How to Prevent IP Theft by Your Own Employees?
Cursed by USB asks: "We are a small software startup based in India. Recently one of our employees was caught trying to steal our IP (work) from a computer using a USB thumb drive. While all the staff computers are devoid of floppy drives, cd writers and internet connections, we simply cannot disable the USB ports since there are a lot of USB enabled peripherals that we use. Apart from trying to hire "trustworthy" people, are there any other bright ideas that Slashdot readers might have in this regard to help prevent such theft from workplace?"
Delete the USB mass storage drivers?
/usr/games/fortune
Deny them the rights necessary to install hardware on their workstations. If not for all employees, for the employees that have access to sensitive information.
Yes, my only tool is a hammer. And you're starting to look like a nail.
or something else.
..of course, why would he need a USB drive to steal a 4 byte value?-)
It's possible to disable USB drives as well... some companies have done it. I'm pretty sure you can ask Microsoft how to do it.
but really, if the guy is a coder or whatever.. how are you going to make him not 'steal' your 'ip' which is most importantly ideas.
kick him in the nuts and pay the next guy better?
world was created 5 seconds before this post as it is.
1. you said "IP" suggesting that it is a tangible thing that can be stolen
2. you implied that there is no such thing as trustworthiness in employees
3. you implied that you don't mind having untrustworthy employees as long as they don't affect *you*
Why should we help you? Do your own homework.
Think about it
No E-mail
No External resources (knowledge bases, slashdot)
Nothing
Frankly, I'm surprised you even can get people to work for you, I mean - wow, I haven't worked somewhere without an internet connection on my development machine for almost 15 years now. And it has been north of 20 since I haven't had an internet connection.
Frankly, it is much easier to protect your IP, and go after the people that steal it... I mean really what is stopping someone from bringing in a micro hard drive and just taking the whole thing out.
I have mod points and I am not afraid to use them
Have your employees check their brains at the front desk so they can't walk out with snippets of code lodged in their lobes. Or perhaps you may be able to open your source and get help from people who will work on your technology because of interest.
Like you said, hire people you can trust. Then foster a different environment, removing net connections, burners, and floppies is a good way to say, "I don't trust you." Why don't you embrace your employees, make them happy to work for you. Then maybe they won't steal, in fact, I would guess you'd see better productivity.
You've got yourself a self-fulfilling prophecy there...
http://monkeyserver.com --- weeeeee
... and even then, it doesn't always work. In the extreme case, you can always copy code using a pen and paper. Unless you're thinking of introducing full cavity searches, you're spinning your wheels. Give up on this "prevention" avenue. Focus more on your hiring process, write up a strict code of conduct, and don't be afraid to fire employees who are caught violating these terms.
Just my $0.02.
As long as your employees have access to your IP, there is absolutely no way to prevent them from "stealing" it if they are determined to do so. Period.
No amount of security will make your data safe. Data is easy to move, easy to duplicate, and easy to store. During the industrial revolution, American industrial spies stole factory plans from British firms by memorizing them. Unless you know how to erase a person's brain, there will always be a hole.
Technology is making this issue ever-more pressing.
You have two options:
1) Hire only trusted people, and trust them.
2) Don't rely on IP as a business model.
Option 2 may sound stupid, but it's really the only way in the long run. Sell a service, sell a product, but don't try to sell information. If the sole thing your company provides is data, someone will endeavor to get that data for themselves, and then you'll be boned.
A business that relies on the scarcity of information it holds internally can not survive. Even if your employees are all 100% trustworthy, outsiders will still vie for your data.
It may sound pessimistic, but it's the truth.
GeekNights!
Late Night Radio for Geeks!
Last I checked, the majority of people here certainly liked free software. But you really can't `pirate' something that's given away for free.
And as for movies and music and other forms of media, you'll find a very wide variety of views on that here, on every side. Probably the only thing that `most' covers is that `most' people here use computers from time to time.
That much is probably true. Though I suspect he'll find some answers here too, even though this really isn't the right place, and I'm amazed the question got greenlighted.
The best way to prevent IP theft is to treat your employees with respect and give them no reason to steal your IP in the first place.
Putting in draconian security rules is just going to piss me off and keep me from doing my job effectively, and quite frankly, make me look for a new job.
You should pay them partly with shares,
then they would only be stealing from themselves
and their coworkers/co-owners.
You definitely can prevent your employees from `stealing' things like code and data. It may not be 100% effective, but you can make it very _very_ difficult.
Think NSA. I certainly never worked there, but I imagine they're 1) very picky about who they hire, and 2) take security to the extreme, and 3) it's all backed up by serious legal threats. (I believe treason is still eligible for the death penalty, is it not?)
#2 is probably most interesting to those here. Physical security is extreme, with metal detectors detecting guns and hard drives, and enforced by men with guns. Things like USB drives (and even Furbies or cell phones) aren't allowed in at all, and I imagine there's spot searches for things like this.
Places like that often have two networks, a secure and an unsecure one. If you plug a computer into the wrong network, it never leaves the building again. The secure network has no access to the Internet whatsoever.
I imagine there's a lot more that they do, but I'm sure that there's web pages dedicated to this sort of thing if you want to read more about it.
Of course, even this isn't 100% effective -- but I imagine it's pretty close. Of course, it's also extremely expensive and restrictive, and few companies are probably willing to do this sort of thing to their employees -- but I imagine that a few do, perhaps to some key employees in key positions ...
The original claim was :
and there's two parts to that claim -- majority and everything. Perhaps the majority of people here have pirated something (be it software, music, movies, TV (broadcast, cable, satellite) or a ship at sea) but I seriously doubt that the majority pirates *everything*.
I don't see how this would protect them, as copyright protection doesn't imply protection of trade secrets, which is what the submitter is probably concerned about. The only real protection for trade secrets is trusting employees, and an NDA might be appropriate in the employment contract. The key isn't to remove all of the technology from the offices, but to create enough dis-incentives to prevent the employees from wanting to steal.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
I think the core difficulty here is that you think you have a technology problem, when what you have is a management problem. If you rule out hiring trustworthy people, and fostering an atmosphere that earns their trust, then you are just wasting your time. Think about this: do you think that putting in time clocks would make physicians (let's say) work harder?
You also need to think about what it is that you are actually trying to protect. One defect (among many) of the term "intellectual property" is that it leads people to think by analogy with actual (tangible) property. If your IP is in software, what are you trying to protect: the typing of the code, or the ideas the code embodies? If it is the latter, you can't open your employees' skulls and remove the ideas from them.
I worked in, and managed, an investment management firm, where it was a truism that our most important assets walked out the door every night. You have to run the business so that people want to work there; so that they have fun, find the work and their environment interesting, and believe that they will be fairly compensated (financially and otherwise). It isn't necessarily easy, but then that's what you get paid for.
Yeah, right.
What the hell kind of crazy society is going on in India?
If corporations are people, aren't stockholders guilty of slavery?
It would have to be a pretty big percentage for that scheme to work.
Let's say the employee is considering stealing $1000 (IP, cash, hardware, or equivalent) from The Company.
Pre-employee-ownership:
He owns 0% of The Company. So he gets $1000.
Post-employee-ownership:
He owns 1% of The Company. So he gets $1000, but effectively loses $10 of that. So he actually stole $990.
Give him 10%, you say? Wow. Okay. Doesn't sound scalable, but sure. So he'd still net $900 in his theft.
This won't work and it's exactly why even employees with massive ownership (e.g. CEOs) are still regularly caught pilfering from "their own" company.
Won't work. If the employee is a thief, he's a thief.
(And if the company works on military contracts, perhaps they CAN back it up with guys with machine guns. Maybe.)
Yes, it's expensive. Yes, it's not conducive to productivity. But it can be done.
Perhaps. Perhaps not. At my work, I have access to the source code for all our products, but the part I've contributed is exceedingly small (I'm in support, not development.) I guess I could steal it, but 1) who would want it? 2) I'd get sued into oblivion if I did, and probably end up in jail. It's not even remotely worth it. But physically, it would be easy.
As for #1, `who would want it?', even our competitors wouldn't want it. They wouldn't touch it with a 10' pole, because if it was ever found out, they'd be sued into oblivion and they know it. No legitimate company wants that sort of exposure.
And even if a single person did write all of this code, if he does it for his employer, on company time, on company computers, it probably belongs to the company, not him. (The specifics would be lined out in his employment contract and other paperwork.) Yes, perhaps he could write it again for somebody else (though often NDAs prohibit that), but few large projects are one-man-shows anymore.
Creativity and productivity are the two things a startup company, particularly a software startup, needs the most. Draconian security kills both of these. Likewise, oppressive NDAs and a corporate attitude of mistrust are not going to build loyalty among your employees.
If you don't want your programmers to steal "your" code, treat them like PARTNERS, not EMPLOYEES. There's not much incentive to steal from yourself.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
In Mexico, they were having problems with cops taking bribes. Now they pay them a lot better, and they have less of a problem.
... as much.
Hire trustworthy people, treat them well and pay them well - 1% above market rate if you can afford it - and they won't be tempted.
For the few that do get through, termination with a negative reference and, if applicable, legal action is probably your best bet. Reasonable, non-intrusive practices such as eliminating USB mass-storage drivers or making them read-only might prove helpful.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
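Several replies suggest removing or disabling the USB mass-storage drivers while leaving other USB peripherals working. The following is an added example, not part of the thread, showing how an administrator could audit that control; it assumes Linux workstations configured through `modprobe.d` files, and the function names and sample configuration are constructed for illustration.

```python
# Added example, not from the thread. Assumes Linux workstations and
# modprobe.d-style configuration; the sample config below is constructed.

# Linux has two USB mass-storage drivers: usb-storage (Bulk-Only Transport)
# and uas (USB Attached SCSI). Both must be covered by the policy.
STORAGE_MODULES = ("usb_storage", "uas")
NOOP_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

SAMPLE_CONF = """\
# constructed sample: /etc/modprobe.d/usb-storage.conf
blacklist usb-storage
install usb-storage /bin/false   # explicit loads fail too
blacklist uas
"""

def audit_modprobe(conf_text):
    """Classify each storage module as 'blocked', 'autoload-blocked' or 'loadable'.

    'blacklist' only stops automatic loading when a device is plugged in;
    'install <module> /bin/false' also makes an explicit modprobe fail.
    """
    status = {m: "loadable" for m in STORAGE_MODULES}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        # modprobe treats '-' and '_' in module names as equivalent
        directive, module = fields[0], fields[1].replace("-", "_")
        if module not in status:
            continue
        if directive == "install" and len(fields) >= 3 and fields[2] in NOOP_COMMANDS:
            status[module] = "blocked"
        elif directive == "blacklist" and status[module] == "loadable":
            status[module] = "autoload-blocked"
    return status

def not_fully_blocked(conf_text):
    """Return the storage modules that the configuration leaves loadable in some way."""
    return [m for m, s in audit_modprobe(conf_text).items() if s != "blocked"]

if __name__ == "__main__":
    for module, state in audit_modprobe(SAMPLE_CONF).items():
        print(f"{module}: {state}")
```

`modprobe.d` settings have no effect if the storage driver is compiled into the kernel rather than built as a module, so the audit only applies to modular kernels.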