditional cybersecurity technology can fully protect your IP.
- IP theft is only carried out by individuals.
- IP theft requires sophisticated hacking and only occurs after-hours.
- …and more.
The truth is that every business is at risk of insider IP theft, and it probably won’t happen the way that you think it will. In fact, insider IP theft could be happening right now, under your nose, and it can have devastating consequences. Understanding the common myths surrounding insider IP theft and how it actually works is crucial for protecting your company’s valuable intellectual property from theft, whether it's from inside or outside threats.
For more insights into these and other common misconceptions companies have about insider IP theft — and what you should know to ensure your IP is adequately protected — we reached out to a panel of intellectual property experts and business leaders and asked them to answer this question:
“What are the biggest misconceptions companies have about insider IP theft?”
Read on to learn what our panel had to say about the biggest misconceptions you might have about insider IP theft — and what you should know to protect your IP.
Joel MacMull
Joel MacMull is the Chair of Mandelbaum Barrett P.C.’s Intellectual Property Brand Management and Internet Law Practice.
“There are a few misconceptions that businesses have regarding insider intellectual property theft…”
The first, and beyond the naïve take that it doesn't happen to us, is the idea that intellectual property theft does not occur in connection with soft goods. Not so. There has been a marked increase in counterfeiting activity in the apparel industry during the pandemic, as consumers increasingly turned to online retailers, in some cases exclusively, for their purchases.
Online sales, of course, are easy venues for the sale of counterfeit merchandise. And, in some cases, as has been shared with me by my clients, the counterfeiters have been former employees. Employees have access to marketing budgets, sales demographics, and often original artwork, often making them ideal entrants into the counterfeiting space.
One reason for the recent explosion in counterfeiting is a decrease in budgets. As supply chains have tightened, revenues have dropped, impacting intellectual property enforcement budgets both domestically and overseas. Consequently, as fewer resources are devoted to overall brand protection, counterfeiters, employees, or otherwise, become more cavalier and less concerned with the consequences of their actions.
This is particularly true where the counterfeiters are present employees and have access to insider information concerning where a company's enforcement efforts will be concentrated, in turn avoiding markets or channels of trade where the company's focus lies.
Craig R. Smith, Esq.
Craig is a trial attorney who helps clients protect and defend their inventions in complex intellectual property litigation. Craig has represented technology companies of all sizes, from Fortune 500 companies to start-ups, including entities such as Webasto, MIT, and Bose in intellectual property litigation throughout the country and the world.
“Some companies believe that intellectual property theft…”
Happens to other companies, but not to them.
They are shocked when one of their own employees steals company secrets. When companies think it cannot happen to them, they tend to be less vigilant in performing background checks on new employees, monitoring access to IP and trade secret information, and educating employees on protecting IP and reporting suspicious activity.
Morshed Alam
Morshed Alam is the Founder & Editor at Savvy Programmer.
“The biggest misconception companies have about insider IP theft is…”
That it only happens to big companies with valuable trade secrets.
In reality, any company with any type of confidential information is at risk. Insider threats can come from employees, contractors, or even business partners who have authorized access to your systems and data. The best way to protect yourself is to be aware of the risk and take steps to mitigate it. Some things you can do include:
- Educating your staff on the importance of data security and what constitutes a breach
- Restricting access to sensitive information on a need-to-know basis
- Implementing strong physical and IT security measures
- Monitoring employee activity for signs of unusual or unauthorized use
Rob Bartlett
Rob founded WTFast in 2009, and as CEO, he has continued innovation and commercialization of WTFast's emerging technologies. He focuses on research, spurs the development of new solutions, and makes connections with new partners and investors.
“Most assume most insider IP theft is intentional, but that’s not the case…”
Most IP theft is inadvertent, with employees either accidentally or thoughtlessly keeping an old employer’s IP on their personal computer.
While, for the most part, the information isn’t misused, it still is a serious liability for the former employer since that information could fall into the wrong hands if the ex-employee's computer is ever compromised. While the risk is small for each individual case of inadvertent IP theft, that danger is compounded when strict workplace policies aren’t enforced for employees’ personal laptops and there is a continuous, steady stream of leaking IP.
James Jason
James Jason is the Founder and CEO of Notta AI, a SaaS company that provides automated software that converts audio to text in a matter of seconds.
“The biggest misconception companies have about insider IP theft is…”
That they don't have the time or resources to protect themselves.
Many companies think that they are too small to be targeted by malicious attacks, or they think it won't happen to them. First of all, every company is a target. No matter your size or industry, chances are that you'll face some form of insider IP theft.
For example, you'd be surprised how many small businesses still use floppy disks! But the good news is that there are ways to protect against insider IP theft in any company, regardless of size and industry. A good software program can monitor and track data transfers, preventing and detecting insider IP theft.
Mike Chappell
Mike Chappell is the Founder of Formspal, an online platform that supports communities and individuals regardless of their gender, age, nationality, or religion by offering high-quality legal forms online.
“High-level security technology, such as SIEM, is frequently misunderstood as being capable of detecting and preventing IP theft…”
Technology is unable to distinguish human behavior from logs and system events. From logs, you can't learn enough about people's aims and motives.
Did you know that dissatisfaction is a significant factor in many cases of IP theft? When an insider request is denied, it typically produces unhappiness, which lowers motivation to engage and decreases loyalty. Negative emotions are difficult for machines to detect as a threat, and businesses routinely ignore these red-flag behavior warnings.
Perhaps most importantly, intellectual property theft is undetectable until the data has been stolen. To put it another way, the opportunity window can be quite small. That's why it's so important to pay close attention to potentially harmful behavioral signals.
Kristen Bolig
Kristen Bolig is the CEO and Founder of SecurityNerd.
“One big misconception about IP theft is…”
That it's only done by a single person.
Instead, the theft can be initiated by an outside person who recruits insiders who have access to the IP. Sometimes several insiders are recruited until the proper access level is reached.
It's rarely ever stolen to be sold, either. It's usually stolen to be given to rival corporations or foreign governments.
Josh Nelson
Josh Nelson is the CEO of Seven Figure Agency.
“The biggest misconception companies have about insider IP theft is…”
That insider risk is just a training issue.
Training is only one part of the equation. Yes, security training is required to make employees aware of security standards, but more transparency and better technology are also required. Humans make judgments primarily based on three factors: time, risk, and reward.
I'd want less security policy awareness training and more instruction and openness aimed at making staff more risk-aware. Do they fully comprehend the dangers of transferring business data from their endpoint to their private Dropbox account? Do they realize the dangers of sharing data on Google Drive? Will they second-guess opening a browser and uploading that company strategy document to their personal productivity cloud app?
Employees who are aware that file activity such as this is being monitored are less likely to engage in risky behavior. The mere understanding of the company's and their own danger is a powerful deterrent. Of course, we'll need the technology to accomplish it, and we'll need it to do so without disturbing employee productivity or violating privacy.
Chun-Kai (CK) Wang
Chun-Kai (CK) Wang is Co-Founder & CEO of a mobile gaming studio called Kooapps. Kooapps has made over 30 titles, including Snake.io, Pictoword, and Stacky Bird.
“In case of IP theft, many people might point their fingers at the IT administrators as…”
They have access to all the computers and servers of a company. But this is a misconception. According to many sources, in most IP theft cases, most of the current employees with access to IP steal the IP.
It’s generally believed that the insiders steal the IP to sell it. But some may steal it to benefit from it by taking it with them to a new job, to start a business on their own, or to benefit a foreign organization or government.
With the perception of what we see in sci-fi movies, many believe that IP theft happens after business hours and that it requires high-tech hacking. IP theft happens during office hours and, in many cases, during the time of resignation.
Edward Ratner
Edward Ratner is the Founder and CEO of Edammo Inc.
“The biggest misconceptions companies have about insider IP theft are…”
1. People believe that IP thefts happen only after hours and that doing so requires sophisticated hacking.
Most IP theft happens around resignation, and it’s a quick job. In most documented cases, IP theft happens during office hours and within one month of resignation. Many steal IP slowly over time and commit their theft during resignation.
2. It’s generally believed that intellectual property theft is typically executed by an individual or a single person.
IP theft can be initiated by someone who might not have access to IP themselves. They can conspire with others who have access to IP to steal it. This can also be done to benefit a foreign organization or government. For example, a Chinese EV company Xpeng stole some of Tesla’s IP to benefit itself.
Michael Miller
Michael Miller is the CEO of VPN Online, one of the fastest-growing media companies in the cyber-security space.
“The biggest misconception companies have about insider IP theft is…”
That it's a problem that can be solved with technology alone.
While it's true that perimeter security measures like firewalls and data encryption can help to protect against outsiders, they're not enough to stop an insider who's determined to steal company secrets.
The best way to combat insider IP theft is to take a comprehensive approach that includes both technology and people. For example, employees should be given regular training on security best practices, and companies should consider implementing employee monitoring software to help identify potential threats.
By taking a multi-pronged approach, companies can better protect their valuable IP from both external and internal threats.
Wojciech Syrkiewicz-Trepiak
Wojciech Syrkiewicz-Trepiak is a Security Engineer at Spacelift.io.
“Companies in almost every critical infrastructure sector have been victims of insider IP theft…”
Insider threats fall into two categories: negligent and malicious acts that put business-critical data at risk. Malicious threats arise from current or former employees, business partners, or contractors who have access to inside information about the company's data, IP, security practices, and computer systems.
There are some common misconceptions companies have about insider IP theft, such as IT administrators being the biggest threats as they hold the key to the IP kingdom. However, this cannot be further from the truth. According to a somewhat older study done by the Insider Threat Division of CERT, there is no observable case in their database that shows IT administrators stealing IP.
Another misconception is in regards to malware/phishing being the main issue with insider risk. While it may be partially true as the problem creates space for many gray areas, the likelihood of an employee emailing themselves files using their email account or uploading sensitive files to a random app is bigger than them clicking on a malicious link.
Eric Florence
Eric is a Cybersecurity Analyst at Security Tech. With a strong commitment to online security and digital freedom, Eric is working hard to deliver the content and analysis his audience is looking for. His other passions include web development and finding new ways to use VR.
“The biggest misconception regarding intellectual property theft is…”
That it requires intense hacking, and that the thieves are stealing it to sell it.
Overwhelmingly, IP theft is perpetrated by an insider to start a competing business or take it to an existing competitor. While IP is stolen via hacking and/or sold on occasion, it is much less frequent than an employee taking it to compete with the company.
Greg Kelley
Greg Kelley is one of the founders of Vestige Digital Investigations, a leading U.S. Electronic Evidence Experts company specializing in Digital Forensics, Cybersecurity, and ESI services. As the CTO, Greg leads Vestige's Digital Forensic and E-Discovery services.
“The biggest misconception is…”
That insider IP theft only happens when employees leave.
What companies need to realize is that it starts, innocuously, almost the moment an employee joins an organization. The use of BYOD devices (personal smartphones or tablets) or the use of shadow IT (personal Dropbox or OneDrive) leads to employees putting company data on platforms that are not under company control.
This placement of data is done for legitimate reasons, allowing employees to work from home or in other remote locations. The issue, however, is when that employee leaves, all of that data is now outside of the company.
Sometimes this theft is caught, and sometimes it isn't. Oftentimes a forensic examination looking for this theft after an employee leaves a company is only done in certain circumstances, or the scope of analysis is restricted to the last six months. Companies instead need to consider how to control their data on BYOD devices and control the use of shadow IT.
Trevor Larson
Trevor Larson is the CEO and Founder of Nectar, an employee recognition HR software company that helps teams and businesses of all sizes unlock the power of employee recognition.
“A worryingly high number of companies still appear to believe…”
That only senior staff with access to board-level secrets pose a risk.
The reality is that any staff member — no matter their position within the company — can be an insider threat. Internal IP theft is a serious problem and one that all businesses need to be aware of.
In fact, a lot of corporate espionage attempts target lower-level employees in the hope that they will have less security awareness and be easier to dupe.
Jeremy Clifford
Jeremy Clifford is the founder and CEO of Router CTRL, one of the fastest-growing websites in the technology market. Jeremy’s been working in the technology market as a network specialist and engineer for almost 20 years now.
“When it comes to insider IP theft, companies often have a lot of misconceptions…”
They may think that only disgruntled employees can be responsible for stealing company data or that the threat is only from overseas hackers. However, these are not the only threats that businesses face.
Many companies believe that most insider IP theft results from malicious intent. In reality, most incidents of insider IP theft are unintentional, often the result of carelessness or ignorance. Employees may not realize they're violating company policy by downloading sensitive data to a personal device. For example, they may not know that sharing confidential information with a third party is against the rules.
Often, companies are more concerned about malicious insiders than they need to be. Yes, these employees can pose a serious threat, but malicious insider IP theft is also relatively rare. The vast majority of insider IP theft is committed by employees who don't realize they're doing anything wrong.
Insider IP theft can be prevented with the proper training and right policies in place. By educating employees on what constitutes confidential information and what doesn't, you can help them avoid accidentally violating company policy.
People also think that insiders only steal trade secrets or confidential information. In reality, insiders can steal a wide range of intellectual property, including patents, trademarks, and copyrighted material. While trade secrets may be the most valuable type of IP, they're not the only kind worth protecting. Any type of intellectual property can be a target for theft, so it's essential to have security measures to protect all of your company's IP.
Sebastian Schaeffer
Sebastian Schaeffer is the co-founder and CTO at Dofollow.io.
“I'm always astonished when I speak to CEOs and other senior executives about the biggest insider IP theft risks to their companies…”
And they are of the impression that it's primarily disgruntled employees that are responsible. In reality, the vast majority of insider IP theft is carried out by well-meaning employees who simply don't understand how their actions could expose their company to serious risks.
There are several reasons why this misconception persists. I think part of it has to do with the fact that we all tend to view cybersecurity through the lens of Hollywood movies and TV shows. We assume that attacks are sophisticated, highly coordinated operations carried out by elite hackers who have all the time in the world to plan their attacks.
In reality, most insider IP theft is carried out by employees who have legitimate access to the company's systems and data. They may not be trying to steal anything, but their actions can have serious consequences. For example, an employee might email themselves a copy of a sensitive document so they can work on it at home. Or they might download a free software tool that turns out to be malicious. Or they might even leave a laptop unattended in a coffee shop with sensitive files open and unencrypted.
Eric McGee
Eric McGee is a Senior Network Engineer at TRGDatacenters. A major part of his role entails monitoring the security of company networks and developing network security protocols.
“The biggest misconception companies have about insider IP theft is…”
That it's a rare occurrence.
In fact, it's estimated that up to 80% of all intellectual property theft occurs from within the company. This can be attributed to a number of factors, including the fact that employees often have access to sensitive documents and information, as well as a desire for advancement or higher status at their current job.
Another common misconception is that insider IP theft only happens when someone leaves a company or retires. As mentioned above, it can happen while they're still employed there — and many companies are unaware of it until they find out through an audit. It's important for CIOs and other company executives to educate themselves on these risks and take steps to protect their company's assets before it becomes too late.
Ben Richardson
Ben Richardson is a Senior Software Engineer at SecureW2, a passwordless authentication provider.
“The biggest misconception I’ve come across is…”
That insider IP theft is always malicious.
From my experience, even well-meaning employees can contribute to insider IP theft. Many of these employees don’t realize that what they’re doing is jeopardizing the company.
For instance, research shows that more than 50% of employees believed it was acceptable to take documents home from work if they were related to personal projects — but in reality, this practice could be devastating for your business. This is why it’s essential to educate employees about what constitutes confidential information, how to handle such information, and what the consequences are when they fail to follow those rules.
Yang Zhang
Yang Zhang is the CEO of Plasmic.
“I've noticed some corporate leaders discussing insider IP theft as if…”
It's solely done with malicious intent or for profit.
Good employees don't necessarily 'go rogue' and commit IP theft. Sometimes it happens without them realizing it.
There are the standard hacks that lead to a loss of your IP — the phishing and spoofing attacks that employees fall victim to. Yet sometimes these bad actors aren't malicious hackers working from unknown locations. They can also be people the employee is acquainted with, friends even, who want access for their own opaque reasons. Even simple curiosity or online clout may be enough for them to try to use their ‘in’ at your company to steal.
You really need to educate employees on the 'why' of your IP protection efforts. Public cases of IP theft at other companies that have risked operations make good case studies for this. No company leader wants to imagine what would happen if their business fell victim, but helping employees understand those potential costs is important. IP theft is seldom perpetrated by just one person, but all it takes is one person to break the process chain to thwart an attempt.
Ouriel Lemmel
Ouriel Lemmel is the CEO and founder of WinIt, a LegalTech solution helping consumers fight their legal battles.
“The biggest misconception companies have about insider IP theft is…”
That IT administrators are the biggest threat.
People think that because of their in-depth knowledge of technology and their high-level access, IT admins are the prime suspects in IP theft. However, there is no real evidence to support this claim. The bigger threat is actually from employees like engineers, programmers, and salespeople who already have authorized access to that intellectual property.
John Tian
John is the Co-Founder of Mobitrix, a U.S.-based iPhone solution provider for data transfer and iOS system errors, etc.
“The biggest misconception companies have about IP theft is…”
That it's an individual act.
The truth is that most IP theft is committed by insiders who work in groups, so companies should focus on their security policies and management systems rather than focusing outwards only.
Another common belief is that hiring a specialist is the only way to combat IP theft. However, the best way to prevent IP theft in a company is to hire two or three new employees at a time who are cybersecurity experts and have some expertise in preventing insider attacks.
Additionally, companies tend to believe that insider IP theft, such as when a former employee steals intellectual property, is rare. This misconception can lead businesses to fail to take preventative measures and overlook warning signs, making it easier for hackers to steal sensitive information.
Daniel Hofmann
Daniel Hofmann is the CEO of Hornetsecurity. Daniel Hofmann has been an independent entrepreneur and security industry influencer since 2004. In 2007, he founded Hornetsecurity and developed services for secure email communication, including spam and virus filters.
“Insider IP theft is the unauthorized disclosure, use, or sale of a company’s confidential information or trade secrets by someone who has access to it…”
This can include employees, contractors, vendors, or customers. Insider IP theft can result in significant financial losses for a company, as well as damage to its reputation.
There have been several high-profile cases of insider IP theft in recent years, including:
- In 2018, a former Tesla employee was arrested for stealing trade secrets from the company.
- In 2017, a former Google employee was arrested for stealing trade secrets from the company.
Common misconceptions companies have about insider IP theft include the following:
- One of the biggest misconceptions companies have about insider IP theft is that it only happens to large businesses. In reality, any company can be a target, regardless of size.
- Additionally, companies often believe that insider IP theft is only committed by disgruntled employees. However, anyone with access to sensitive information can be a potential thief, including contractors, vendors, and even customers.
- Another misconception is that insider IP theft can be prevented by simply implementing security measures, such as access control lists and data encryption. While these measures can help deter and detect theft, they are not fail-safe.
How can companies protect against this?
There are a number of steps companies can take to protect themselves from insider IP theft, including:
- Educating employees about the importance of protecting sensitive information and the consequences of theft
- Implementing security measures, such as access control lists and data encryption
- Regularly monitoring and auditing employee access to sensitive information
- Investigating any suspicious activity or unauthorized access to sensitive information
- Taking disciplinary action against employees who engage in IP theft
Consequences of insider IP theft
The consequences of insider IP theft can be significant, both for the targeted company and for the individual who commits the theft.
Companies can suffer financial losses as a result of insider IP theft, as well as damage to their reputation. Additionally, the stolen information may be used to compete against the company or sold to others. In some cases, companies may be forced to shutter their business entirely.
Individuals who engage in insider IP theft can also face a number of consequences. They may be subject to criminal charges, which can result in fines and jail time. Additionally, they may be sued by their former employer and be ordered to pay damages.
Insider IP theft is a serious problem that can have significant consequences for both companies and individuals. Companies need to be aware of the risks and take steps to protect themselves, such as by educating employees and implementing security measures.
Paul Tracey
Paul Tracey is a cybersecurity expert and the Founder & CEO of the managed security service provider firm, Innovative Technologies. He is also a cybersecurity educator, national speaker, and the author of Delete the Hacker Playbook.
“As employers, we all want to believe that we have…”
Done sufficient due diligence, that our employees are brought into our company culture and mission, that overall people are honest, and that insider IP theft is highly unlikely to happen — especially in a small to medium-sized business. To misunderstand or underestimate the financial motivations behind insider theft is the best way you can open yourself up to this type of activity.
You do not need to have a substantial gripe with your company to feel the financial pressures of today's world. The belief that the main reason that data is stolen is for competitive advantage from an employee leaving to start their own company is just wrong.
There are billions of dollars being spent to acquire this data, and there is a ton of money to be made by selling it. This risk is amplified by a larger number of employees resigning as we saw during the pandemic. IT departments need to be on alert for this type of activity and have a plan to detect/respond when appropriate. This issue will continue to increase in the future, and having an effective and efficient program in place is the best way to defend against it.
Volodymyr Shchegel
Volodymyr Shchegel is the VP of Engineering at Clario, a cybersecurity company and app aimed at making cybersecurity accessible to all.
“Companies need to realize that even with the most sophisticated cybersecurity system in place, there is no accounting for human motivation and behaviors…”
Cybersecurity always has a human element, so preventing insider IP theft starts with giving employees a structured, fair outlet for grievances and creating a positive work environment.
It sounds cheesy, but it’s just true — disgruntled and vengeful employees are almost always perpetrators of insider IP theft. Meanwhile, IT management and administration (who are generally more financially secure in their roles with room for advancement) rarely steal IP despite having the most access to sensitive data.
In short: a solid cybersecurity plan must be bolstered by creating a work environment where employees feel they can advance and are treated fairly to reduce any vengeful motives that can serve as a catalyst for these attacks.
Viputheshwar Sitaraman
Viputheshwar is a tech consultant for the likes of Fortune 100 corporations and award-winning startups (i.e., Inc. 5000, Forbes 30u30, and Thiel Fellowship alums). He is also a serial startup founder and the youngest American to raise venture capital.
“The general consensus is that (at least for now), startup founders should not forgo traditional IP protection in favor of NFTs…”
However, NFTs can offer stopgap protection while you wait for the USPTO to grant you formal protection. For instance, a SaaS startup could use NFTs to limit and track the distribution of their software (i.e., to control licensing agreements with smart contracts).
NFTs can be part of your IP strategy, but they cannot entirely replace it. After all, the NFT in itself isn’t necessarily valuable on its own (it’s just data: a unique, digital representation of a physical or digital item).
A patent, however, is universally valuable as it is protected by both U.S. and international IP laws and enjoys the protection of global treaties — one huge legal advantage that NFTs may not ever share.
Too many companies make the mistake of thinking that they’re too small to be a target of IP theft, that insider IP theft is only carried out by disgruntled employees, and that it requires sophisticated hacking techniques, among other misconceptions. Being aware of the insider risks to your intellectual property is crucial for taking appropriate steps to keep your valuable IP secure.