The IP Theft Puzzle, Part IV: Ambitious Insiders

In this last post in the series, I’d like to look at another type of insider. I’ve already written about the Entitled Independents. They fit our common perception of insiders: the disgruntled employee who doesn’t receive, say, an expected bonus and then erases millions of your business’s CRM records.

These insiders are solo acts. However, that’s not always the case with IP theft.

Take Me to Your Leader

The CMU CERT team discovered another insider variant when analyzing the theft incidents in their database. Referred to as the Ambitious Leader, this insider intends to take the IP, along with a few employees, to another company: either one he will start himself or a competing firm where he’ll lead a team.

The Leader will typically recruit others to help him gather the IP and then reward his helpers with jobs at the new company. These underlings are not disgruntled employees; rather, they have been swayed by a charismatic leader who promises them fame, free cafeteria food, and a cube with a view.

In pop culture, the disgruntled employee has been represented by Office Space-like characters. But for the Ambitious Leader, we’re now looking at white-collar professionals — attorneys, agents, financial traders, and, yes, high-powered tech types.

Does anyone remember early tech history and the Traitorous Eight? They were a group of young scientists and engineers working for the brilliant but notoriously difficult William Shockley, who was trying to commercialize the transistor. With all the IP embedded in their neurons, they left him to found the legendary Fairchild Semiconductor. And the rest is history.

This pattern of Silicon Valley superstar employees leaving to start new companies is still playing out to this day.

Easier to Spot

With higher-level professional employees, you especially need non-disclosure and IP agreements in place. You don’t need to be told that, right?

As we pointed out in previous posts, these IP agreements, along with clear employee communications about data security and employee monitoring, can act as a deterrent. In theory, when potential insider thieves see that the company takes its IP seriously, they back down.

But among the Entitled Independents, close to half took no precautions to hide their activities. Since they felt the IP was theirs, these maverick insiders simply grabbed it. Of course, that kind of spontaneous, unplanned theft is harder to detect: there is no rehearsal to catch.

While they didn’t have many data points, the CMU CERT researchers noticed that the IP agreements did have an effect on the Ambitious Leaders: they made them more likely to use deception!

Their deceptions, in turn, produced more observable indicators. The Leader, for example, might plan the theft by scoping out the relevant folders, then move or copy files in bits and pieces during off-hours. It’s reasonable to assume they would rather not get caught early, before they have a head start on their venture and, perhaps, the resources to fight any legal challenge over the IP.

CMU CERT also noticed that when the IP was segregated among different access groups, the Leader was forced to recruit additional members. Makes sense: the Leader can’t do it all and so needs help from new gang members who have the appropriate access rights.


These Ambitious Leaders show all the signs of the CEOs they are in the process of becoming: planning, recruiting personnel for their project, and complex execution. Their activities are far easier to detect when appropriate monitoring tools are in place. In several cases, CMU CERT noticed “large downloads of information outside the patterns of normal behavior” by employees directed by a Leader who had sometimes already left the company.

Where does this leave us?

I’ve been keeping score on these different insiders, and here’s my list on the types of employees you’re most likely to catch:

  • Of the Entitled Independents: those who didn’t create the IP directly and therefore will likely exhibit precursors, such as entering directories they normally don’t visit or other rehearsal behaviors.
  • Of the Ambitious Leaders: those who need to recruit several employees with access to the IP. Precursors could include unusual bursts of email and file copies between the recruits and their pack leader.
  • Any insider who exhibits both technical and behavioral precursors. If they keep their eyes and ears open, IT security, with help from HR, can connect the dots between problems at work (abusive behavior, unexplained absences) and system activities.
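To make these precursors concrete, here is an added example, not code from the original post and not Varonis software, that runs a small detector over a constructed file-access audit log. It baselines which directories each user normally touches and how many bytes a day they move, then flags the behaviors described above: entering a directory outside one’s baseline, bursts of off-hours copies, download volumes outside normal patterns, and several users newly converging on the same IP folder, which is the signature of a Leader’s recruits. The record format, user names, paths, cutoff date and thresholds are all assumptions made up for illustration.

```python
"""Added example, not code from the original post and not Varonis software:
a small precursor detector run over a constructed file-access audit log.
Everything concrete here is an assumption made up for illustration: the
record format (timestamp user action path bytes), the users and paths,
the baseline cutoff date and the alert thresholds.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data). Records before CUTOFF are
# baseline activity. Afterwards bob and carol start copying firmware IP they
# never touched before, at night, at volumes far above their usual rate;
# alice keeps working on the firmware she always worked on.
SAMPLE_LOG = """\
2024-03-01T10:15:00 alice read /eng/firmware/build.md 2048
2024-03-01T11:02:00 alice read /eng/firmware/boot.c 4096
2024-03-02T09:30:00 alice read /eng/firmware/boot.c 4096
2024-03-03T14:10:00 alice read /eng/firmware/release.txt 1024
2024-03-01T10:00:00 bob read /sales/pipeline.xlsx 8192
2024-03-02T10:05:00 bob read /sales/pipeline.xlsx 8192
2024-03-03T10:07:00 bob read /sales/forecast.xlsx 8192
2024-03-01T09:00:00 carol read /legal/contracts/acme.pdf 3000
2024-03-02T09:00:00 carol read /legal/contracts/beta.pdf 3000
2024-03-03T09:00:00 carol read /legal/contracts/gamma.pdf 3000
2024-03-10T22:15:00 bob copy /eng/firmware/boot.c 4096
2024-03-10T22:18:00 bob copy /eng/firmware/crypto.c 40960
2024-03-10T22:21:00 bob copy /eng/firmware/secure_boot.c 61440
2024-03-10T23:05:00 carol copy /eng/firmware/keys.bin 65536
2024-03-11T01:40:00 carol copy /eng/firmware/signing_tool.py 20480
2024-03-10T10:00:00 alice read /eng/firmware/boot.c 4096
2024-03-11T10:30:00 alice read /eng/firmware/boot.c 4096
"""
CUTOFF = datetime(2024, 3, 5)


def parse_log(text):
    """Parse whitespace-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        ts, user, action, path, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "path": path, "bytes": int(size)})
    return records


def top_dir(path, depth=2):
    """'/eng/firmware/boot.c' -> '/eng/firmware': the unit we baseline on."""
    return "/" + "/".join(path.strip("/").split("/")[:-1][:depth])


def daily_bytes(records):
    """Mean bytes per active day, per user."""
    total, days = defaultdict(int), defaultdict(set)
    for r in records:
        total[r["user"]] += r["bytes"]
        days[r["user"]].add(r["ts"].date())
    return {u: total[u] / len(days[u]) for u in total}


def find_precursors(records, cutoff, night=(20, 7), burst=3, factor=5, crew=2):
    """Return sorted (indicator, subject, detail) tuples for four precursors:
    new_directory, offhours_copy_burst, volume_anomaly, coordinated_access."""
    baseline = [r for r in records if r["ts"] < cutoff]
    window = [r for r in records if r["ts"] >= cutoff]
    seen_dirs = defaultdict(set)               # user -> dirs used in baseline
    for r in baseline:
        seen_dirs[r["user"]].add(top_dir(r["path"]))
    new_dirs = defaultdict(set)                # dir -> users new to it
    night_copies = defaultdict(int)            # user -> off-hours copy count
    for r in window:
        u, d, h = r["user"], top_dir(r["path"]), r["ts"].hour
        if d not in seen_dirs[u]:
            new_dirs[d].add(u)
        if r["action"] in ("copy", "download") and (h >= night[0] or h < night[1]):
            night_copies[u] += 1
    alerts = set()
    for d, users in new_dirs.items():
        for u in users:
            alerts.add(("new_directory", u, d))
        if len(users) >= crew:                 # several people converge on one folder
            alerts.add(("coordinated_access", d, ",".join(sorted(users))))
    for u, n in night_copies.items():
        if n >= burst:
            alerts.add(("offhours_copy_burst", u, n))
    base_rate, win_rate = daily_bytes(baseline), daily_bytes(window)
    for u, rate in win_rate.items():
        base = base_rate.get(u, 0)             # no baseline: any volume is anomalous
        if rate > 0 and rate >= factor * base:
            alerts.add(("volume_anomaly", u, round(rate / max(base, 1), 1)))
    return sorted(alerts, key=str)


def run_sample():
    """Run the detector over the constructed log."""
    return find_precursors(parse_log(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    for indicator, subject, detail in run_sample():
        print(f"{indicator:20} {subject:15} {detail}")
```

Run it and the three users sort themselves out: alice, who stays inside her baseline, raises nothing; bob trips the off-hours burst, new-directory and volume indicators; carol, whose two night copies fall under the burst threshold, is still caught by the new-directory and volume checks, and the pair together trigger the coordinated-access indicator on /eng/firmware. In a real deployment the baseline would be weeks of events rather than three days, and the thresholds would be tuned per role; the point is that each precursor alone is noisy, while several firing on the same people and the same folder is the pattern worth a phone call to HR.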

No, you won’t be able to completely prevent insider IP theft: they are your employees and they know where the goodies are. But what you can do is reduce the risk.

In my original insider threat series (reread it now!) I concluded with a few tips to help reduce the risk. It’s worth repeating the key ones: enforce least-privilege access and separation of duties, require strong passwords, and tighten security ahead of employee exits and terminations.

Finally, companies should inventory their IP resources (code, contracts, customer lists) on their file systems and make sure granular logging and auditing are in place on those locations.

In the worst case, the logs can be used forensically later to prove that theft happened. But with the right software, it’s still possible to spot insider activity close to when it occurs.

Don’t make it too easy for that ambitious executive! Find out with Varonis DatAlert who’s looking at your IP.
