Intellectual property (IP) has a value to a business that sometimes cannot be accurately measured, although it is recognised as a valuable asset. 

Considering this, it is surprising that there are still some organisations that do not protect their IP sufficiently from their own workforce.  It is common for a business to take very specific and controlled measures to protect itself and its IP from external threats, but not from the people who have unfettered access to business information.  While an organisation will generally and inherently trust its workforce, there are still some simple steps that a business can take to protect this valuable asset from those employees who breach that trust.

In protecting its IP, a business must balance the needs of employees to have access to the information with a need for the business to secure the information from theft.  The illicit copying of IP by employees leaving an organisation is still a very common problem faced by businesses today.  As some employees seek to increase their worth to other potential employers, the temptation to steal IP and use that to increase their overall worth sometimes proves too great.

Copying and removing large volumes of electronic information from an organisation is becoming easier as the overall general knowledge of computers among the workforce increases and access to extremely large storage devices has become commonplace.  Given that hundreds of millions of pages of documentation can be stored on a device small enough to fit into your top pocket it is easy to see why the protection of IP is so difficult.

It may seem futile to think that a business can protect its information from theft or unauthorised access, but this is not the case.  While it would be naïve to believe that any system cannot be compromised in some fashion, a business can make itself a much less tempting target from internal threats by adopting several preventative measures. 

The threat of internal theft of IP can be minimised by taking several precautions: 

• Implementing some form of document management system, at least for critical and highly valuable IP, which maintains an audit log of who has accessed what and when is important.  When investigating the suspected theft of IP, one of the most common problems is identifying enough information to confirm or allay the suspicion that information has been taken.  Having a system that retains an audit trail identifying who has access to documents and when can help to minimise this deficiency
• Educating employees about the risks and ramifications associated with the unauthorised removal of IP assists in preventing theft from occurring.  Ensuring that employees know exactly what is required of them and what will occur should they remove IP from the business is a key to prevention
• Implementing sufficient IT security policies with respect to the use of storage devices, such as thumb drives and external hard drives, by employees helps to control their usage.  Monitoring and controlling the use of external storage devices ensures the business can control who has permission to use the devices and what the devices can be used to store.  It is common for businesses to provide no control over the use of such devices and, as a result, an employee can effortlessly copy millions of pages of documentation without the business being aware of any such activity
• Implementing an email monitoring system that records who sent what email to where helps to control dissemination and assist in the investigation of IP theft.  A common method of removing IP from a business is removal via email.  IP can be attached to email messages and sent to external email addresses, thus removing the document from the control of the business.  Implementing a monitoring and control system ensures that copies of email messages are retained and logs of activity generated to support any review or investigation of suspected theft
• Implementing appropriate internet security measures is also important for prevention.  Related to email, there are many instances where an employee has circumvented the corporate email monitoring system by using a webmail application, such as Hotmail, to email sensitive documents out of the organisation.  Ensuring employees do not have access to webmail can prevent this from occurring
• Finally, adopting a process of review when employees at or above a certain level leave a business aids in prevention and the identification of issues.  Some businesses have implemented a process by which they review the computer systems and email accounts of all employees at or above a specific level when they leave the business.  Employees are made aware of this and are unlikely to take IP in the knowledge that their computer systems are going to be reviewed regardless.  In addition, if IP had been stolen, then the probability of identifying it is greatly increased.

Whilst the theft of IP is a real risk faced by businesses today, there are steps that an organisation can take to minimise this risk.  By taking steps to protect itself, an organisation ensures that one of its most valuable assets, IP, stays within the control of the business.

Mark Garnett is the leader of the Forensic Technology team in the Sydney office of boutique advisory firm McGrathNicol.