A few posts back, I revealed my eight predictions for 2021. Since then, I’ve dived into the details of the first five:
- Ransomware victims will face penalties.
- Your digital reputation will come under attack.
- Zerologon will continue to cause pain for IT pros.
- People will remember the hard way that they have Group Policy.
- A rebound in M&As will make more people realize just how hard a tenant-to-tenant migration is.
Today, it’s time to cover #6: Transitional and project-based employees will increase the risk to intellectual property (IP).
IP risk case study: The Krusty Krab
Ever watch SpongeBob SquarePants?[1] SpongeBob works at the Krusty Krab restaurant, home of the Krabby Patty. Since the Krabby Patty is one of the most successful foods in all of Bikini Bottom, rival restaurateur Plankton is desperate to steal the secret recipe. Over the course of the series, he invents a truly astonishing number of schemes to get his hands on it, involving everything from robots to elaborate disguises to sci-fi tech like lasers and teleporters.
But here’s the thing: Nearly all of the stratagems boil down to two basic tactics:[2]
- Trying to break into the safe (or, in one case, the buried time capsule) that holds the recipe
- Trying to trick or bribe an employee to reveal the prized formula
Do those techniques sound at all familiar to you as an IT pro? To me, they are analogous to the two best-known types of cyberattacks aimed at stealing IP and other sensitive data:
- External hackers attempting to break into your network
- Schemes designed to gain control over an insider account, like phishing and credential theft
Pivoting to the real world
Of course, we don’t live in a cartoon. In the real world, the analogy breaks down in several very important ways.
First of all, intellectual property today is by no means limited to a few closely guarded trade secrets like proprietary recipes and patents. Today, IP takes a wide variety of forms, from strategic plans to competitive research to proprietary designs to computer code. For instance, both Apple and Tesla have recently accused former employees of stealing source code for self-driving vehicles.
Second, IP — like most other information — is now stored primarily in digital form, rather than on a slip of paper in a bottle inside a physical safe. Moreover, there’s no single digital vault — critical data is spread across multiple databases, code repositories, collaboration platforms, messaging systems, and even in the memory of devices like printers and copiers. What’s worse, your IT team might not necessarily manage (or even know about) every system that hosts your IP; modern applications are so easy to deploy that shadow IT has become commonplace.
Third, IP used to be known to only a select few people. For instance, back in 2010, just seven people apparently knew how Thomas’ English muffins get their trademarked “nooks and crannies” — a fact that became publicized when an executive downloaded that IP and was then enjoined by a lawsuit from taking a job at rival company Hostess. Today, most IP simply cannot be held that closely; it is necessarily developed, massaged and accessed by multiple people outside of the C-suite, including marketing teams, software developers and other technical experts, and product managers.
2021 will bring one IP risk to the forefront
In 2021, with the global economic downturn and business uncertainties caused by the pandemic, protecting your IP will become more vital than ever. Indeed, avoiding an IP leak could easily mean the difference between the survival and the collapse of your business.
I predict that in the coming year, one threat will become particularly urgent: the IP risk posed by short-term users in your IT environment. There are several business realities behind this prediction. As organizations seek to stay lean and adaptive, they will hire people only when needed and rely more on short-term employees, contractors and vendors. That means more users in your IT environment who have reduced corporate loyalty, less concern about an individual’s role in cybersecurity, and less training to help them recognize attacks like phishing and dangerous practices like copying sensitive data to laptops or inserting USB devices into network-connected devices.
At the same time, IT teams, who are perennially understaffed anyway, are still struggling to facilitate productivity for remote teams. When the pandemic hit, they had to quickly deploy new cloud applications and migrate users and data, and now they are quite busy trying to remediate security and other gaps that were left in the wake of those rushed efforts. As a result, there are more chances for IT teams to make mistakes or take shortcuts. For example, with so many users joining and leaving the organization, they are more likely to over-provision users to get them working, and fail to promptly de-provision them when their contracts end.
Finally, many of your regular full-time employees are still working from home, where boundaries can seem quite a bit fuzzier. They are communicating and collaborating through unfamiliar platforms and applications, like SharePoint Online and Microsoft Teams, instead of face-to-face where visual clues like different badge colors often make it obvious who’s a contractor and who’s not. Therefore, they might not be paying as close attention as they should to exactly who has access to the data they are sharing. Indeed, the trend in modern applications has been to decentralize control, so business users are able to easily create their own sites and teams. They might not have either the training or the mindset to focus on IP security when they are focused on getting their work done, so they might not think twice about including temporary workers in their chats, distribution lists, teams and so on.
Reducing your IP risk in 2021
While the bad news is that the coming year will bring more opportunities for your critical intellectual property to leave the organization, I bear good news as well: The key to reducing your IP risk is adhering to the same IT best practices you’ve heard about for years. You simply need to up your game to the next level. After all, attackers today are not nearly as inept as Plankton, and there aren’t any writers behind the scenes guaranteeing a happy ending for your business.
In particular, you need to:
- Rigorously enforce least privilege — This includes not just ensuring accurate provisioning, having deep insight into effective permissions and streamlining the attestation process, but cleaning up group sprawl and controlling external sharing in Office 365.
- Pay close attention to Microsoft Teams — Teams is a powerful collaboration platform that is exploding in popularity, which makes it an important vector for IP leakage. In particular, make sure you understand how guest users can be added to teams and what they can do once they’re in. You can reference much more on guest access in Teams here.
- Control sharing of data in SharePoint — SharePoint is also a powerful channel for transfer of information. The files stored on a SharePoint site are usually available to everyone with permissions to the site, and users can share specific files, or even an entire site, with others as well. Pay special attention to the settings that control external sharing and the use of anonymous or “Anyone” links.
- Closely audit changes and other activity — No matter how carefully you configure your environment, you still need to keep a close eye on what’s happening day in and day out. Be on the lookout for activity that could jeopardize the security of your IP, including changes to Active Directory objects (including Group Policy settings) and unusual behavior by users. Ideally, you want to get real-time alerts, be able to conduct quick and thorough investigations, and be able to lock down critical objects so they can’t be changed in the first place.
- Simplify and automate IT tasks — Get your IT teams out of fire-fighting mode so they can be proactive about protecting your IP. Make critical but routine processes like backup and recovery, reporting, and Active Directory management as simple and foolproof as possible through automation.
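As an added example (not part of the original post), here is a small access review over a constructed account export. It flags short-term accounts that are still enabled after their contract ended, have no expiry set at all, or belong to a group that guards IP. The column names, the account types and the `Recipe-Owners` group are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data); the column layout is an assumption.
SAMPLE_EXPORT = """\
account,user_type,enabled,contract_end,groups
alice,employee,true,,Recipe-Owners;All-Staff
bob.ext,contractor,true,2021-01-15,Project-X
carol.ext,contractor,true,2021-06-30,Recipe-Owners;Project-X
dave.guest,guest,true,,Project-X
erin.ext,contractor,false,2021-01-10,Recipe-Owners
"""

SHORT_TERM_TYPES = {"contractor", "guest", "vendor"}
SENSITIVE_GROUPS = {"Recipe-Owners"}  # hypothetical group guarding IP


def review_short_term_access(export_text, today, sensitive=SENSITIVE_GROUPS):
    """Return sorted (account, finding) pairs for enabled short-term users."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user_type"].strip().lower() not in SHORT_TERM_TYPES:
            continue  # regular employees are reviewed elsewhere
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this check
        end = row["contract_end"].strip()
        if not end:
            # A short-term account with no end date will never age out.
            findings.append((row["account"], "no-expiry-set"))
        elif date.fromisoformat(end) < today:
            findings.append((row["account"], "enabled-after-contract-end"))
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        for group in sorted(groups & sensitive):
            findings.append((row["account"], "member-of-sensitive-group:" + group))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in review_short_term_access(SAMPLE_EXPORT, date(2021, 2, 1)):
        print(f"{account}: {finding}")
```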
Stay tuned…
Hard to believe, but my next post will be the penultimate one in this series! I’ll be discussing why Microsoft 365 multi-geo configurations will send multi-nationals down the rabbit hole. (Even if your organization isn’t multi-national, I promise there will be valuable information for you, too!)
[1] Full disclosure: I’ve watched a few episodes, but I’m certainly no expert. However, I consulted with an avid fan, who assures me that my claims here are accurate!
[2] Granted, Plankton also spends a good deal of time trying to steal an actual Krabby Patty so he can analyze the ingredients, but that’s reverse-engineering, not IP theft.