Insider threats are as diverse as the employees and contractors causing the security problems. We tend to think of an insider threat as someone who has accidentally or purposely loaded malware into the network, allowing outsiders the opportunity to spy or steal intellectual property.
The legal dust-up between fitness tracker companies Jawbone and Fitbit shows another, less discussed version of the insider threat – the deliberate theft of intellectual property from a company by employees who are leaving and moving on to a competitor or who plan to use the stolen data for personal advantage.
According to eWeek, this is what has been happening between Jawbone and Fitbit (and in full disclosure, I researched both companies extensively when searching for my own fitness tracker and chose a different brand). Jawbone is suing Fitbit and the lawsuit “charges that Fitbit employees were ‘systematically plundering’ confidential information by hiring the former Jawbone workers, who ‘improperly downloaded sensitive materials shortly before leaving,’ according to a May 27 report by The New York Times.”
If this were intellectual property theft coming from an outside country using insiders to do the dirty work, it would be a huge data security story. But as Mohan Koo, founder and CEO of Dtex Systems, told me in an email, the Jawbone versus Fitbit story is a good example of why organizations are finding it increasingly difficult to protect sensitive company resources and cutting-edge product information in the process. Koo went on to state:
“These allegations show that [intellectual property] theft has the potential to go far beyond a single disgruntled employee acting independently. If the allegations are accurate, this amounts to a concerted effort by Fitbit to lure privileged users into providing trade secrets on a regular basis. This reinforces the necessity of having an accurate picture of your threatscape. It's not just about securing individual employees—the pressure and persuasion that outside actors can impose must also play into an effective strategy for handling the insider threat.”
An Information Age article pointed out that insider-related losses run into the billions of dollars, and that insider threats remain such a problem because IT departments continue to struggle to come up with procedures to stop them:
“Old security models have no room for insider threats. As companies pour millions into preventing outside attackers from gaining entrance to their network, they operate under the assumption that those who are granted internal access in the first place are trustworthy.”
If Jawbone’s allegations are true, this is a very serious insider security threat, one that could have lasting and damaging consequences. We talk all the time about the need to rethink the way we approach security. This situation shows us that the time has come to rethink the way we approach insider threats. Admittedly, that’s going to be a very tough undertaking, because each threat is going to be as unique and individual as the employee responsible for the security breakdown.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba