Global Survey Finds More Than One Third of Companies Believe Their Intellectual Property Has Been Stolen
July 7, 2010
While Snooping Continues to Rise, IT Security Is Making It Harder for Insiders to Get Around Controls That Protect Highly-Sensitive Information
NEWTON, Mass. & LONDON–(BUSINESS WIRE)–The results of Cyber-Ark® Software’s fourth annual “Trust, Security and Passwords” global survey show that 35 percent of respondents believe their company’s highly-sensitive information has been handed over to competitors. Thirty-seven percent of the IT professionals surveyed cited ex-employees as the most likely source of this abuse of trust. While perhaps not surprising that disgruntled workers top the list, it’s noteworthy that 28 percent suspected “human error” as the next most likely cause, followed by falling victim to an external hack or loss of a mobile device/laptop, each at 10 percent. The most popular information shared with competitors was the customer database (26 percent) and R&D plans (13 percent).
Cyber-Ark’s fourth annual “Trust, Security and Passwords” global survey is the result of interviews conducted in the Spring of 2010 with more than 400 senior IT professionals both in the US and UK, mainly from enterprise-class companies.
There was little year-over-year change in the number of respondents who suspected the loss of intellectual property to a competitor, indicating that more needs to be done to protect companies’ most valued assets. Additionally, to address vulnerabilities related to human error that could expose a proprietary database or financial information, organizations must employ additional layers of control such as the ability to grant privileges to sensitive data and systems on-demand. This limits “innocent” mistakes by allowing access to information only when users need it to perform a particular task or query.
Snooping On the Rise, but Access Is Getting More Difficult
The research also confirmed that snooping continues to rise within organizations both in the UK and the US. Forty-one percent of respondents confessed to abusing administrative passwords to snoop on sensitive or confidential information – an increase from 33 percent in both 2008 and 2009. When examining the information that people were willing to circumvent the rules to access, US respondents targeted the customer database first (38 percent versus 16 percent in the UK) with HR records most alluring to UK respondents (30 percent versus 28 percent in the US).
Despite the rise, there was also the admission that organizations are trying to better curb snooping and are installing stronger controls to prevent these incidents. Based on this year’s survey, 61 percent responded they could circumvent those controls – a decrease from 77 percent in 2009. Additionally, 88 percent of IT professionals believe their use of these privileged accounts should be monitored; however, only 70 percent of organizations actually attempt to do so – with one-third turning a blind eye to what’s happening within their networks and therefore failing to meet regulatory and compliance requirements. Insider sabotage, unfortunately and rather disconcertingly, has increased from 20 percent last year to 27 percent this year.
Speaking about the results, Cyber-Ark’s Executive Vice President Americas and Corporate Development Adam Bosnian commented, “While we understand that human nature and the desire to snoop may never be something we can totally control, we should take heart that fewer are finding it easy to do so, demonstrating that there are increasingly effective controls available to better manage and monitor privileged access rights within organizations. With insider sabotage on the increase, the time to take action has already passed and companies need to heed the warnings.
“It is the organization’s obligation to protect its sensitive information and intellectual property. Failing to do so, in our opinion, makes the company as bad as those who are abusing their privileged positions. Let’s face it, you might as well sell the information to the highest bidder yourself – that way at least you’ll have some control over who’s got it!,” continued Bosnian.
IT Confess to Being the Best at Snooping
The survey found that 67 percent of respondents admitted having accessed information that was not relevant to their role. When asked what department was more likely to snoop and look at confidential information, more than half (54 percent) identified the IT department, likely a natural choice given the group’s power and broad responsibility for managing multiple systems across the organization. Of note, this is an up-tick compared to the 35 percent who identified the IT department as likely suspects in 2009, a number that had decreased from 47 percent in 2008. Respondents identified Human Resources as the next most curious, at 11 percent, followed by administrative assistants.
Note to editors:
This survey was conducted with more than 400 IT administrators at Infosecurity Europe 2010 and RSA USA 2010. To download a detailed report of the survey results, please visit http://www.cyber-ark.com/constants/white-papers.asp.
About Cyber-Ark
Cyber-Ark® Software is a global information security company that specializes in protecting and managing privileged users, applications and highly-sensitive information to improve compliance, productivity and protect organizations against insider threats. With its award-winning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, organizations can more effectively manage and govern application access while demonstrating returns on security investments. Cyber-Ark works with more than 600 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.
Manhattan U.S. Attorney Charges Former Goldman Sachs Computer Programmer For Theft of Trade Secrets
February 19, 2010
PREET BHARARA, the United States Attorney for the Southern District of New York, and JOSEPH M. DEMAREST, JR., the Assistant Director in Charge of the New York Field Division of the Federal Bureau of Investigation (“FBI”), announced that SERGEY ALEYNIKOV was indicted today on charges related to his theft of proprietary computer code concerning a high-frequency trading platform from his former employer, Goldman Sachs.
ALEYNIKOV was previously arrested and is expected to be arraigned in Manhattan federal court at a later date.
According to the Indictment filed today in Manhattan federal court: From May 2007 to June 2009, ALEYNIKOV was employed at Goldman Sachs as a computer programmer responsible for developing computer programs supporting the firm’s high-frequency trading on various commodities and equities markets. Goldman Sachs had obtained the high-frequency trading system in 1999, when it acquired Hull Trading Company, the previous owners of the system, for approximately $500 million. Since acquiring the system, Goldman Sachs modified and maintained the system, and took significant measures to protect the confidentiality of the system’s computer programs, including firewalls to limit access to the firm’s computer network, and limiting internal access to the high-frequency trading program. Goldman Sachs’ high frequency trading system generates millions of dollars per year in profits for the firm. Goldman Sachs takes several measures to protect the system’s source code, including requiring all Goldman employees to agree to a confidentiality agreement.
In April 2009, ALEYNIKOV resigned from Goldman Sachs and accepted a job at Teza Technologies (“Teza”), a newly-formed company in Chicago, Illinois. ALEYNIKOV was hired to develop Teza’s own version of a computer platform that would allow Teza to engage in high-frequency trading. ALEYNIKOV’s last day of employment at Goldman Sachs was June 5, 2009.
Beginning at approximately 5:20 p.m. on June 5, 2009 – ALEYNIKOV’s last day working at Goldman Sachs – ALEYNIKOV, from his desk at Goldman Sachs, transferred substantial portions of Goldman Sachs’s proprietary computer code for its trading platform to an outside computer server in Germany. ALEYNIKOV encrypted the files and transferred them over the Internet without informing Goldman Sachs. After transferring the files, ALEYNIKOV deleted the program he used to encrypt the files and deleted his computer’s “bash history,” which records the most recent commands executed on his computer.
In addition, throughout his employment at Goldman Sachs, ALEYNIKOV transferred thousands of computer code files related to the firm’s proprietary trading program from the firm’s computers to his home computers, without the knowledge or authorization of Goldman Sachs. ALEYNIKOV did this by e-mailing the code files from his Goldman Sachs e-mail account to his personal e-mail account, and storing versions of the code files on his home computers, laptop computer, a flash drive, and other storage devices.
On July 2, 2009, ALEYNIKOV flew to Chicago, Illinois, to attend meetings at Teza’s offices, bringing with him his laptop computer and another storage device, each of which contained Goldman Sachs’s proprietary source code. ALEYNIKOV was arrested on July 3, 2009, as he arrived at Newark Airport following that visit.
* * *
ALEYNIKOV, 40, is charged with one count of theft of trade secrets, one count of transportation of stolen property in foreign commerce, and one count of unauthorized computer access.
If convicted on these charges, ALEYNIKOV faces a maximum sentence of 25 years in prison. Mr. BHARARA praised the investigative work of the FBI in this case. Mr. BHARARA also thanked Goldman Sachs for its cooperation in the investigation.
U.S. Attorney PREET BHARARA added: “Sergey Aleynikov allegedly stole confidential computer code from his employer joining a rival company. In today’s information age, a theft of valuable intellectual property represents a serious breach of economic security. This Office is committed to working with the FBI to pursue the theft of intellectual property and prosecuting the perpetrators before they can cause further harm.”
FBI Assistant Director-in-Charge DEMAREST stated: “Proprietary information and trade secrets are sometimes the most valuable assets of a business. The computer code Aleynikov copied was worth millions. But the theft of such assets is usually much harder to detect than the theft or embezzlement of tangible assets, because the thing stolen is not physically missing, it’s duplicated. The FBI is committed to policing the theft of trade secrets.”
This case is being prosecuted by the Office’s Complex Frauds Unit. Assistant United States Attorneys JOSEPH FACCIPONTI and REBECCA ROHR are in charge of the prosecution.

