The pandemic has pushed the corporate workforce to remote locations, which has resulted in increased risk to corporate data. As corporations rise to the challenge of responding to this risk, compliance officers, CISOs, and leaders should look to revamp disjointed and siloed approaches to protecting corporate data. The past few years have seen a notable expansion of trade secret laws resulting from a new federal trade secret act in the U.S., the passage of stricter trade secret regimes in Asia, and the harmonization of trade secret protection in Europe with the EU trade secret directive. With these new laws has come a noticeable uptick in trade secret civil and criminal cases. Like traditional compliance risks, theft or loss of information can lead to loss of valuable R&D, business disruption, loss of competitive advantage, reputational damage, and – if an employee improperly uses a third party’s trade secrets – costly civil or criminal litigation. While ransomware, hacking, and phishing schemes often get the most news coverage, insider theft represents the vast majority of data loss.

The Importance of a Cross-Functional Team Approach 

In our view, a Chief Information Security Officer cannot – on her own – sufficiently mitigate the risks posed by insider threats. The task of building and maintaining a robust information security system to mitigate against internal theft requires cross-functional input, execution, and maintenance. While the critical work of protecting infrastructure and equipment is led by the Info Security team, IT, Human Resources, Legal, and other functional groups have a role to play in successfully protecting the company’s resources. This is especially true as it relates to insider threats, where a company’s own employees or trusted partners steal, lose, or divulge the company’s information.

For example, Human Resources needs to be involved in the training, education, hiring, on-boarding, and off-boarding procedures. R&D and business leaders need to make crucial decisions about designation and access to confidential information. They should also be integrally involved in the design of information security systems and the execution of processes that build the systems. Legal needs to be involved in the drafting and execution of confidentiality agreements, supplier agreements, NDAs, as well as incident management, investigations, and pursuing potential legal remedies if and when theft occurs.

There also needs to be communication between and amongst these groups. For example, Human Resources may work with IT on credential management to disable access for departing employees or alert Legal if an employee with access to valuable information resigns to work for a competitor. IT can advise if company devices are outstanding so that Legal can trigger an investigation, decide to preserve the employee’s devices, or send a letter to the new employer, alerting them of the employee’s ongoing confidentiality obligations. However, in many companies, these functional groups have not historically worked together to develop a cohesive, strategic, and tailored approach to data security. Instead, each group addresses areas of the problem that fall within its silo, leading to inefficient and sometimes counterproductive outcomes. Additionally, some functional groups outside of Legal, such as Human Resources, are not trained on the critical role they play in data security, such as ensuring the prompt collection of a departing employee’s laptop, leading to data leakage or theft.

Companies have started to coalesce these different functional groups under a unified leadership structure. The implementations and reporting structures vary, from task forces to steering committees, to “trade secret leadership.” But the goal is the same: to align the functional groups to one unified and smart approach for protecting company assets and preventing employees from using or uploading confidential information belonging to a former employer. This “reverse threat” of a current employee bringing confidential information from a former employer into the business environment is a real risk. That’s because corporations are typically the “deep pocket” on the wrong side of a trade secret theft lawsuit. A cross-functional, unified approach to protecting corporate information will be viewed as a best practice.

Building an Operational Strategy

Companies spend significant amounts of money developing confidential and proprietary data and must implement security measures to protect the data from theft or loss. While many corporations focus on information security to protect against outside cyberattacks, most data theft occurs from insiders. Because employees need access to corporate data to do their jobs, a company must consider which additional data security measures are necessary to allow employees to work. At the same time, there is an obligation to protect trade secret data, including, for example, tracking if confidential or proprietary data leaves the system. This is not just a best practice; it is required. Trade secret regimes worldwide require a company to demonstrate that it took “reasonable measures” to protect its data before it can claim trade secret protection over its information. While “reasonable measures” is not a well-defined term, courts are looking at the overall robustness of an organization’s approach to data security to determine whether a trade secret right has been established.

To address this threat and ensure that reasonable measures are in place, we recommend a cross-functional team to develop an operational strategy. This high-level operational plan allows the team to identify risk and reach consensus on priorities, strategic response, implementation, responsibilities, and accountability. Building consensus around a well-thought-out approach – including identifying data protection strategies designed to protect data from insider threats and allocating resources – is a key step toward effective trade secret protection.

Further, a company’s ability to respond to data theft – and minimize what can be catastrophic and costly consequences – depends on the implementation of measures to detect, investigate, and contain any such theft long before it occurs. The operational plan should address data theft response so that a company is well-positioned to respond swiftly and efficiently.

Focusing on Trade Secret Audits

We counsel clients to be proactive in protecting corporate data by conducting a data security audit to identify and protect confidential and trade secret information. The audit should not just focus on the technical aspects of the systems (though technical audits and strategic roadmaps are integral aspects of most information security programs), but also approach protection from a cross-functional, proactive perspective looking at preventing theft, detecting theft, and responding to suspected theft. By assessing the maturity of technical systems and processes and the human side, companies will be able to determine their risk of information theft more accurately and be well-positioned to mitigate that risk in a coordinated approach.

These audits involve identifying the corporate trade secret information, how the data is handled, and who has access to such data. The audits consider a review of the data security provisions in place to restrict and protect data, and a review of policies, processes, and procedures. Audits also include analyzing the enforceability of the company’s standard confidentiality agreements and assessing information security measures, including interviews with key stakeholders.

While the contours of such an audit vary depending on a company’s size, international presence, industry, type of workforce, nature of its trade secrets, and risk tolerance, all companies need to be addressing this risk from the perspective of cross-functional groups.

Here’s a typical scenario. When a key employee is off-boarded, does HR ask probing questions about confidentiality and the employee’s next move? Does HR notify Info Sec when an employee has given notice so that heightened monitoring may be employed? Does R&D fully utilize logs and data access restrictions for higher prioritized information? Do the Legal and InfoSec teams have a protocol for investigating potential misconduct that maximizes evidentiary value while also preserving legal optionality? Have hiring managers been trained about the risks of soliciting competitive information?

The answers to these types of questions, and many others, have a direct bearing on the success or failure of a data security program but may fall within several groups beyond the purview of the CISO.

Furthermore, systems or protocols to improve how the company answers these questions or addresses data theft require buy-in and implementation by employees outside of the InfoSec team. A company must take a cross-functional approach to data theft to minimize data theft and maximize its ability to respond to (and mitigate the consequence of) a theft that does occur.

As the workforce changes how employees interact with corporate data, companies should bring together the key stakeholders to develop an operational plan to address information security from insider threats and conduct a trade secret audit to protect their valuable data.

Companies that bring teams together and form an operational strategy are more likely to protect data than those relying on even the best-intentioned silo approach.


Computer security is an issue that is not going to go away anytime soon, and any business that ignores cybersecurity does so at its peril. Whether it’s a data breach or the insertion of a piece of ransomware, you want to do everything you can to keep your computer networks safe.

Part of that involves being aware of what’s happening on your network and knowing how to recognize suspicious activity when it happens. By spotting trouble as soon as it appears, you stand a much better chance of saving yourself any number of headaches and costs.

Here are some things to consider when it comes to identifying suspicious network activity.

Identifying Suspicious Activity

Any number of behaviors, including database activities, unusual access patterns, and changes to files or logs, can point toward a cyberattack or data breach. Recognizing these activities for what they are is vital if you want to locate the source and type of attack. Doing so will let you act quickly in stopping the security threat and minimizing any damage.

Here are some common examples of suspicious activity:

  • Account abuse: The sudden overuse of privileged accounts to grant access to new or inactive accounts is a sure sign of an attack from the inside. Either an employee has initiated a run of unusual activity, or a hacker has gained access to a top-tier account. Other signs could include sharing information without cause, modifications applied to audit records, or mysterious deletion of login files.
  • User access: Unexpected user access changes are often a reliable sign that an outside hacker has acquired a user’s credentials and is poking around your system. Behaviors you may notice include user access at odd hours, remote access, and multiple failed attempts to log in.
  • Database activity: Unusual database activity can come from both inside and outside your business. Vital signs to watch include unexpected changes in users, changes in permissions, changes in data content growth, and access during non-business hours.
  • Unexpected network behavior: Network activities that fall outside of usual expectations are a reliable signal that something amiss is happening. Look for traffic originating from outside your network, protocol violations, and unauthorized scans. A sudden change in network performance should also be checked out.
  • Unexpected virus notifications and system slowdowns: Simple warnings to be on the lookout for would be a sudden increase in virus warnings or pop-up windows. If computers or networks slow to a crawl, there could be a problem. A hacker may have gotten in and installed malicious software, or a website or email may have downloaded and installed malware on the sly.
  • Unauthorized port access: Most ports have specific assignments. If unsanctioned port access occurs, it could be a sign that files are being accessed without authorization or that a malware attack is underway.
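
The user access indicators in the list above (access at odd hours, remote access, multiple failed login attempts) written as detection logic over authentication events. This is an added example, not part of the original article; the log format, sample lines, business hours, failure threshold and internal network range are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (timestamp, user, source IP, outcome); not real logs.
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice 10.0.4.17 success
2024-03-04T09:40:11 bob 10.0.4.22 failure
2024-03-04T09:40:19 bob 10.0.4.22 success
2024-03-05T02:13:40 carol 10.0.4.31 success
2024-03-05T02:47:02 dave 203.0.113.50 failure
2024-03-05T02:47:09 dave 203.0.113.50 failure
2024-03-05T02:47:15 dave 203.0.113.50 failure
2024-03-05T02:47:21 dave 203.0.113.50 failure
2024-03-05T02:47:30 dave 203.0.113.50 success
2024-03-05T14:05:00 erin 198.51.100.7 success
"""

# Assumed policy values; tune these to the organization.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 local time
FAIL_THRESHOLD = 4                  # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window

def parse(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip_address(ip), outcome

def detect(log_text):
    """Return a sorted list of (user, reason) findings for review."""
    findings = set()
    recent_failures = defaultdict(list)
    for ts, user, ip, outcome in map(parse, log_text.splitlines()):
        if outcome == "failure":
            # Keep only this user's failures that are still inside the window.
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) >= FAIL_THRESHOLD:
                findings.add((user, "repeated_failed_logins"))
            continue
        if ts.hour not in BUSINESS_HOURS:  # successful login at an odd hour
            findings.add((user, "off_hours_access"))
        if not any(ip in net for net in INTERNAL_NETS):  # login from outside
            findings.add((user, "remote_access"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

A single mistyped password (bob) and a normal daytime internal login (alice) produce no finding, while one account that trips all three indicators together (dave) is the case worth escalating first.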

How Suspicious Activity Can Vary

Depending on the sort of business you’re in, suspicious activity may present itself in different ways. For instance, smaller companies might notice user abuse or abnormal database activities early on as bad actors access personal or cardholder information. A larger business or financial institution is more likely to experience dodgy account behavior, unauthorized port access, and malware or spyware designed to steal financial data and personal identity information.

Some organizations find themselves the target of advanced persistent threats (APTs). These multi-phase attacks usually go after an organization’s network and vary in their subtlety as they poke and probe for weaknesses or backdoor access. APTs often choose to attack government organizations or large corporations but have occasionally been known to cause trouble for small and medium-sized businesses as well.

Dealing With Suspicious Network Activity

As with most security issues, the key to approaching suspicious network activity is prevention. This requires having set protocols and procedures for both you and your employees. An effective data security policy should include:

  • Solid password policies
  • Periodic review of traffic, error reports, network alerts, and performance
  • Malware and virus protection
  • Robust firewalls
  • Regular risk assessments
  • Employee education
  • Incident and failure response strategies
  • File integrity monitoring

Data Security Is Serious Business

Your customers expect you to keep their information safe, and your business’s reputation is on the line. As often as hackers and other bad actors keep finding new ways to target and exploit networks, so too do the strategies and tools for combating these threats evolve. Whether it’s adopting file integrity monitoring, conducting system activity audits, or running simple virus checkers, you can stay ahead. It just takes a bit of vigilance and commitment to your network’s security.

Your business will be stronger for it.