VARONIS RESEARCH PAPER. Information Entropy. Information Entropy

Transcription

1 VARONIS RESEARCH PAPER 1

2 CONTENTS EXECUTIVE SUMMARY 3 METHODOLOGY 5 WHO RESPONDED 5 PROTECTING IP AND NDAS 6 DATA LEAKAGE AND ENTROPY 8 NDAS AND ENTROPY 9 GAUGING THE SIZE OF LIKELY LEAKERS 10 IP LEAKAGE AND EXIT INTERVIEWS 11 RETURN OF IP 12 CONCLUSION 13 2

3 EXECUTIVE SUMMARY Intellectual property is a core asset of many businesses. IP can be proprietary, non-public information about potential customers, business agreements, product roadmaps, or deeper aspects of products and processes, legally referred to as trade secrets. It can also involve public information that companies need to protect and control for example, patents reflecting novel or innovative functions or copyrighted material. In the US, intellectual property is protected by state and federal laws, and violations of certain types of IP can be investigated by the Federal Bureau of Investigation. To handle the problem of sharing sensitive, non-public data with employees, confidentiality or non-disclosure agreements, known as NDAs, are typically used to limit who gets to see the secrets. NDAs are the starting point in preventing IP leakage. In legal cases involving confidentiality or trade secret violations, the courts expect companies to show they take confidentiality seriously through good IP practices: having all employees sign NDAs and putting file access controls in place are high on the list. In our survey of over 120 companies we discovered that 44% of our sample had not signed an NDA. While it is quite possible that this group of respondents may have forgotten about this agreement when they started their employment, it still points to a significant shortfall in employee education about confidentiality. The results strongly suggest that employers can do more to improve employee knowledge of the confidentiality obligations of an NDA. Another concern for employers is the use of cloud-based lockers or file sync services by employees to store work-related content. NDAs on their own, we discovered, provide something of a deterrent effect to employee usage of the cloud: those who sign NDAs when starting a job are appear to be less likely to then fly under the radar and upload data to the cloud without company approval: 13% versus an overall average of 18%. 3

4 We attempted to gauge the potential size of the leakage of IP into the cloud. Our analysis reveals that about 5% of our survey uploaded confidential data into their personal cloud accounts. While more study is required, we believe that there s something close to an rule playing out: a very small percentage of employees are uploading a large number of files containing confidential and worked related content. For example, after filtering our survey data we discovered one respondent reporting uploading too many files to count containing sensitive business data into the cloud. One way to reduce IP leakage risks is to simply ask employees during an exit interview to return or delete their cloud-uploaded content. Here again we learned that companies are doing a less than adequate job of protecting their IP: only 46% of respondents reported being asked to return digital content when separating from their employers. Finally, we explored the question of what employees were doing with their cloud-content after leaving a job. Only 29% said they deleted all their cloudbased content. A possible source of IP leakage comes from a 13% segment who kept their own notes and documents while deleting files marked confidential. These former employees may think they own their content, but in fact there is a potential for violating copyright agreements and also accidentally revealing confidential business information that was likely not appropriately tagged as such. 4

5 METHODOLOGY In July 2013, Varonis introduced a 7-question survey at several TechEd events. The survey s questions were constructed to: Learn about the employers use of NDAs and other IP protection-related business practices Measure how employees manage their cloud-based locker services to store work-related content Estimate the potential pool of IP leakers among employees Understand the final disposition of work-related content uploaded to the cloud by employees WHO RESPONDED Our responses are a little more heavily weighted towards the above-1000-employee, enterprise-class organizations (57% vs. 43%). Our sample also had a significant presence of respondents from enterprises at the extreme end of the scale: 14% came from 50,000+-employee organizations. 14% 32% 16% 7% 11% 20% < ,000-50,000 >50,000 5

6 PROTECTING IP AND NDAS One important lesson from the court system is that if you want to protect corporate IP, you have to show employees that you take this matter seriously. Courts will generally rule against employers in a confidentiality violation if they can t prove there is a program in place to protect non-public, sensitive information. A good starting point 1 for such a program is to have new employees sign a non-disclosure agreement or NDA when they are hired. In an NDA, employees are told they may come across information either marked confidential, for internal use, or that is understood to be confidential. Employees agree to protect this information by not sharing it with third parties. NDAs remain in effect after employees leave a company, only ending under certain conditions e.g., when the information has become public. Another part of these agreements is typically found under the invention assignment section. The employee agrees to transfer to their employer the rights to any copyrightable material, which can include software code, or patents they ve been issued. You can think of an NDA as controlling the sharing of non-public information within the company and with selected partners; while copyrights, trademarks, and patents are a way to prevent competitors from copying public IP. How did our sample perform in this basic preventive procedure? Not well. Overall, 44% said they did not sign such an agreement. This is a striking result. While we can t reveal names, there were employees from some major banks, financial institutions, and tech companies. It s quite possible that these employees may have forgotten they signed their NDAs it s part of the paperwork that new employees are given when they start and is often soon forgotten about afterwards. 6

7 But that leads to another significant point: many companies are likely not doing an adequate job educating their employees that they are handling confidential information in their work. There may very well be a large company effect, as we have seen in our other surveys. For companies, with over 50,000 employees--large Enterprise the rate of those signing or better yet, those employees who remember their NDAs is around 70%, well above the average of about 53%. It suggests that larger companies with, perhaps, more IP assets at stake, have a greater incentive to protect their interests and are better at IP education and training. SMB 54% 41% 4% 1% Enterprise 39% 2% 54% 5% Large Enterprise 25% 5% 69% No, I didn't have to sign anything like that Not sure Yes, I signed it and fully understand the ramifications Yes, I signed it, but I didn't understand what those legal clauses meant 7

8 DATA LEAKAGE AND ENTROPY One of the goals of the survey is to gauge how much information is leaking out beyond corporate walls. One path for IP to take is for it to be uploaded by employees into cloud-based file sync services (Dropbox, Google Drive, Box, etc.). As we ve learned in our Cloud Collaboration and the Enterprise survey, there is a significant adoption of cloud storage in the workplace. In this current 2 survey, we re seeing similar levels of cloud usage about 27% (see appendix) report that they were using personal cloud-services to store work-related documents. We wanted to understand in more detail about employee experience with these cloud-based file locker services. The survey reveals there s a 22% segment using personal cloud accounts with company approval. These approved accounts can be problematic in general if security admins don t have in place a way to monitor and potentially block sensitive content. We previously showed in our Real-time Alerts survey 3 that very few companies, less than a third of our sample (29%), had the ability to monitor employee access to cloud-storage services. A more obvious pool of potential IP leakers is employees who ve uploaded files to their personal file lockers against company policy. Overall, 18% of our sample almost 1 in 5 self-reported they were doing just that by flying under the radar. Based on these two groups, we can conservatively estimate the pool of potential leakers at about 40% (see below). The remainder of respondents are not using the cloud or they are uploading to company-controlled accounts, which likley has better governance. We will use this percentage as a baseline in the subsequent analysis I don't use any cloud storage No, I'm completely flying under the radar since uploading files to personal cloud account is against company policy Yes, but my company allows business data in personal accounts Yes, but we have to use a company controlled cloud service (e.g., Google Apps for Business, Yammer, etc.) 4 1% 18% 22% 19% 8

9 NDAS AND ENTROPY We were curious about whether employees who signed IPs and understand their obligations behaved differently with regard to cloud usage. Our data shows that there is some effect. Of this group of NDA signers, only 13% (versus an 18% average) are flying under the radar and using the cloud without permission and 54% (versus 41% average) say they don t use the cloud at all to store business documents. This result suggests that NDAs may make employees more aware of IP leakage risks versus non-signers. Another possibility is that a newer breed of NDA agreements which, in the past, has typically contained legal boilerplate--may now include specific clauses about uploading data to the cloud % 22% 25% 25% 40% 20% 20% 20% 54% 13% 20% 13% 25% 50% 25% No, I didn`t have to sign anything like that Not sure Yes,I signed it and fully understand the ramifications Yes,I signed it, but I didn`t understand what those legal clauses meant I don t use any cloud storage No, I'm completely flying under the radar since uploading files to personal cloud account is againist company policy Yes, but my company allows business data in personal accounts Yes, but we have to use a company controlled cloud service (e.g., Google Apps for Business, Yammer, etc.) 9

10 GAUGING THE SIZE OF LIKELY LEAKERS The next topic we take up is estimating the percentage of likely leakers that would form an IP suspect list. As we mentioned earlier, a baseline for IP leakers comes from two groups: those uploading content without the knowledge of their employers, and those uploading it to uncontrolled personal accounts but with management s approval. We have the who part of the equation. Now we just need the what part the content that was uploaded. We learned that (see appendix) 8% of our survey is uploading documents marked sensitive or confidential into the cloud, and another 5% say they store all their work-related data to the cloud. Since many companies likely don t mark all their confidential data, let s assume that 13% have uploaded confidential content. If we look at the intersection of these two groups we come up with 5% of our survey sample that could reasonably form a list of IP theft suspects in the event of an actual leak. Content marked confidential and other work related information (% of entire sample) 3% 1% 4% 5% I don't use any cloud storage No, I'm completely flying under the radar since uploading files to personal cloud account is againist company policy Yes, but my company allows business data in personal accounts Yes, but we have to use a company controlled cloud service (e.g., Google Apps for Business, Yammer, etc.) Now we just need to gauge the volume of leaked content. In one of our questions, we asked for the number of documents that employees have uploaded to the cloud for work. The results reveal (see appendix) that 35% uploaded one to one hundred files, 11% uploaded between 100 and 500 files, and 10% said they uploaded more files than they can count. After filtering our IP theft suspect list for high-volume content uploaders, we find three respondents that have in their possession between 100 and 500 documents, and one claiming to be holding a very large number-- too many to count -- of business documents. Bottom line: We believe there s an rule in effect. From the 40% of potential leakers, we came up with an IP theft suspect list representing 5% the survey. We whittled this group down to a few people, who investigators would likely consider persons of interest if there was an actual theft incident. A tiny percentage of employees in this case about 3%-- are holding lots of business content containing valuable corporate IP. And one person the prime suspect, perhaps? essentially snatched an enormous amount of data. 10

11 IP LEAKAGE AND EXIT INTERVIEWS When an employee leaves, companies can use their exit interviews to make a strong case for their IP if they should ever have to go to court: they can remind employees about their NDAs, which, by the way, often also include clauses requiring them to return company property. Overall, we found that less than half of the survey sample (46%) was asked to return digital files. Digging more deeply, those with approved personal cloud accounts, which the company should know about and view as potential source of IP leakage, the ask rate is just a little bit higher, at 52%. It should be much higher. Overall, the survey results strongly suggest that companies are not engaging in good practices with respect to IP, which ultimately will diminish their chances of successful litigation I don't use any cloud storage 63% 27% 10% Yes, but we have to use a company controlled cloud service (e.g., Google Apps for Business, Yammer, etc.) 33% 33% 34 % No, I'm completely flying under the radar since uploading files to personal cloud account is againist company policy 65% 13% 22% Yes, but my company allows business data in personal accounts 4 8% 4 0% 12% No, I was never asked Yes, they asked me to delete/ return my data myself Yes, they asked me to hand over my personal devices and personal account passwords 11

12 RETURN OF IP Even after employees leave, they are still bound by their NDA agreements. What are employees doing with the company content they ve uploaded to the cloud? We were able to get closer to ground truth information by asking just such a question. A little under one-third (29%) reported having returned or deleted everything after separating from prior employers. Of the remainder, 20% returned documents marked confidential or internal I didn't have anything in the cloud I didn't have to do anything I dutifilly "returned" and deleted all the files that contained anything involved with my work I kept all my notes and other company documents that I created I returned and deleted only documents that were specifically marked confidential or internal, kept everything else 28% 10% 29% 13% 20% A more problematic group (13%) keeps the notes and other company documents they created. Employees may think, mistakenly, that they own their content. That s not quite true. As part of an NDA, they ve assigned their copyrights to code, presentations, meeting notes, etc.--to the company. This transfer is typically found in the invention assignment section of the agreement, but employees do have the opportunity to list their pre-existing inventions and copyrights. In any case, if some of their content does indeed contain confidential information, even if it s not marked as such, then they are also bound by the NDA. While it s too small a sample to draw any significant conclusion, it s still revealing to take a look again at the 3% of the survey from our IP theft suspect list holding hundreds of documents in their personal cloud accounts. In this small segment, three reported returning only documents marked confidential, and one reported keeping all his notes. We believe there is a very small percentage of IP thieves involved in real espionage, but we strongly suspect that most of the leaked IP is coming from, say under 3% of employees, who were assuming, in good faith, that they own notes and this work did not contain confidential information, or that documents not marked as confidential did not contain information protected by their NDA. They are likely wrong on both counts. 12

13 CONCLUSION While theft of high-tech IP by foreign spy rings has received much attention in the press, it s the more common variety of IP transfers involving copyrighted material, lists of contacts and customers, and sensitive corporate presentations that is a more pressing issue for businesses. The FBI will investigate trade secret violations by foreign governments. Interestingly, some of the warning signs they ask companies to watch for is still relevant to non-top secret information: 4 The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need it Proprietary or classified information is not labeled as such, or is incorrectly labeled The ease that someone may exit the facility (or network system) with proprietary, classified or other protected materials Undefined policies regarding working from home on projects of a sensitive or proprietary nature The perception that security is lax and the consequences for theft are minimal or non-existent Time pressure: Employees who are rushed may inadequately secure proprietary or protected materials, or not fully consider the consequences of their actions Employees are not trained on how to properly protect proprietary information On sure-fire approach to limiting IP leakage is to engage in solid data governance and security practices: Ensure that people only have access to confidential data on a need-toknow basis, and enforce this through access controls Monitor and audit access to file data, especially files known to have sensitive information Restrict employee usage of the cloud to accounts that are under corporate control. Monitor employee usage and access to public cloudbased file sync services And perhaps the most important advice of all is to have well-defined employee separation processes in place. This should always include an exit interview in which employees are asked to return or delete business data in their possession, and then reminded of their obligations under their NDAs. 1 A Statistical Analysis of Trade Secret Litigation in Federal Courts (mondaq.com) 2 Varonis Cloud Collaboration and the Enterprise Survey 3 Varonis Security Incidents and Real-time Alerts Survey 13

14 0 10 APPENDIX ARE YOU USING ANY PERSONAL CLOUD-BASED LOCKER OR FILE SYNC SERVICES TO STORE AND SHARE BUSINESS CONTENT? No 73% Yes 27% IN YOUR CURRENT JOB, HOW MANY DOCUMENTS DO YOU THINK YOU'VE UPLOADED TO A PERSONAL CLOUD-BASED LOCKER OR FILE SYNC SERVICE? Not sure 10% None 57% % Too many to count- I can't keep track 16% UPON LEAVING A JOB, WERE YOU ASKED TO RETURN COMPANY DATA STORED IN PERSONAL ACOUNTS OR DEVICES? No, I was never asked 54% Yes, they asked me to delete/ return my data myself 28% Yes, they asked me to hand over my personal devices and personal account passwords 18% 14

15 INFOGRAPHIC 15

16 ABOUT VARONIS Varonis is the leading provider of software solutions for unstructured, human-generated enterprise data. Varonis provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. Varonis specializes in human-generated data, a type of unstructured data that includes an enterprise s spreadsheets, word processing documents, presentations, audio files, video files, s, text messages and any other data created by employees. This data often contains an enterprise s financial information, product plans, strategic initiatives, intellectual property and numerous other forms of vital information. IT and business personnel deploy Varonis software for a variety of use cases, including data governance, data security, archiving, file synchronization, enhanced mobile data accessibility and information collaboration. Free 30-day assessment: WITHIN HOURS OF INSTALLATION You can instantly conduct a permissions audit: File and folder access permissions and how those map to specific users and groups. You can even generate reports. WITHIN A DAY OF INSTALLATION Varonis DatAdvantage will begin to show you which users are accessing the data, and how. WITHIN 3 WEEKS OF INSTALLATION Varonis DatAdvantage will actually make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs. WORLDWIDE HEADQUARTERS 1250 Broadway, 31st Floor, New York, NY T E sales@varonis.com W UNITED KINGDOM AND IRELAND Varonis UK Ltd., Warnford Court, 29 Throgmorton Street, London, UK EC2N 2AT T E sales-uk@varonis.com W WESTERN EUROPE Varonis France SAS 4, rue Villaret de Joyeuse, Paris, France T E sales-france@varonis.com W sites.varonis.com/fr GERMANY, AUSTRIA AND SWITZERLAND Varonis Deutschland GmbH, Welserstrasse 88, Nürnberg T +49 (0) E sales-germany@varonis.com W sites.varonis.com/de 16