Rudy Diaz
Allied Universal Risk Advisory and Consulting Services
Vice President Investigations Practice | Global Services
I have spent the last 27 years helping companies protect their IP, brands, and reputation from those that would seek to unfairly, unethically, or illegally profit from their innovation. The last three decades have taken me from the streets of Guangzhou and the favelas of Sao Paolo to the center of Ciudad del Este, the tech parks in Hyderabad, and even the steps of the Kremlin. During that time, I have supported just about every vertical market you can imagine to include Tech, Automotive, Pharma, Foodstuffs, and Entertainment. It has brought me face to face with some of the most sophisticated and organized transnational criminal operations all focused on one thing: unauthorized knowledge transfer for illicit gain.
Yet, none of that compares to the risks and current threats that enterprises face internally, from within their own ranks, since the onset of the global pandemic of 2020. For the past 30 years, companies have focused on those traditional external threats that reverse-engineered the innovation of others, counterfeited their products, or compromised their channels to divert goods to a more favorable market. Little attention was paid to the slow but steady knowledge-transfer benefiting bad actors, competitors, or even nation states. This pandemic has forced companies to look inward to truly recognize the two sides of the same coin: an enterprise’s greatest asset is its employees, and they can also be its greatest threat.
In my current role here at Allied Universal® Risk Advisory and Consulting Services, I lead our Investigations Practice where I evangelize to our client base the virtues of business enablement by helping them maintain open market access and increase market penetration through a programmatic approach to protecting their innovation. I espouse the necessity of protecting “ideas” and collaboration through zero-trust architecture, content & design registrations, and processes for the validation and verification of the integrity of the aforementioned. I underscore the value of force multiplication through education and awareness of an enterprise’s employees, consumers, suppliers, distributors, and local authorities. Additionally, I buttress this with a global cadre of eclectic professionals who are experts at rooting out unfair and illicit competition in both developed economies and emerging markets. Our biggest differentiator is our global reach, which is guided by local knowledge. We offer both technology and our own innovative approach to hardening an enterprise’s intellectual property with relevant metrics that can define and consistently demonstrate value.
However, all of the activity in the diatribe above can be undone by one, well placed, disaffected employee or contractor with access and means to divert innovation from within.
Interestingly, in May of 2016 the Department of Defense issued a change to the National Industrial Security Operating Manual (NISPOM). What followed was a mad dash to comply with the new requirement as the Defense Counterintelligence and Security Agency (DCSA), known as the Defense Security Service at the time, was charged with enforcement. To be clear, this development was squarely focused on protecting the US Government’s intellectual property from a contractor’s organization as they recognized the growing concern of this unauthorized knowledge transfer.
I lived through that implementation, and what struck me at the time was how most viewed this as an exercise strictly focused on protecting classified information. Few were ready to extend this philosophy or process beyond the government requirements. But something kept gnawing at my conscience; if good ole Uncle Sam was concerned that internal employees or contractors had the potential to abscond with classified information, would the same risk hold true for the greater enterprise’s trade secrets and intellectual property?
In fact, during the five years leading up to that government requirement in 2016, I had seen a steady rise in disaffected employees diverting intellectual property from their cubicles and running off to competitors or, on several occasions, to a nation state. However, I saw a slow adoption across all industries recognizing the threat; that is, until the pandemic hit last year.
Overnight, the majority of the global workforce transitioned to working remotely. Armies of employees were provided the tools necessary to continue their productivity from home, which included laptops, comfortable chairs, and in some cases standing desks. But not much thought was given to how best to secure intellectual property.
Policy-based security controls work great in an environment that fosters compliance (within the confines of an enterprise). But what happens when an overwhelming number of employees now work from home but most collaborate using applications or tools that aren’t necessarily vetted by an enterprise’s security apparatus? Data Loss Prevention (DLP) tools have been around for some time; but their utility is limited when a good chunk of the workforce may not utilize a VPN.
What happens when teams are forced to collaborate and innovate off-line? The enterprise immediately assumes more risk, diminishing its ability to discern when data is exfiltrated, or the reverse, when corrupted data infiltrates for the purpose of passive collection. This lack of transparency created by the mobile work force has made it easier for disaffected employees to maliciously steal trade secrets and intellectual property.
As a new normal evolves from the effects of the pandemic, I suspect a number of employees will continue to work remotely, and most will do so ethically and operate within their respective standards of business conduct. However, the role of today’s security practitioner is “trust but verify” and, as such, embracing the elements of an effective Insider Threat Program is essential to mitigating threats from within.
To protect an enterprise’s intellectual property effectively, we can no longer continue to look externally; rather, we must look inward and implement a cross-functional program that identifies potential threats while still respecting the dignity and privacy of the employee and contractor populations who are essential to realizing the fruits of the enterprise’s innovation.
Disclaimer
The views and opinions expressed in this blog are those of the author(s) and do not necessarily reflect those of Allied Universal.