A Q&A with Tim Ryan of Kroll
The second in our ongoing series on IP theft, this Q&A with Tim Ryan of Kroll explores the current situation companies face vis-à-vis data security and intellectual property, and what they can do to better arm themselves against growing threats. A former FBI supervisor of the largest cyber squad in the United States, Ryan currently heads Kroll’s cyber practice, which handles incident response, breach investigations and risk assessment.
Can you explain the current situation of international IP theft in corporate America? What do companies need to know? Are there any misconceptions or myths that need to be addressed?
The problems we see fall into one of two main buckets. Companies are getting hacked externally by competitors looking for anything from product designs to marketing information or other data. The other threat is from insiders, contractors or employees who move on and take key data such as proprietary algorithms with them. Adding to the complexity of the situation is the fact that a lot of knowledge workers are foreign nationals residing here strictly for employment purposes, so all of the legal constraints against taking data, such as non-compete and nondisclosure agreements, may not apply to them. As we move toward a knowledge-based economy, this poses a real problem. The biggest myth out there is that this is an IT issue: the thief downloaded the information from an IT system, so that’s the department that will handle it. Sometimes vendors play into that myth by offering data loss prevention hardware or software with the promise that it will keep theft from happening, but we all know that’s just not true. The truth is that for both external and internal threats you need a comprehensive team approach.
Why is this happening? Why now?
This is just a measure of how our economy has changed. We are constantly looking for efficiency through technology, and we seamlessly share data across broad geographic areas in the blink of an eye. Those same systems, if not properly controlled, can allow access to that sensitive data. I also think it has something to do with the transient nature of our workplace. We no longer work at a single organization for twenty years. It’s often employees who are further down the food chain who are taking the info from job to job. People in the government know this practice is illegal, but in the private sector it can be more amorphous as to what data is proprietary. Often we will get a call from a company when they realize that they unwittingly have another company’s data.
How might a company go about protecting its IP data and systems?
You need to have an integrated team that can deal with a threat. From an external point of view, it’s about IT architecture, governance, response training and risk assessment. Sometimes companies won’t do anything about external hacking because the problem doesn’t escalate from the lower-level employees to the C-suite level. We find that there might be a conflict of interest, because IT employees feel it’s their job to prevent leaks, so when something happens they don’t want to ring alarm bells. But that’s where a small problem can become a big one.
When you’re talking about internal issues, you need a team with IT, legal, human resources and the chief security officer. Too often companies are surprised to find out that an employee is doing something wrong, so it starts in the very beginning, with hiring practices, vetting every individual with a background check. However, when someone is from a foreign country it can be difficult to access criminal records, so you look at the timeline, you look at their skills, you look at everything very closely. And once they are hired, you limit their access to data. In the FBI, employees are re-vetted every five years, and it should be the same for corporations. There also needs to be accountability. We recently investigated a case where an individual started with relatively minor infractions and then progressively got worse. The company documented what was happening but never did anything about it, and by the time he was fired he had done something really egregious.
There’s a bigger trend, especially in large defense corporations, to bring data security in-house, but if you go to medical facilities, financial trading firms and companies in the R&D space, they sometimes haven’t gone far enough, and that’s when they get hit. Any organization should think about security solutions, whether it’s hiring someone internally or buying an off-the-shelf product, because the threat is out there and it’s real.
Mr. Ryan stressed the importance of IP in this new knowledge-based economy, which makes security paramount for companies whose data is their lifeblood. The recent study by Mandiant, available in the eRisk Hub, underscores that this problem affects corporate America every day. Many businesses still don’t have an inventory of the IP they need to protect. Having that inventory in place is the precondition for protecting these assets strategically: you cannot restrict access to, monitor, or isolate data you have not identified. One question companies should then ask, for example, is whether every system that houses IP actually needs to be connected to the public internet.