Neil Miller looks at the challenges of internal intellectual property protection

Your organisation's intellectual property (IP) is at risk from internal theft if the relevant security measures and prevention cultures are not implemented correctly or effectively.

Ask yourself how many times your employees have e-mailed confidential proposals, sales presentations or client marketing information to their personal internet accounts so that they can work from home. And now ask yourself what happens to that confidential information when an employee is made redundant, sacked, or is employed by one of your competitors.

IP theft, sometimes known as economic or corporate espionage, has increased in recent years through the growth of electronic communications. You only need to think about the ease of buying new listening devices or bugging technology from high street gadget shops to realise that it is a real security issue. And all too often, the characteristic indicators of a problem are not identified until significant losses have been incurred. Organisations cannot afford to be unaware of these indicators.

Why do employees steal from their employers? Sometimes they are cajoled into giving away corporate secrets unknowingly. However, the following list highlights some of the more common reasons for revealing confidential IP to unauthorised third parties:

- personal profit
- sense of pride and ownership of a particular project or client
- to secure a job with a competitor
- extract revenge against former employers
- naively talking shop with colleagues at other companies
- going abroad with insecure laptops which contain proprietary information.


There are many examples. A successful information technology employee starts developing a product that builds upon his former company's IP technology.

An employee of a private medical firm threatens to put the medical data of patients on the web if her bonus is not paid. A successful salesperson leaves his long-time employer with a customer list, only to start using it to sell similar services in his new job. A disgruntled employee sells valuable confidential information to a competitor after being sacked.

The reality of this form of fraud or security breach is outlined in a recent study conducted by computer forensics firm IBAS, which stated that nearly 70% of business professionals have stolen some form of corporate IP from their employer when leaving a job.

Controls

Whatever your asset, protection from internal theft is extremely important if your organisation is to be successful, profitable and reputable. And senior management has a responsibility to protect an organisation's IP, just like any other corporate asset.

You first need to implement a security culture that is understood by both senior managers and employees. This can be achieved by good communication, awareness and discipline, and will give employees an appreciation and understanding if they are being targeted or blackmailed by criminal groups.

The following controls should be integrated to complement existing security measures to assist in protecting valuable information.

pre-employment screening The first and most important step in combating unethical activity and fraud is to avoid recruiting or promoting deceitful candidates. Screening programmes that verify the integrity, reliability, ethics and financial standing of a candidate are a necessity of 21st-century business life.

Recent money-laundering legislation, corporate governance and compliance regulations have made it increasingly important for commercial organisations to verify the integrity of the people they employ and those with whom they conduct business. Knowing your staff is as important as knowing your customer. For example, my own company has developed new online investigative software called proScreen: Integrity, that checks the integrity of new employees and their CVs.

ip awareness and employee training New employees can be a frequent source of leaks. One objective of training should be to familiarise employees with the concept of IP and its value, and to inform them of their obligations and the consequences of unauthorised transfer of confidential information.

agreements and contracts One of the most effective measures against IP theft is to implement a non-disclosure agreement for employees and external contractors to sign on employment and again on termination, stating categorically that they have not taken any corporate property with them. This is a significant deterrent against taking IP.

A non-competition agreement or contract on termination of employment will stop an employee from working at a competing company, usually for a set period of time. It will also prevent a former employee from soliciting his former customers.

employment termination If an employee resigns, is made redundant or sacked, make sure access to computer networks and databases, phone and e-mail accounts is stopped. This is especially important in cases of dismissal, when employees may seek revenge.

legal action If you need to go to court to stop someone using your IP, the court may well ask how you went about protecting it. Many businesses are powerless in a legal fight against the theft of IP because they had not taken the necessary precautions.

internal monitoring This should include monitoring information on the internet, chat rooms, trade boards and e-mail systems and filtering outbound and inbound traffic for specific client-owned phrases, such as passwords.

In some cases, companies have banned camera phones, PDAs and other hand-held devices because of their ability to make theft so easy.

Your IP is just as an important an asset as your employees, and both should be equally protected. An increase in security culture and awareness, together with a good understanding of the reasons for theft of IP, will assist in combating IP theft.

Neil Miller is a director at Commercial Security International Ltd (CSi), Tel: 020 7553 7960, E-mail: neil.miller@comsec-international.com