The True Cost of Intellectual Property

Intellectual Property (IP) is the stuff that drives our business and keeps us ahead of the competition. It is also highly sensitive data that is often described as our ‘secret sauce’. But those company secrets are valuable. Corporate espionage and theft of trade secrets are said to cost the U.S. up to $600 billion a year, according to a report by the IP Commission.^[1]

Intellectual property, like other sensitive or personal data, is at risk from cyber-attacks. Those attacks may be malicious, or they may be accidental. The end result is not only leaked company confidential information but potentially the loss of core business activity.

Protecting IP is a multi-stage process, made up of part legal, part human awareness of IP, and part technological. IP protection requires an understanding of legal frameworks such as copyright and even employee contracts.  It also needs to have technological measures put into place to prevent Intellectual Property from being exposed. The whole is dependent on understanding IP form a human perspective too – what it is and how it is accessed and used. In a world where the digitization of business is steaming ahead, IP protection, including the technology used to secure it, should be viewed as multi-layered.

In this short paper, we will look at all of the above aspects of protecting your company secret sauce with some tips on what technologies fit this multi-layered approach to securing IP.

What is Intellectual Property?

Before beginning our journey into IP protection, we need to understand what it is we are protecting? Intellectual Property takes many forms. It can be documented blueprints, contracts, IP monetization strategies, software code, and so on.

For the purposes of legal reflection and action, there are typically said to be four main types of IP:

• Trade Secrets and design – this includes source code, design documents, formulas, etc.
• Trademarks – typically, brand marks and ideas around branding
• Copyright – books, white papers, other copyrighted works (this can also overlap with software code)
• Patents – patent documents used to protect inventions

In the U.S., the Department for Homeland Security has formed the National Intellectual Property Rights Coordination Center (IPR Center). The IPR Center works with the FBI and partners across industry, to attempt to educate businesses about the risks to IP and how best to protect company sensitive data.^[2]

Who Wants to Steal IP and How is it At Risk?

Intellectual Property is not only valuable to the company that owns it; it is a valuable commodity to competitors and those who may wish to harm an organization. There have been many examples in recent years of IP theft. Many were accidental and some were malicious. Here is a sample of some of the most prominent types of IP theft and exposure.

Types of Intellectual Property Theft

Industrial Espionage

In a CNBC poll on IP theft, 1 in 5 U.S. companies believed that their trade assets had been stolen by China.^[3]

The theft of trade secrets is nothing new. But the digitization of company assets has made the protection of company secrets more complicated. A case that shows the nature of industrial espionage is that of two U.S. tech companies, Avago and Skyworks.^[4] Two employees of the two companies, worked in collusion to exfiltrate data from their employers to allow them to form their own tech company. Trade secrets, including product designs, were stolen by the pair, simply by attaching IP documents to emails sent between the pair.

Accidental leaks

Accidental leaks of Intellectual Property can be as damaging as malicious theft. There are myriad of ways that accidents involving data happen. Sometimes it can even be just a snippet of information, but it will be enough to have a major impact on your company. One area where accidental trade secret disclosure can easily happen is in the case of software developers. The development community often use online forums, such as Stack Overflow^[5], to discuss programming problems and help each other out. If you search for “code sample” or “code example” in the forum you will come across many samples of code that developers have created for their employers. Some posts may contain proprietary information. The developers are not malicious, this is just how the community operates. This type of inadvertent human-factor in IP exposure can be as much a problem as malicious intent.

Data Breaches and Cybercrime

The number of data breaches continues to increase year-on-year. In the first half of 2019, 4.1 billion data records were exposed.[6] Many of these breaches expose personal data. However, some exposure company trade secrets and proprietary company information. For example, vulnerable companies are often discussed on darknet forums, hackers looking for intelligence to help them breach the company’s defenses. DarkOwl,^[7] who research the darknet and its uses, has found Nation State actors using it to find out intelligence on companies, to exploit development and to carry out industrial espionage. But company account login credentials and intelligence on company executives are also available on the darknet to all cybercriminals who look for it. This can be used to cause further data breaches and target specific company employees to obtain trade secrets.

The Legal Aspects of IP Protection

Legal frameworks help to set in place a culture of security and can be used to enforce certain types of IP protection. These legal frameworks cover many aspects of IP ownership.

The most common types are:

Copyright

Copyright is normally used to protect the written word, but it can also be used to protect software source code. Copyright is used to appoint fundamental rights to the sale and distribution of the writings or software. Copyright is usually used in combination with and/or linked to other frameworks, including employment contracts. The USA has extensive copyright law to protect your company content.^[8]

Patent and trade secret legislation:

Patent law is used to protect trade secrets such as inventions and excludes others from using the patented process or design. Patent law varies across the world. In the USA, patent law is governed by the United States Patent and Trademark Office (the USPTO) under the Patent Act (35 U.S. Code).^[9]

Employment contracts:

Employment contracts are useful documents to manage ownership of IP. The contract you use depends on the relationship you have with your employee or contractor. Direct employment contracts are usually used with direct employees. Consultants and freelancers may require a Non-Disclosure Agreement (NDA) to protect sensitive information and IP.

Technology and IP Protection

Contracts and legal structures are an important part of protecting IP, but they rely upon being able to fight a court case. Cybercriminals don’t care about legal documents. This means that as well as the legal aspects of IP protection, you must also put measures in place to protect against inadvertent or malicious exposure of your company’s Intellectual Property.

Here are our top tips to help prevent the leak of your secret sauce:

Tip 1: Know your Intellectual Property

To be able to truly protect IP you need to know what it is. Visibility of IP and mapping your intellectual property to lifecycle movement and use of the data is vital in knowing what protection mechanisms need to be in place. Questions you need to ask include:

1. What is the lifecycle for the IP?
2. Who handles the IP during that lifecycle and at what point and to what extent?
3. Can the touchpoints for IP handling be minimized?
4. Can the users accessing the IP be minimized?
5. Do your cybersecurity policies cover the company’s most sensitive data thoroughly?
6. Can your IP protection policies extend to cover your wider vendor ecosystem?

Tip 2: Security Hygiene

Ongoing security maintenance measures should include:

• Regular updating and patching across the network and extended device environment.
• Robust and secure backup services (that are isolated to prevent ransomware infection)
• Disaster recovery measures in place.

Tip 3: Security Awareness Training

A study by Proofpoint found that human intervention was required in 99% of cyber-attacks.^[10]  By teaching people to spot the tell-tale signs of a cyberattack you can help to protect your intellectual property as well as other data. Security Awareness Training can help employees understand how cybercriminals operate. Used alongside techniques like simulated phishing and interactive videos, employees can be taught what to look for in a phishing email and to prevent clicking malicious links or opening malware infected attachments.

Security Awareness Training should be bolstered by using it alongside company policies on the protection of your trade secrets. Proprietary data such as source code, product designs, and even brand development, should be included in a culture of protection. All staff, including the R&D team, need to understand that a simple slip of information on a forum could end up with your competitive edge slipping.

Tip 4: Layered defense

Digitization of business has led to a more connected but logistically disparate workplace. This usually means the use of cloud infrastructure and cloud-based apps. This infrastructure often incorporates mobile devices and allows for remote working. This all leads to a highly complex setup to protect. Using a layered defense strategy covers all of the expanded layers of the company and should include:

• Endpoint Detection and Response (EDR) – used to spot a threat on a desktop or laptop and isolate that threat before it infects a network.
• The application of the principles of ‘least privilege’ – that is, only allowing access to sensitive resources, like trade secrets, on a ‘need to know’ basis. Make sure that access controls are robust. For example, the use of second-factor login credentials and even risk-based controls. The latter applies tighter access restrictions when certain rules kick-in, e.g. if the user is outside of the company IP address, they cannot access the resource.
• Spam controls to help prevent phishing – phishing can result in lost access credentials, which, in turn, can be used to access company sensitive data.
• Data loss prevention (DLP) – to spot signs of unusual behavior, such as the movement of sensitive documents outside of the company boundaries.
• Web application protection – e.g. Web Application Firewall (WAF) to protect cloud-based apps.
• Disaster recovery strategy and tools – if the worst does happen, how can you contain an incident and help prevent further leaks of Intellectual Property.

Conclusion

An organization has to do a lot of work to build and maintain a competitive edge. The Intellectual Property that goes into building unique selling points and best-of-breed products and services strengthens a company, creates jobs, and bolsters the general economy. This secret sauce is based on hard work, expertise, and often years of research. IP theft prevention must be one of the business’s core strategies; the board and C-Level ensuring it is tabled as a key item for budget and delivery. But the protection of IP is not a one-stop-shop. IP protection is a mix of legal, social, and technological. Awareness of what IP is and how it works, within the context of a business, is as important as the technology structures used to protect it.

Bringing together all of these pieces is an important part of modern business IP management. Protecting IP is about protecting your company’s future.

^[1] IP Commission Report 2017: http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf

^[2] IPRCenter: https://www.iprcenter.gov/

^[3] CNBC: https://www.cnbc.com/2019/02/28/1-in-5-companies-say-china-stole-their-ip-within-the-last-year-cnbc.html

^[4] Securonix: https://www.securonix.com/a-case-of-corporate-espionage/

^[5] Stack Overflow: https://stackoverflow.com/

[6] Norton: https://us.norton.com/internetsecurity-emerging-threats-2019-data-breaches.html

^[7] DarkOwl blog: https://www.darkowl.com/blog

^[8] Copyright Law of the United States: https://www.copyright.gov/title17/

^[9] USPTO: https://www.uspto.gov/web/offices/pac/mpep/consolidated_laws.pdf

^[10] Proofpoint: https://www.proofpoint.com/uk/resources/threat-reports/human-factor