Intellectual property (IP) is the lifeblood of every organization. It didn’t used to be. As a result, now more than ever, it’s a target, placed squarely in the cross-hairs by various forms of cyber attack. Witness the long list of hacks on Hollywood and the entertainment industry’s IP including “Pirates of the Caribbean” and more recently HBO’s “Game of Thrones.”
Your company’s IP, whether that’s patents, trade secrets or just employee know-how, may be more valuable than its physical assets. Security pros must understand the dark forces that are trying to get this information from your company and piece it together in a useful way. Some of these forces come in the guise of “competitive intelligence” researchers who, in theory, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who’ll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO’s chair.
IP protection is a complex duty with aspects that fall under the purview of legal, IT, human resources and other departments. Ultimately a chief security officer (CSO) or risk committee often serves to unify intellectual property protection efforts. With protection from cyber attack now critical, the chief information security officer (CISO) now plays a major role.
What is intellectual property?
IP can be anything from a particular manufacturing process to plans for a product launch, a trade secret like a chemical formula, or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The World Intellectual Property Organization’s (WIPO’s) formal definition of IP is creations of the mind—inventions, literary and artistic works, symbols, names, images and designs used in commerce.
IP is divided into two categories: Industrial property includes but is not limited to patents for inventions, trademarks, industrial designs and geographical indications. Copyright covers literary works like novels, poems and plays, films, music and artistic works, for example drawings, paintings, photographs, sculptures, web site pages and architectural design. Rights related to copyright include those of performing artists in their performances, producers of phonograms in their recordings, and broadcasters in their radio and television programs.
For many companies, such as those in the pharmaceutical business, IP is much more valuable than any physical asset. IP theft costs U.S. companies as much as $600 billion a year according to the Theft of Intellectual Property Commission.
What are the 4 types of intellectual property?
The four legally defined categories of intellectual property for which theft can be prosecuted are:
Patents grant the legal right to exclude anyone else from manufacturing or marketing your unique tangible things. They can also be registered in foreign countries to help keep international competitors from finding out what your company is doing. Once you hold a patent, others can apply to license your product. Patents can last for 20 years.
Trademarks are names, phrases, sounds or symbols used in association with services or products. A trademark often connects a brand with a level of quality on which companies build a reputation. Trademark protection lasts for 10 years after registration and can be renewed in perpetuity.
Copyright protects written or artistic expressions fixed in a tangible medium — novels, poems, songs or movies. A copyright protects the expression of an idea, but not the idea itself. The owner of a copyrighted work has the right to reproduce it, to make derivative works from it (such as a movie based on a book), or to sell, perform or display the work to the public. You don’t need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.
Trade secrets can be a formula, pattern, device or compilation of data that grants the user an advantage over competitors is a trade secret. They are covered by state, rather than federal, law. To protect the secret, a business must prove that it adds value to the company — that it is, in fact, a secret — and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives.
IP can can simply be an idea as well. If the head of your R&D department has a eureka moment during his morning shower and then applies his new idea at work, that’s intellectual property too.
IP theft examples
If your IP is stolen by ne’er-do-wells, catching them is hard, prosecuting them is harder, and getting the stolen information back — putting the proverbial cat back in its bag — is usually impossible. In this area, a little paranoia is quite helpful, because people really are out to get you. That’s why it’s important for the CSO, CISO, and chief risk officer (CRO) to be involved in protecting IP.
CSO contributor Christopher Burgess offers these real-life examples:
In February, 2018, Apple discovered that iOS source code had been posted to GitHub. The code in question would allow potential attackers to “manipulate the iOS to make iPhone jailbreaks easier and potentially discover vulnerabilities more easily. An Apple intern was found to be responsible for the leak, having shared the code with “five friends who were active in iPhone jailbreak groups.”
In October, 2017, an Apple engineer was fired for a video posted by his daughter of the then prototype iPhone X. “The engineer’s daughter posted a video of her experience accompanying dad to the office, and it included the embargoed phone,” Burgess writes.
In May 2017, Xu Jiaqiang, a Chinese national, pleaded guilty to stealing source code from IBM, where he had worked from 2010-2014. “In late-2015, Xu had a face-to-face meeting with undercover law enforcement officers. At the meeting, Xu noted the code was his former employer’ s(IBM) code. Xu also confirmed to his interlocutors how he had purloined the code prior to his May 2014 employment separation and had made modification so as to obscure the point of origin, IBM.”
In February, 2019, Xiaorong You was “indicted for her actions involved in the theft of trade secrets…. She is accused of trade secret theft and economic espionage after allegedly stealing bisphenol-A-free (BPA-free) technologies owned by several companies, including her former employers Coca-Cola and Eastman Chemical Company. The value placed on the development of the stolen technologies is $119.6 million.”
More IP theft headlines:
- Ex-Google engineer charged with theft of AI tech for Chinese firms
- China’s cyber espionage focus: intellectual property theft
- Motorola case shows importance of detecting insider IP theft quickly
- China theft of US agriculture sector trade secrets prompts government guidance
- How to protect algorithms as intellectual property
How to protect intellectual property: 10 steps to follow
The steps below are the minimum you should to top keep your IP safe.
1. Know what intellectual property you’ve got
If all employees understand what needs to be protected, they can better understand how to protect it, and from whom to protect it. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. Meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
2. Know where your intellectual property is
If you focus your efforts on your core IT systems to secure IP, you will overlook other areas where it might be stored or processed. These include:
- Printers, copiers, scanners and fax machines: Your input/output devices all store the documents they process, and they are typically networked and connected to remote management systems. Proper policies and procedures need to be in place to purge these documents and protect against unauthorized access.
- Cloud applications and file-sharing services: These might be company-managed or shadow IT. You need to know what your employees are using so you can restrict unauthorized cloud services and ensure that company-sanctioned services are properly configured and secured.
- Employees’ personal devices: An employee might email a document home, typically for benign reasons. Educate your employees on the proper handling of IP and have monitoring systems in place to track where your IP is being sent.
- Third-party systems: IP is often shared with business partners, suppliers, or customers. Make sure your contracts with those parties define how those third parties must secure your IP and have controls in place to ensure those terms are followed.
3. Prioritize your intellectual property
CSOs who have been protecting IP for years recommend doing a risk and cost-benefit analysis. Make a map of your company’s assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
4. Label valuable intellectual property
If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren’t authorized to take, your argument won’t stand up if you can’t demonstrate that you made it clear that the information was protected.
5. Secure your intellectual property both physically and digitally
Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it’s the server farm or the musty paper archive room. Keep track of who has the keys. Use passwords and limit employee access to important databases.
6. Educate employees about intellectual property
Awareness training can be effective for plugging and preventing IP leaks, but only if it’s targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they’re very attentive. As is often the case, humans are often the weakest link in the defensive chain. That’s why an IP protection effort that counts on firewalls and copyrights, but doesn’t also focus on employee awareness and training, is doomed to fail.
In most cases, IP leaves an organization by accident or through negligence. Make sure your employees are aware of how they might unintentially expose IP. According to a February 2019 study by Egress Software Technologies, the most common technologies through which sensitive data like IP are accidentally breached are:
- External email like a Gmail or Yahoo account (51 percent)
- Corporate email (46 percent)
- File sharing via FTP (40 percent)
- Collaboration tools like Slack or Dropbox (38 percent)
- SMS or instant messaging apps like Whatsapp (35 percent)
With email, IP might be sent to the wrong person because:
- The sender used a wrong address–for example, Outlook auto-inserted an email address for someone other than the intended recipient
- The recipient forwarded the email
- An attachment contained hidden content, such as in an Excel tab
- Data was forwarded to a personal email account
7. Know your tools to protect intellectual property
A growing variety of software tools are available for tracking documents and other IP stores. Data loss prevention (DLP) tools are now a core component of many security suites. They not only locate sensitive documents, but also keep track of how they are being used and by whom.
Encrypting IP in some cases will also reduce risk of loss. The Egress survey data shows that only 21 percent of companies require encryption when sharing sensitive data externally, and only 36 percent require it internally.
8. Take a big picture view
If someone is scanning the internal network and your intrusion detection system goes off, somebody from IT typically calls the employee who’s doing the scanning and tells him to stop. The employee offers a plausible explanation, and that’s the end of it. Later, the night watchman sees an employee carrying out protected documents, and his explanation is “Oops…I didn’t realize that got into my briefcase.” Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps among infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The legal department has to play a role in IP protection. So does human resources, IT, R&D, engineering, graphic design and so on.
9. Apply a counter-intelligence mindset
If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists’ publications, or other ideas that may prove worthwhile for your particular business.
10. Think globally
Over the years, France, China, Latin America and the former Soviet Union states have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. Many other countries are worse. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International. In 2020, the Corruption Perceptions Index ranked the following 5 countries as being “perceived as most corrupt”: South Sudan, Somalia, Syria, Yemen, and Venezuela.
How IP spies and thieves work
Leonard Fuld, a competitive intelligence expert, says more damage is done by a company’s lax security than by thieves. All of the data that thieves can gather from the examples below tells a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility or refocus their research in a profitable direction:
- Salespeople showing off upcoming products at trade shows
- Technical organizations describing their R&D facilities in job listings
- Suppliers bragging about sales on their websites
- Publicity departments issuing press releases about new patent filings
- Companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record
- Employees posting comments on Internet bulletin boards
John Nolan, founder of the Phoenix Consulting Group, has some amazing stories of what people will tell him over the phone. People like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That’s because the more Nolan knows about the person who answers the phone, the better he can work that person for information. “I identify myself and say, ‘I’m working on a project, and I’m told you’re the smartest person when it comes to yellow marker pens. Is this a good time to talk?’” says Nolan, describing his methods.
“Fifty out of 100 people are willing to talk to us with just that kind of information.” The other 50? They ask what Phoenix Consulting Group is. Nolan replies (and this is true) that Phoenix is a research company working on a project for a client he can’t name because of a confidentiality agreement. Fifteen people will then usually hang up, but the other 35 start talking. Not a bad hit rate.
Nolan starts taking notes that will eventually make their way into two files. The first file is information for his client, and the second is a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details such as their hobbies or where they went to graduate school. Often business intelligence gatherers use well-practiced tactics for eliciting information without asking for it directly, or by implying that they are someone they aren’t.
This tactic is known as “social engineering.” Such scams might also include pretexting calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member’s secretary who needs an address list to mail Christmas cards. Most of those calls are not illegal. Lawyers say that while it is against the law to pretend to be someone else, it’s not illegal to be dishonest.
Any public place where employees go, snoops can also go: airports, coffee shops, restaurants and bars near company offices and factories, and, of course, trade shows. An operative working for the competition might corner one of your researchers after a presentation, or pose as a potential customer to try to get a demo of a new product or learn about pricing from your sales team. That operative might simply take off his name badge before approaching your booth at a trade show. Employees must know not to talk about sensitive business in public places, and how to work with the marketing department to make sure the risks of revealing inside information at a trade show don’t outweigh the benefits of drumming up business.
Job interviews are another possible leak. Daring competitors may risk sending one of their own employees to a job interview, or they could hire a competitive intelligence firm to do so. Conversely, a competitor might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.
In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and non-disclosure agreements may protect your company further. What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture—and how a simple company phone list becomes a weapon in the hands of snoops like John Nolan.
Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company.
None of that constituted a trade secret or even, necessarily, strategic information, but Nolan saw a picture forming. “What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable,” Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan’s firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition’s plans.
Editor’s note: This article has been updated to more accurately reflect recent trends and examples.
Data and Information Security, DLP Software, Intellectual Property, Security