
Bring your own corporate espionage risks

By Kristin Casler, featuring insights by David Long-Daniels, Global Co-Chair of Greenberg Traurig LLP's Labor & Employment Practice Group

 

So, you’ve let your employees bring their own devices (BYOD) to work. And they’re happy about it. They seem to be more productive and are able to share and collaborate from anywhere. And then one of them leaves for a competitor and takes with him volumes of company documents—all on the personal device you approved. Nothing says “thank you” like stealing corporate information. You’re welcome.

 

A costly caper

 

A global survey commissioned by RSA (the Security Division of EMC) and Microsoft, called The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk, showed that companies invest heavily in compliance and in guarding against accidental leaks. However, the report said, employee theft of sensitive information is 10 times more costly on a per-incident basis than accidental loss.

 

Most estimates for the cost of corporate espionage are in the billions. Granted, many of those thefts are by outsiders hacking in. But more and more, the culprits are the trusted employees, often executives. According to an O’Melveny & Myers LLP study, A Statistical Analysis of Trade Secret Litigation in Federal Courts, such actions are growing exponentially. The data show that trade-secret cases doubled in the seven years from 1988 to 1995, and doubled again in the nine years from 1995 to 2004. At the projected rate, trade-secret cases will double again by 2017. In over 85% of trade secret cases, the alleged misappropriator was someone the trade secret owner knew—either an employee or a business partner.

 

And yet a survey by the Cloud Security Alliance found that nearly 41 percent of respondents do not implement mobile device security software in order to access corporate systems or data, with an additional 24 percent of respondents saying mobile devices are not allowed direct access to corporate systems.

 

Greedy and vindictive

 

David Long-Daniels, Global Co-Chair of Greenberg Traurig LLP’s Labor & Employment Practice Group, knows this situation well; his practice focuses on corporate espionage. Planning for BYOD before you permit it is critical to protecting your interests. You should have policies that address not only what occurs while the employee is employed, but also what happens when the employee departs.

 

Some companies, he said, have a policy allowing the company to wipe clean the section of a personal device that has access to company files. Others have policies allowing them to wipe the entire device—which, by the way, violates federal privacy laws. And some companies do nothing, and the employee walks away.

 

It is quite common for an inner-circle executive who is privy to strategic plans to be courted by competitors. These valued employees command a higher salary and are promised promotions and bonuses. They simply download data, contacts, customer information or whatever will help their new company prevail in the market. In a case involving an accounting firm, the departing employees not only transferred all customer data but destroyed it at the company they were leaving.

 

One former executive had downloaded 12,000 documents into the new company’s computer. Another colleague left with even more documents. They were hired by a competitor to create a new division in the competitor’s company. This happens ALL the time. They know they’re leaving. You don’t.

 

The prevention is in the planning

 

The bottom line is that if you are going to have BYOD, plan for it in every phase of employment. There is no point in advocating against BYOD—though that would be the preference. Everyone wants it, so an all-out ban is unrealistic, but good policy and practice are essential. Make certain your BYOD policy is clear and protects company and employee privacy. Employees, who should read and sign the policy, must know which devices are permitted, what they can do with them, and what the penalties are for policy violations. It should include a prohibition of downloading files to home computers.

 

David Lingenfelter, information security officer for MaaS360 at Fiberlink, an IBM Company, said the majority of his clients are more concerned about employee privacy with BYOD than with espionage risks.

 

Use security technology to its fullest

 

Technological advances permit companies not only to remotely wipe data from a mobile device but also to compartmentalize company and personal data, so that the two never meet, no matter what type of device is used. This “container” concept equally protects company and private data, Lingenfelter said. It also can permit encryption of critical data and access only through authentication, which are vital security defenses.

 

Generally, Long-Daniels said, executives should avoid sharing too much. Keep your sharing circles small and your documents password-protected. If it is important, don’t email it.

 

You also need someone savvy in your IT department to keep an eye out for large file transfers. IT needs a way to immediately detect devices out of compliance with company policy—and to automatically respond.

 

While BYOD is the scary new bully on the block, Lingenfelter cautioned that wayward employees can deliver the same nastiness with a corporate-owned device if they want. It is still up to the company to make sure every aspect of its security protocol is adhered to.