
IP Theft: The Insider Threat



Vestige Digital Investigations, Senior Forensic Analyst

There is always the fear that somehow insider information is leaked to the outside world. With large increases in intellectual property (IP) theft and data breaches making the news, this is a natural concern. However, it may be easy to think that the threat is only on the outside, just an anonymous attacker that is trying to steal data for profit. While building up a stellar defense to prevent such breaches is good practice, there is another, potentially more dangerous threat that may fly under the radar. That threat of data theft is the insider.

The Insider Threat

What is an insider threat? An insider threat is defined as a threat to a company or organization that originates from various people, typically employees, within the organization.

So what exactly makes an insider more dangerous than an outsider? First and foremost, an insider may have knowledge of the vulnerabilities in a company’s infrastructure. If detection measures are known, they become much easier to avoid.

Further, an insider is typically expected to be inside the network for their work. There is nothing suspicious about an employee being on the network and accessing sensitive data while completing daily tasks if that is what they were hired to do in the first place. In stride with this, an insider will typically be trusted by peers and supervisors. Any nefarious action they commit may go unnoticed simply because they are trusted.

Finally, an insider has the ability to do much greater damage to the company and remain hidden for a longer period of time. That is the nature, and main advantage, of the insider threat.

At Vestige, we run into IP theft cases quite often. Over the course of case work, we have seen commonalities between IP theft cases where an insider was involved. A particular scenario that seems to repeat indefinitely is that a user copies IP to a flash drive and leaves for a competing company, utilizing the IP for career advancement elsewhere. This is the oldest trick in the book in terms of insider IP theft. Another example is a user attaching files to an email and sending it to a personal account. Yet another tactic we see in insider threat cases is a user setting up a personal Dropbox account on the work computer, uploading data, and then downloading it to a personal desktop at home.

Concerned about the Insider Threat? Get the Expert, Find the Evidence, and Introduce Protective Measures

Typical artifacts that get left behind on a suspect’s computer during internal IP theft are surprisingly numerous. A main artifact, and potentially most telling, is evidence of a USB device connection. Evidence of USB connections around timeframes of interest could be a quick indicator as to whether or not IP theft is a possibility. Many IP theft cases involve documents being copied to external USB devices.

Another major artifact is Internet history. Evidence of relevant Google searches, cloud storage site visits, file access information, and more can piece together a timeline of activity that may suggest an insider threat. These, in addition to many other artifacts, can reveal the what, when, and how of an IP theft involving an insider threat. However, these artifacts may not be interpreted or correlated correctly by the average user. It is for this reason that getting an Expert involved is so imperative. The Expert will be able to analyze and report on the significance of the above artifacts and provide opinions as to what happened on the system.
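The correlation described above can be sketched in a few lines. This is an added example, not Vestige's tooling: the records, dates, file names and the `CLOUD_HOSTS` list are constructed for illustration, and the 30-minute window is an assumption an examiner would tune per case.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
CLOUD_HOSTS = ("dropbox.com",)  # assumption: hosts treated as cloud storage

# Constructed sample records; in a real examination these would come from
# parsed USB connection artifacts, browser history and file access records.
EVENTS = [
    ("2024-03-01 09:02", "file_access", "Q1_forecast.xlsx"),
    ("2024-03-14 16:31", "usb_connect", "USB flash drive, serial SAMPLE0001"),
    ("2024-03-14 16:33", "file_access", "customer_list.xlsx"),
    ("2024-03-14 16:35", "file_access", "pricing_model.xlsx"),
    ("2024-03-14 16:58", "web", "https://www.dropbox.com/home"),
    ("2024-03-15 08:10", "web", "https://intranet.example/timesheet"),
    ("2024-03-20 11:00", "usb_connect", "USB flash drive, serial SAMPLE0002"),
]

def build_timeline(events):
    """Merge records from all artifact sources into one time-ordered list."""
    return sorted((datetime.strptime(ts, FMT), kind, detail)
                  for ts, kind, detail in events)

def is_relevant(kind, detail):
    """File access always counts; web visits only when they hit cloud storage."""
    return kind == "file_access" or (
        kind == "web" and any(h in detail for h in CLOUD_HOSTS))

def correlate(events, start, end, window_minutes=30):
    """For each USB connection inside [start, end], list relevant activity
    within window_minutes before or after the connection."""
    timeline = build_timeline(events)
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    window = timedelta(minutes=window_minutes)
    findings = []
    for when, kind, detail in timeline:
        if kind != "usb_connect" or not lo <= when <= hi:
            continue
        nearby = [(t, k, d) for t, k, d in timeline
                  if is_relevant(k, d) and abs(t - when) <= window]
        findings.append({"usb": detail, "connected": when, "nearby": nearby})
    return findings

if __name__ == "__main__":
    # Timeframe of interest, e.g. the weeks before a departure (assumed dates).
    for f in correlate(EVENTS, "2024-03-08 00:00", "2024-03-22 23:59"):
        print(f["connected"], f["usb"])
        for t, k, d in f["nearby"]:
            print("   ", t, k, d)
```

A USB connection with no nearby file or cloud activity, like the second one in the sample, still appears in the output with an empty list, so the examiner sees every connection in the timeframe rather than only the ones that clustered.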

Preventing intellectual property theft from an insider threat may seem difficult. After all, a CEO must trust the employees or the ship would sink. The question then becomes: how can a company trust its employees yet still protect itself from insider threats? A first step would be to limit access to folders containing documents of concern. If any employee can access everything under the sun, the infrastructure is inherently less secure. Another measure is to block the connection of USB devices to work computers. If users cannot connect personal USB devices without special privileges or assistance, this opportunity to quietly move files out of the company is lost. Finally, blocking access to cloud storage sites unless necessary for daily tasks would prevent movement of files to personal Dropbox accounts or other cloud sites.


Insider threats are indeed difficult to detect. Sometimes, these threats are discovered too late, when a competing company is already utilizing stolen IP. However, knowing the facts of insider threats will assist in mitigating this risk. If IP theft is suspected, hiring a Forensics Expert to perform an investigation is the ideal way to build a case that will stand in court. Learn more about the non-compete and IP theft cases Vestige has been involved with and contact Vestige LTD to learn more about our data breach services.

By Ian Finch, GCFA, Forensic Analyst at Vestige Digital Investigations