Intellectual Property Protection
The InfoSec Consulting Series #27
By Jay Pope
An organisation’s IP is one of its most important assets. Yet, not all companies value it as much as they should. It could be secrets of the trade, patents or something as intangible as employee know-how. It can very easily represent a value that may be higher than equipment and property. Sadly, there are people out there who will try to get this information and use it to their advantage. Anything from the actions of “competitive intelligence” researchers to actual spies could be trying to steal IP from your organisation at any time. As a result, Intellectual Property protection is now a crucial aspect of your organisation’s cyber security.
The Definition Of Intellectual Property
Initially, it can be hard to understand what IP is. The World Intellectual Property Organisation (WIPO) has defined it as: “creations of the mind — inventions, literary and artistic works, symbols, names, images and designs used in commerce”. It is possible to be prosecuted for theft for taking one of the following categories of IP:
- Patents. Patents can last for 20 years and are a way of stopping competitors from manufacturing your designs and ideas. If you hold a patent for a product, others cannot manufacture it without a licence;
- Trademarks. These could be a name, a symbol, a phrase or even a sound that is used in association with your services or your products. Trademarks can be registered and, with constant renewal, the registration can last indefinitely;
- Copyright. This is the legal protection for written or artistic property such as works of authorship, music or film. Copyright lasts for 50 years after the author has died;
- Trade secrets. These are a little harder to define. Typical examples are formulae, devices, patterns or data that confer a competitive advantage. IP can also be an idea.
Intellectual Property Protection
Once your valuable intellectual property has been stolen, it is very hard to rectify the situation. It’s difficult enough to catch the perpetrator and impossible to make the information secret again once it is out there. It is always preferable to prevent it from being released in the first place.
Start by establishing what IP you need to protect. This can only be achieved if the heads of all departments work together. Everyone from human resources to research & development has a role to play. Good communication is vital. A Business Impact Analysis (BIA) is useful at this stage, because it can also drive the development of your Information Classification policy, your risk management strategy, and your organisational risk appetite statements. Which information is most vital? Which would cost you the most if it was lost? What would be the impacts? Then analyse which IP is most at risk from theft. This will give you a good idea as to where to focus efforts.
Labelling valuable IP is very useful. Something as simple as a message on a log-in screen can make it clear to everyone that they are dealing with commercially sensitive information and that they need to take care. Then establish where the IP is stored. It is not just a case of securing your servers. Think about devices such as printers and scanners, because devices that input and output data also store some part of it and are potential targets. They are often networked and may be connected to remote management systems. If you purge the documents regularly, you will remove this point of access.
Most organisations need some form of file-sharing capability or cloud storage and this presents another opportunity for thieves. Restrict such activity to authorised cloud services and company-sanctioned services that have been correctly secured and configured.
Don’t overlook the threat introduced by employees’ personal mobile devices. For example, if a crucial document is emailed to a home laptop, this presents a potential weak point. This is best overcome by ongoing staff training and education.
A final problematic area is third-party systems. It is often necessary to share IP with business partners or with your suppliers. Protection in this area is afforded by clear contracts that stipulate how third parties must secure your IP.
More Steps That You Can Take For Intellectual Property Protection
It is important to put both physical and digital protection in place. Cyber-safety is crucial but so is physical safety. It could be something as basic as a lock on the door where physical IP is stored. But remember that you must keep track of who has the keys. The same goes for the cyber threat presented by inadequate passwords on documents and databases.
Employee education is vital and must be tailored to the information to which employees are permitted access. The more specific the training, the more attention employees pay to it because they can see the relevance to their everyday work. So, employees engaged in research & development need to be aware of which IP is held in that department and what they must do to protect it. We routinely find that the weakest link in a cybersecurity chain is the human factor. Information Security Management Systems that focus only on network controls and forget employees are likely to fail.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.