Security Technology Executive

JAN-FEB 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/107544


COVER STORY

"We are playing politically correct — we don't want to single out the Chinese," Kingstone says. "When 80-year-old blue-haired ladies start stealing American secrets, we should start prosecuting and profiling them too."

blueprints off the internet," Kingstone says. "Obviously, we are all putting locks on our doors — some with keypads, some with swipe cards, some with biometrics — but the thing you really need to protect, the Achilles' heel of all businesses, is the insider threat.

"Somebody who's an employee has the keys to the kingdom — the swipe card, the door code, the registered fingerprint — that's the person, the employee who has not been properly vetted, who can make 10 or 20 times their salary by stealing millions of dollars worth of information from your company," Kingstone continues. "They can do it simply by putting it on a thumb drive that goes in their front pocket."

First, organizations must have a detailed vetting process to weed out potential threats. "I hate to say it, but if you get a foreign exchange student who is fresh off the boat, he is working for the Chinese government — he was allowed to come here in the first place because he is working for them," Kingstone explains. "We are playing politically correct — we don't want to single out the Chinese. Well, when 80-year-old blue-haired ladies start stealing American technology secrets, I think we should start prosecuting and profiling them too. Instead, we don't want to make anyone feel uncomfortable, so we put our entire nation at risk."

Establishing a Program

A strategic response to trade secret theft must start with your organization's senior leadership, Mislock said. That means getting full support and understanding from the C-suite and the board.

From there, you as a security executive should spearhead a full trade secret protection policy, with the goal of educating all employees as to why the policy is needed and important, along with periodic evaluation for continuous policy improvement.

Here are Mislock's first steps that you as a security executive can take to initiate a strategic trade secret theft mitigation plan:

• Identify the process owner: Who owns this process and will lead it in your organization — is it the CSO, general counsel, CISO or someone else?

• Establish a steering team: Representatives should include key organization departments, including legal, HR, compliance, audit, security, R&D and engineering, and any other key company stakeholders.

• Establish senior-level oversight: This is a body of senior organizational executives to whom the process owner must report on a regular basis about progress and policy changes as they become relevant.

• Clearly define roles: Every part of the company has a role in enforcing trade secret theft mitigation policies. "Many times companies have good policies and protection standards, but they haven't really done the basic job of defining who does what," Mislock said. "Every single person in your company has a role to play, and those definitions should be in writing."

• Establish trade secret risk managers: Each business unit should have one. "It is imperative that the business leaders of a company understand it is their duty to protect trade

10 Steps for Corporate Espionage Prevention

The FBI has provided the following 10 baseline steps that business and security executives can take to protect corporate trade secrets:

1. Recognize there is an insider and outsider threat to your company.
2. Identify trade secrets and implement a plan for safeguarding them.
3. Secure both physical and electronic trade secrets.
4. Confine intellectual knowledge to a need-to-know basis.
5. Provide training to employees about your company's intellectual property plan and security.
6. Do not store private information vital to your company on any device that connects to the Internet.
7. Use up-to-date software security tools. Many firewalls stop incoming threats but do not restrict outbound data.
8. Educate employees on e-mail tactics such as phishing. Establish protocols for quarantining suspicious e-mail.
9. Remind employees of security policies on a regular basis through active training and seminars. Use signs and computer banners to reinforce security policies.
10. Ask the FBI or other security professionals to provide additional awareness training.

SECURITY TECHNOLOGY EXECUTIVE • January/February 2013 www.SecurityInfoWatch.com
