5 Minute Read

People Remain the Weakest Link in the IP Protection Chain. On seemingly regular basis, news reports remind us how remote cyber-attacks, insider theft of digital information, and other high-tech challenges threaten the intellectual property of companies both large and small. Because of the nature of these Information Age threats, it is deceptively easy to conclude that high-tech security systems, coupled with multi-layered security policies, represent the panacea for warding off industrial espionage threats. Internet firewalls, anti-virus software, computer passwords, and security cameras are all indeed necessary for IP protection. They are not, however, sufficient. The truth is, people, and not technology, continue to represent the weakest link in the IP protection chain. The most important component in a company’s IP protection strategy is its staff. An alert and competent staff is an integral component of a strategy to protect your company’s IP; conversely, an inattentive, poorly-trained staff can unwittingly enable the loss of massive quantities of invaluable intellectual property.

Factoring Staff into Your IP Protection Strategy

Companies must strike a reasonable balance between safeguarding their IP while at the same time optimizing their business for maximum efficiency and profitability. A necessary first step is identifying, and categorizing, what IP must be protected. Protecting everything may not be possible, but protecting that which must be protected generally is. Some intellectual property must be safeguarded at all costs (think: the recipe for Coca-Cola). Other IP is important, but its loss would be harmful but not catastrophic to the company (think: customer data or contracts). Where does that IP reside? Who requires access to that IP? What online, physical security, and security policy safeguards currently exist to protect that IP?These are the questions that a company must ask in determining the role its staff must play in safeguarding IP. As part of a comprehensive IP protection strategy, a company’s staff must: • adequately comprehend the threat environment • be adequately trained and proficient in IP protection policies and procedures • know how to recognize and respond to threat indicators and threat situations • be periodically tested and vetted • accept that protection of company IP is a critical core competency

The Importance of Enforcing the Rules: Chinese Industrial Espionage against Motorola

Recent history is replete with examples of how employees’ failure to implement, or properly practice, IP protection resulted in significant IP loss by victim firms. One of the most egregious examples of how staff failures contributed to a company’s loss of IP is the case of Hanjuan Jin, an ethnic Chinese who in 2007 was arrested, and later tried and convicted, for having committed industrial espionage against her former employer, Schaumberg, Illinois-based Motorola. Hanjuan Jin began working for Motorola as a software engineer in June, 1998. There is no evidence to suggest she sought that employment with the intent to commit espionage. However, in 2004 Jin – in violation of Motorola policy – took a “side job” with Lemko, a local competitor to Motorola. Jin began stealing proprietary data from Motorola to ingratiate herself with Lemko. Court documents reveal that what began as unethical behavior by an “opportunistic insider” evolved over the next three years into the large-scale theft of Motorola IP. In 2006, Jin took a one-year, unpaid medical leave of absence from Motorola during which she had access to her VPN, although Motorola policy forbade people on medical leave to perform work or access their network. She downloaded hundreds of documents over the course of her leave. In addition, she took multiple trips to China on Lemko business and to actively seek employment with a Sun Kaisens, a known Motorola competitor and did not disclose the activities of these trips to Motorola. On February 22, 2007, Jin purchased two one-way plane tickets to China. The next day, Jin re-established her employment with Motorola via human resources and her direct supervisor. At midnight on February 27, 2007, the day before she was detained by customs and ultimately arrested several days later, Jin went to her office at Motorola and downloaded and printed two large shopping bags full of documents. As she departed the building, the security guard on duty held the door for her.

How to Ensure Staff Success in Your IP Protection Strategy

The Motorola case study reveals multiple instances where the failure of Motorola staff to implement existing security policies contributed to the ability of Hanjuan Jin to carry out industrial espionage, undetected, for literally years. There are a number of steps companies can take to guard against suffering a similar fate.

Develop and Sustain a Security-Minded Work Culture

It is not enough to develop security policies if no one follows them. Especially overseas, employees may be reluctant to report anomalous or suspicious activities of behavior – especially if both the observer and the suspicious person are non-Americans, and the supervisor is American. “If-you-see-something, say-something” mentality must be deliberately cultivated – and compliance rewarded. Having and sustaining a security-minded workforce that understands and observes security policies requires ongoing effort and commitment.

Develop Adequate Security Policies

On paper, at least, Motorola had fairly extensive security policies and procedures. However, there were a number of steps Motorola did not undertake that might have deterred, or at least reduced, the theft of its IP by Hanjuan Jin and other Lemko employees. For example, Motorola could have disabled all USB ports on company computers, selectively enabled the USB ports with third party software, and/or monitored USB traffic with software. Another measure would have been an automated audit feature on Motorola’s network that would send an alert whenever an employee accessed and downloaded files outside the scope of their area of responsibility.

Implement Effective Security Training

Effective security training is needed for the workforce and for those responsible for ensuring the security of company IP, operations, and personnel. Security policies are only effective if they are actually understood, implemented and followed. Security camera footage from the night of February 26-27, 2007, showed Jin carrying two bags past security without being stopped. The footage shows Jin reentering the building, and then leaving again with her arms full of papers and binders through a door that the security officer held open for her. While an argument could be made that searching the bags of every employee entering and leaving Motorola’s facility during peak hours would have been impractical, one has to wonder why a security guard could not inspect the bags of an employee coming and going in the middle of the night, carrying several bulging bags.

Enforce the Security Policies You Already Have

The Jin case is full of examples of security (and administrative) policies not being followed. According to policy, Jin should not have had access to Motorola’s network during the year she would out on unpaid sick leave. Hanjuan Jin had access to MVP and Compass throughout her time at Motorola, including while on medical leave. Jin accessed the Motorola network remotely 40 times in 2006, including from a Lemko computer. Another fundamental protective measure for companies is to deactivate a user account when the user leaves his or her job. It is also recommended that a company reassess a user's access when the user changes roles within the company. A company's risk can also be lowered by regularly reviewing access lists and determining whether the access permissions are appropriate.

Know Your Employees

Periodic interviews with employees can help establish a baseline of behavior against which anomalous behavior can then be compared. Supervisors are a first line of defense when it comes to the insider threat. A properly-trained supervisor can spot an employee whose behavior is suspicious, or unusual. Even for a trained, professional spy, espionage is extremely stressful. For an untrained “opportunist insider” like Jin, that stress level is magnified. Committing espionage requires the perpetrator to conceal information and behavior – and lie. Jin’s inability to lie convincingly was what prompted an alert Customs officer to detain her before she could board a flight back to China – a one-way ticket she had purchased the week before.

Trust…But Verify

A company should trust its staff, and trust that its staff will know and comply with procedures. However, as the Jin case demonstrates, periodic verification of policy compliance is both prudent and necessary.   Cipher is an innovative boutique consultancy focused on providing strategy consulting services and intelligence technology solutions that help clients make smarter, faster decisions. Our consulting services include IP Protection, Operations Consulting, War Games & Scenario Planning, and CI and Counter-CI Training. Cipher’s Integrated IP Asset Protection Solution is a risk-based, coordinated approach to securing critical IP. Our experience has taught us that successful IP protection strategies are built on the solid foundation of a “Culture of Awareness” within your organization. Our security awareness and counter-intelligence training solutions sensitize employees to the threat, provide them with tools to successfully recognize potential threats, and teach them how—and to whom—those issues should be reported.