Protecting Your Electronic Intellectual Property

First, Define a Computer Use Policy for Your Firm

How can you best protect against IP theft—or simple misuse—by employees? Karl Epps explains that a solid first step is defining a computer use policy establishing approved policies and protocols for removable media, offsite storage, remote access, and laptops. Here’s an overview of common problem areas and software and policies that can help best address them.

As a forensic computer technologist and computer consultant, I have often dealt with the past tense when addressing computer-related crime.  I am asked by clients: How did? Why did?  and Who did?   However, the best practice is to take steps ahead of time to minimize or prevent the potential for certain types of computer-related crimes to occur. This is particularly true when dealing with the theft of intellectual property data stored in your company computers.

For this article, due to limitations on length, we will concentrate only on discussing measures to protect company data from misuse or theft by employees.

Protecting your data starts with having a Computer Use Policy for your firm or company.  It is very important that you define “acceptable behavior” for your computers and data stored within them.

For the purposes of this article, we will explore four general ways that someone could copy or “steal” data from your computers via:

1. Removable media (thumb drives, iPads, iPods, for example).
2. Offsite storage (like Dropbox or Carbonite).
3. Remote access (like LogMeIn or GoToMyPc).
4. Laptops.

One way to address removable media is to use drive-encryption/write-blocking technology.  Using a program such as Imation’s Defender or similar software can enable you to cut the risk involved with removable media.  With Defender, when a user utilizes a thumb drive, portable hard drive or CD/DVD to copy data, they will be asked to encrypt the media. Then, any data moved to the media is encrypted and a record is created.  This means that any file that is copied to the media is documented. 

The software also logs decryption.  Decryption must occur via the Internet through the same software from which it was encrypted.  So if the employee decrypts the data onto a specific computer, you will see the date, time and machine name of the computer that your data was copied to.  This technology also allows for control of passwords, so you can revoke the ability to decrypt the data entirely. 

Other devices like iPads/iPods/iPhones and OS-based devices like Droids cannot be encrypted; instead, they are write-blocked so data cannot be downloaded to these devices.  If the user declines to encrypt a drive, it is automatically write-blocked.  This does two things: first, it prevents the user from working around the software; the user cannot write anything from or to the device.  Second, if the device is infected with a virus or malware, write-blocking it prevents infection of your network.

Your data can also be stolen by someone copying it to a remote online site. The best option here is a blended solution.  First, prevent access to known specific sites like Facebook, MySpace, Dropbox, and Carbonite, which facilitate uploading of data.  This still leaves e-mail through which company data can be sent. E-mail can be monitored to create a record of the data sent through e-mail. A couple of good examples of monitoring software are Untangle and Guidance Software’s EnCase Enterprise. Approved remote access to company computers creates the potential for data theft. Many companies allow employees to use LogMeIn and GoToMyPc for remote access in the normal course of business. Through this remote access an employee may download data to another computer. This is very difficult to track. One way to monitor this activity is to limit remote access to specific computers on which monitoring software has been installed. This software provides you with the ability to watch or review what a user of this level does at your discretion. 

When an employee uses a company laptop, they can save data and walk out the door with it. Your risk includes not only the possibility of theft of the data by the employee. It also means if the laptop is lost, that another person could access proprietary company data. To control these issues, you can use whole disk encryption. To address the laptop being stolen, a product like Computrace will allow for remote wipe or physical recovery of the computer.

Once a policy is in place it is only as effective as the enforcement and monitoring techniques you use. The tools discussed in this article can be effective, but technology changes. Any such software needs to be kept up to date and monitored to be effective.

Karl Epps is certified in Computer Forensics with the EnCe certification. He has over 15 years of experience in computer systems and troubleshooting. He is a principal with Epps Forensic Consulting, PLLC, providing computer-related services through the firm’s Epps Tech division.