Insider Theft of Intellectual Property

CSIA 303 Foundations of Information System Security

Introduction

Advances in technology and social media networking have provided even the smallest of businesses with the opportunity to extend their business borders and create a more diverse customer base. While a great asset for the company, this increased visibility is accompanied by increased risk and vulnerabilities as it pertains to preserving the company’s mission, purpose, and goals. In enabling the ability to conduct business online by collecting personal information through a network, accepting online payments, and implementing a password-protected portal, small businesses open themselves to previously unknown risks and can suffer great loss at the hands of a malicious individual. Such a breach causes loss not only in the realms of finances and privacy, but also in the sense of the company’s reputation and reliability. This loss is even greater when it happens because of someone on the inside. Fortunately, systems exist that can aid in the protection of confidentiality, integrity, and availability while protecting against risk.

Security Threats and Vulnerabilities

According to Egan (2004), the most common security threats and attacks that occur within a network come in the form of a worm, Trojan, or virus. Each presents its own set of dangers, and all three have the ability to infiltrate an entire system and shut down a business in a relatively short period of time if they go undetected. Having an information security system in place that not only identifies the risk but eliminates it is key. In addition, the following elements must be addressed in order to provide the highest quality of service to customers:

Confidentiality – When collecting sensitive data, whether it be from customers or employees, it is the responsibility of the company to protect that information from being placed into the hands of a malicious individual. It is the company’s responsibility to protect the consumer’s/employee’s privacy.

Integrity – Refers to maintaining the consistency, accuracy and trustworthiness of data over time (Fitzgerald, 2012). It is imperative that data be protected by an authorization code/password given only to a select few individuals.

Availability – Ensuring that the company’s network is running at all times, providing customers and employees with efficient service while protecting against malware.

Non-repudiation – A unique and personalized data signature that denies an individual the capability of saying that they did not perform a specific action (McCullagh & Caelli, 2000).

Authentication – Service that provides proof that a particular individual performed a specific action.

Authorization – Determines who has access to what according to role, title, job responsibilities, etc.

Risk – The function of the likelihood that a threat will occur (Elky, 2006).

A well thought out and effectively implemented information security program can assist in addressing the key elements listed above while also protecting against malware.

Recommended Technologies

Insider theft of intellectual property is a loss many companies may experience at one point or another. One of the major reasons that this theft occurs is the lack of policy surrounding appropriate interactions on the company networks as well as poorly defined consequences that will result from engaging in particular actions (Fitzgerald, 2012). There are two very effective ways to combat this:

Issue-specific policies. The greatest way that companies can safeguard their assets against insider theft is to create issue-specific policies that address the ways in which employees communicate as well as access authorizations, sharing restrictions, and external storage devices that are allowed on the system.

Automated risk assessments. Another way in which companies can safeguard against insider theft is through software that identifies, assesses, monitors, and eliminates system attacks and threats. This type of software is available to small businesses at an affordable rate and provides vast protection.

In addition to the above, NISTIR 7621 (NIST, 2009) suggests installing commercial spyware and virus scans onto network computers and having them run automatically on a consistent basis both to assess risk and search for updates. Additionally, employee home systems and laptops should be secured with firewalls in order to ensure security of information outside of the office.

Impact

By implementing issue-specific policies and automated risk assessments, small businesses safeguard their ideas, customer base, and future inventions. Billions of dollars are lost and company information is compromised annually as a result of insider theft (Cappelli, Moore, & Trzeciak, 2012). By planning ahead and anticipating the risks involved with conducting business through technology, small businesses can save themselves from great loss and potential extinction.

References

Cappelli, D.M., Moore, A.P., & Trzeciak, R.F. (2012). The CERT guide to insider threats: Insider theft of intellectual property. Pearson Education, Inc.: Upper Saddle River, NJ.

Egan, M. (2004). Executive guide to information security: Threats, challenges, and solutions. Pearson Education, Inc.: Upper Saddle River, NJ.

Elky, S. (2006). An introduction to information system risk management. Retrieved from: https://learn.umuc.edu/d2l/le/content/27177/viewContent/1532342/View 

Fitzgerald, T. (2012). Information security governance simplified: From the boardroom to the keyboard. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47187.

McCullagh, A., & Caelli, W. (2000). Non-repudiation in the digital environment. Risky Monday. 5(8). Retrieved from: http://pear.accc.uic.edu/ojs/index.php/fm/article/view/778/687

National Institute of Standards and Technology. (2009). Small business information security: The fundamentals (NISTIR 7621). Gaithersburg, MD: Department of Commerce.