Despite Cybersecurity Woes, Biggest Threat Could Come From Inside

Top US security officials said yesterday that cyber attacks are agreater threat than terrorism. On top of that, former DHS SecretaryMichael Chertoff (now with Covington), warns that companies need to focus on the threat that comes from within.Yesterday, he was the keynote at Covington's panel on employee trade secret theft, a problem costing businessesbillions a year.Michael, right, is with securities enforcement co-chair David Kornblau.He sees trade secret protection holistically,not solely a cyber problem. Addressing tech but not the human component, Michael says, is like "locking one door and leaving a window open."

Take this DHS experiment: it scattered USBs in a parking lot, and 60% of employees who picked one up inserted it into their computers. For USBs with a logo, it was 90%. And just like that, all the security systems protecting networks from external intrusions could be bypassed.The conference was the idea ofemployee benefits chairRichard Shea, center, after the recent release of the White House strategy on combating trade secret theft.He's flanked by moderatorKurt Calia(an IP lit partner who flew in from Silicon Valley), insurance partnerMarialuisa Gallozzi, and privacy associateLindsey Tonsager. They're all from different practices because the issue requires a holistic solution.

David Fagan, a partner who focuses on cybersecurity and data privacy, rounded out the panel at the firm's 620 Eighth Ave NY office. Despite a focus on the high-tech, he says, much of trade secret theft is carried out more by way of the sneakernet(someone putting it on a USB and walking away with it). Equally low-tech and inexpensive solutions can make a big impact, including just stamping "Proprietary and Confidential" on documents, so that if information is stolen, a legal case can be made.One company used flat-screen TVs with scrolling messages about privacy.

Kurt and Lockheed's Kimberly O'Grady. Which industries see information being stolen? It's anything from defense to media companies to law firms.In response, companies can file a civil suit, or cooperate with the government for a criminal suit or to apply diplomatic and trade pressure. Retaliation in kind for intrusions (tampering with or blowing up their networks) may sound tempting but is strongly discouraged. Back to Michael's burglary comparison--if somebody robs your house, you can't just incinerate theirs.

Other low-tech solutions are tightly written compensation,insurance and benefits policies that incentivize a culture of privacy and disincentivize theft. (Because no company likes to pay an exec a hefty outstanding bonus if he's already left to take trade secrets elsewhere.) More include: a formalized process dealing with exiting employees, with varying degrees of scrutiny depending on risk level; social media policies; and agreements with component part suppliers to handle supply chain threats.