ACSSINT helps you keep your company's intellectual property safe. That property, whether it is patents, trade secrets or just employee know-how, may be more valuable than your physical assets. Intellectual property (IP) is the lifeblood of every organization. IP protection is a complex duty with aspects that fall under the purview of legal, IT, human resources and other departments. Ultimately a chief security officer (CSO) or risk committee often serves to unify intellectual property protection efforts.
To Have an Effective IP Protection Program
Intellectual property may be the single most important asset a company possesses. Whether it is physical or digital, customer data or operational information, trade secrets or business strategies, intellectual property (IP) is often the main driver of revenue for any organization.
ACSSINT looks at multiple facets of the issue, including basic elements of a protection program, how and why investors need to assess cyber risk, protection of intellectual property assets in the cloud, the often-overlooked risk of poor patent translation, and the use of security assessments to strike a balance between collaboration and information protection.
There are a number of reasons that IP theft is an increasingly complicated and challenging issue. With advances in technology, the preponderance of proprietary assets—such as product formulas, customer lists, strategic plans and blueprints—are in a digital format. Unlike physical records of the past, digital information can be discreetly stolen in the absence of robust systems to protect it.
A second factor is that companies are working with suppliers and business partners who span the globe. Distance, lack of transparency in practices, and markets where the rule of law is comparatively weak all contribute to vulnerabilities in global supply chains.
So what systems should be in place to protect intellectual property? According to research by the Center for Responsible Enterprise and Trade (CREATe.org), eight key elements are necessary for an effective IP protection program. These guidelines should apply not only to individual companies, but to their suppliers and business partners as well:
1. Policies, Procedures and Records
Guidelines are necessary for all types of IP within an organization. A full leadership team must be aware of and promote these policies, procedures and records. There should also be systems in place for managing IP with employees and among third-party supply chain companies.
2. IP Compliance Team
A team should be responsible for IP protection and it needs to be cross-divisional and include representation from senior management.
3. Scope of the Program and Quality Risk Assessment
Systems must be in place to assess the risks of IP theft by company employees and among third parties.
4. Management of Supply Chain and Contractors
Systems for effective due diligence, contracts, communicating IP protection policies and ongoing management of IP are essential.
5. Security and Confidentiality Management
Computers and corporate networks should be designed to protect IP and confidential and proprietary information kept by employees, contractors and third parties.
6. Training and Capacity Building
Businesses must offer ongoing IP protection and compliance training for employees and third parties.
7. Monitoring and Measurement
Systems should be designed to monitor the implementation of the IP protection program to ensure that it is effectively managed among employees and third parties.
8. Corrective Actions and Improvements
Risk managers must develop a framework for implementing corrective actions and improvement processes when a problem with the IP compliance program occurs.
How To Keep Your Intellectual Property Safe
Your company’s IP, whether that’s patents, trade secrets or just employee know-how, may be more valuable than its physical assets.
The steps below are the minimum you should do to keep your IP safe.
1. Know what intellectual property you’ve got
If all employees understand what needs to be protected, they can better understand how to protect it, and from whom to protect it. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. Meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
2. Know where your intellectual property is
If you focus your efforts on your core IT systems to secure IP, you will overlook other areas where it might be stored or processed. These include:
- Printers, copiers, scanners and fax machines: Your input/output devices all store the documents they process, and they are typically networked and connected to remote management systems. Proper policies and procedures need to be in place to purge these documents and protect against unauthorized access.
- Cloud applications and file-sharing services: These might be company-managed or shadow IT. You need to know what your employees are using so you can restrict unauthorized cloud services and ensure that company-sanctioned services are properly configured and secured.
- Employees’ personal devices: An employee might email a document home, typically for benign reasons. Educate your employees on the proper handling of IP and have monitoring systems in place to track where your IP is being sent.
- Third-party systems: IP is often shared with business partners, suppliers, or customers. Make sure your contracts with those parties define how those third parties must secure your IP and have controls in place to ensure those terms are followed.
3. Prioritize your intellectual property
CSOs who have been protecting IP for years recommend doing a risk and cost-benefit analysis. Make a map of your company’s assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
4. Label valuable intellectual property
If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren’t authorized to take, your argument won’t stand up if you can’t demonstrate that you made it clear that the information was protected.
5. Secure your intellectual property both physically and digitally
Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it’s the server farm or the musty paper archive room. Keep track of who has the keys. Use passwords and limit employee access to important databases.
6. Educate employees about intellectual property
Awareness training can be effective for plugging and preventing IP leaks, but only if it’s targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they’re very attentive. As is often the case, humans are the weakest link in the defensive chain. That’s why an IP protection effort that counts on firewalls and copyrights, but doesn’t also focus on employee awareness and training, is doomed to fail.
In most cases, IP leaves an organization by accident or through negligence. Make sure your employees are aware of how they might unintentionally expose IP. According to a study by Egress Software in 2019, the most common technologies through which sensitive data like IP are accidentally breached are:
- External email like a Gmail or Yahoo account (51 percent)
- Corporate email (46 percent)
- File sharing via FTP (40 percent)
- Collaboration tools like Slack or Dropbox (38 percent)
- SMS or instant messaging apps like WhatsApp (35 percent)
With email, IP might be sent to the wrong person because:
- The sender used a wrong address (for example, Outlook auto-inserted an email address for someone other than the intended recipient)
- The recipient forwarded the email
- An attachment contained hidden content, such as in an Excel tab
- Data was forwarded to a personal email account
7. Know your tools to protect intellectual property
A growing variety of software tools are available for tracking documents and other IP stores. Data loss prevention (DLP) tools are now a core component of many security suites. They not only locate sensitive documents, but also keep track of how they are being used and by whom.
Encrypting IP in some cases will also reduce risk of loss. The Egress survey data shows that only 21 percent of companies require encryption when sharing sensitive data externally, and only 36 percent require it internally.
8. Take a big picture view
If someone is scanning the internal network and your intrusion detection system goes off, somebody from IT typically calls the employee who’s doing the scanning and tells him to stop. The employee offers a plausible explanation, and that’s the end of it. Later, the night watchman sees an employee carrying out protected documents, and his explanation is “Oops…I didn’t realize that got into my briefcase.” Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps among information security and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The legal department has to play a role in IP protection. So do human resources, IT, R&D, engineering, graphic design and so on.
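One way to close the gap described in step 8 is to pool incident records from every group and correlate them per person. The sketch below is an added example, not part of the original article or any ACSSINT product; the event format, source names, user names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, reporting group, person, detail).
# None of this is real data; field layout and names are assumptions.
EVENTS = [
    ("2024-03-04T10:12", "ids", "jdoe", "internal network scan"),
    ("2024-03-11T19:40", "physical_security", "jdoe", "protected documents in briefcase"),
    ("2024-03-15T09:05", "hr", "jdoe", "concern raised by colleague"),
    ("2024-03-06T14:30", "ids", "asmith", "internal network scan"),
    ("2024-03-07T08:00", "ids", "asmith", "internal network scan"),
    ("2024-01-02T11:00", "audit", "bchan", "unexplained report export"),
    ("2024-03-20T16:45", "physical_security", "bchan", "badge used after hours"),
]

def correlate(events, window_days=30, min_sources=2):
    """Return {person: [events]} for people reported by at least
    `min_sources` different groups within any `window_days` span."""
    by_person = defaultdict(list)
    for ts, source, person, detail in events:
        by_person[person].append((datetime.fromisoformat(ts), source, detail))

    window = timedelta(days=window_days)
    flagged = {}
    for person, items in by_person.items():
        items.sort()  # chronological order
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            sources = {src for _, src, _ in in_window}
            # Repeated alerts from one group do not count as corroboration.
            if len(sources) >= min_sources:
                if len(in_window) > len(flagged.get(person, [])):
                    flagged[person] = in_window  # keep the largest window
    return flagged

if __name__ == "__main__":
    for person, items in correlate(EVENTS).items():
        print(person, "reported by", sorted({s for _, s, _ in items}))
        for ts, src, detail in items:
            print("   ", ts.date(), src, detail)
```

Each event on its own has a plausible explanation; the signal is the same person appearing in several independent sources within a short period, which is why the function counts distinct reporting groups rather than raw alerts.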