It would be hard to find a company today that has not wound its way through the digital transformation to some extent. And whether its final product is in the form of software coding or scientific formulas, the increasing digitization of sensitive information puts intellectual property at risk of theft.
As all aspects of life move tighter into the electronic embrace, the challenge for businesses and their intellectual property is keeping their reams of data secure as cyber-criminals search relentlessly for holes in companies’ digital defenses.
Industrial espionage is currently high on the agenda. In 2017, the US authorities launched an investigation into China’s intellectual property practices, characterized as a decades-long assault on the IP of American companies, in sectors ranging from military and defense equipment to video games and fashion design.
This was an important factor in the recent decision by President Donald Trump to impose increased tariffs on a range of Chinese imports. IP theft is reported to cost the US up to $600 billion a year, with China the country held most responsible. When trade secrets are stolen, companies that may have invested huge amounts in research and development are at risk of losing their competitive advantage.
Smaller companies with fewer resources available for protection can get hit harder, and tend to fall below the radar as the bigger cases make the headlines. Ashar Aziz, founder and former CEO of US cyber-security outfit FireEye, says small businesses with significant digital assets are those most commonly targeted by hackers, along with legal and professional services firms holding information from larger, better-protected companies, such as on contracts, litigation or mergers. US telecoms group Verizon says in a 2017 report on data breach investigations that 61% of victims were businesses with fewer than 1,000 employees.
Recent attacks on public-sector bodies, including a ransomware extortion attempt against the city of Atlanta in late March, and one on the UK’s National Health Service last year attributed to North Korea, demonstrate the vulnerability of organizations responsible both for vast amounts of data and the provision of essential publc services. David Jordan, chief information officer for Arlington County, Virginia, says: “A smart local government will have fire, police and cyber-security at the same level.”
Verizon’s report, which surveyed 65 organizations, noted some interesting intellectual property theft statistics: while 75% of breaches came from outside the companies in question, the remainder of intellectual property theft cases involved internal actors – implying that in some cases, insiders collaborated with external hackers.
However big or small a business, it must be prepared from the inside out. This requires preventive measures and ongoing actions across a range of areas.
A primary need is to empower a staffer for security, so appointing a chief security officer is a good place to start, regardless of organization size. He or she will rank high in the business hierarchy, overseeing all aspects of the company’s security, and will be responsible for designing a risk strategy that identifies the value of the various assets of the business and the cost if they were lost, helping decide where to allocate resources for protection.
Companies that lack the capability to assure security in-house should hire a team of information technology experts. Leading groups that offer security packages include IBM, HP, Verizon, Symantec and McAfee. While the idea of handing control to external parties might make managers nervous, hiring a security services firm makes sense for many businesses that cannot manage the function internally, freeing resources to concentrate on core business that may have nothing to do with IT.
The chief security officer and IT team will invest in security software, manage firewalls, encrypt devices, ensure passwords are changed regularly, and oversee links to secure data centers, whether these are in-house or outsourced. Key tasks include the use of web filtering to block access to certain sites, countering malware through the use of anti-virus software, and installing security-related updates from the providers of software used by the business, such as Adobe or Microsoft, as rapidly as possible.
Staff responsible for data security must also ensure an action plan is in place in case of a breach. The use of two-step authentication is helpful if credentials have been stolen or accessed. If there is any risk of being unable to protect vital assets, they are best kept off the company network.
Good leadership regarding human resources is important, including care over who is hired, supervising people within the business carefully and attentively and managing any departures effectively. The biggest risk is for the business’s intellectual property assets to be plundered or damaged by a disgruntled employee.
Verizon found that in 60% of breaches, insiders have extracted data with the aim of future monetization. But other cases may involve unsanctioned snooping (17%), taking data to a new employer or using it to start a rival company (15%) – the issue at the heart of the lawsuit over information brought to Uber by the former CEO of Waymo, Alphabet’s autonomous driving business.
Company IT teams can help prevent this by monitoring computer use and keeping an eye out for big transfers of data or the use of USB devices for downloads. An important element is controlling employee access to sensitive data, which should be restricted to staff that need it to do their jobs. One hacked computer should not offer intruders access to the whole system. Confidentiality clauses in contracts, or non-disclosure agreements with external parties, are also useful, if limited, tools.
A central strand of IT security strategy should be to educate and inform staff, making them the first line of defense rather than the weakest link. This includes ensuring all employees are kept current about the threats of industrial espionage, IP theft, piracy and counterfeiting – and providing specialist training for managers. The overwhelming majority of security breaches still arise from weak, easily-guessed or stolen passwords, and individuals still commonly falling for phishing e-mails. As for that last point, staff should always report any phishing attempts.
It might seem obvious, but just as one locks windows and doors when leaving home, business premises should be secure as not all data breaches occur online. In particular, access should be restricted for hubs of sensitive information, such as archive rooms or server centers.
Businesses need to know their markets and competition, and keep up-to-date with trends in cyber-crime – a function that could be outsourced. In creating the right culture, managers and specialists should talk to competitors and participate in industry bodies to stay abreast of current developments and threats, particularly regarding potential theft of their company’s intellectual property. They can also draw on government resources, including law enforcement and regulatory bodies, to help if and when breaches occur.
Sharing and exchange of information is often vital for a business to innovate and flourish, but it is also important to monitor competitors for evidence of proprietary ideas, discoveries and processes being used elsewhere. A little paranoia is useful, but it should not become obsessive – barring the door against IP theft should not close a company to new investment opportunities or clients.
A legal team can protect a company’s IP patents and ideally avoid the cost, time and trouble of court cases, for example by establishing the nature of intellectual property infringement and whether intellectual property can be protected as a trademark, copyright, patent or trade secret. Maintaining a comprehensive (virtual) paper trail, with as much in writing as possible relating to essential business ideas and identifying with whom they have been discussed, ensures the documentation will be in place should the lawyers need to be called in.