In Who will figure out how to provide food and clean water for a world population that soon will reach seven billion people? Who will develop drugs to treat devastating diseases? Who will market the next generation of energy-saving solutions? And who will introduce the next big thing in information technology?
These questions spur governments, entrepreneurs, scientists and engineersall hoping to strike it big or advance the cause of humankind. But the creators of these solutions are not the only ones racing to answer these questions. Many more are lurking in the shadows to exploit the work of others.
The theft of intellectual property (IP) and trade secrets is big business, and the thieves range from corporate competitors to nation-states engaged in economic, industrial or technological espionage. Target No. 1 is the United States, which is responsible for nearly 40 per cent of the global R&D investment.
The first nation behind the illicit acquisition of the US IP and trade secrets is China. But China isnt the only one. More than a hundred nations are engaged in the illegal transfer of technology.
Protecting IP and trade secrets is not just in a companys self-interest. National security, critical infrastructure security, and commercial success require paying more attention to defending the developments that fuel the economy and provide jobs. Here are some measures that can help protect intellectual property and trade secrets from unauthorised access and illegal acquisition:
Accept the fact that the threat is real: Many companies ignore the threatbecause they think they are too small to be on anybodys radar screen. Thats not true. The internet is a great democratiser of market presence and competition. No company is immune; no secret is safe.
Identify valuable secrets: A common definition, derived in part from the Uniform Trade Secrets Act, is that secrets include all forms and types of financial, business, scientific, technical, economic or engineering information that the owner has taken reasonable measures to protect and which have an independent economic value. This information may be tangible or intangible, and it may be stored, compiled or memorialised physically, electronically, graphically, photographically or in writing.
Consider personal information: If the company is required to protect personal information, use those requirements as a minimum threshold of defence. Leverage the security already being deployed.
Limit access: Not everyone needs access to IP, yet many companies place few restrictions and barriers to access, even though it should be on a need-to-know basis.
Social media: Many secrets are compromised through social media use when employees blog about their work. Engineers, researchers, technologists and others seeking peer review are inclined to post information for review. Unfortunately, such sharing reduces the level of control that companies can exert over protected information.
Use encryption: When transmitting secrets, use encrypted email, encrypt documents and dont share passwords. Create strong password policies and enforce them.
Conduct background investigations: Know who is being hired. No one wants to inadvertently hire a spy who is intent on stealing secrets, but it does happen.
Conduct background reinvestigations: Circumstances change, financial conditions change and so does the motivation to steal secrets. Companies often conduct inadequate, one-time background investigations.
Create awareness: This may be the best example of security value. Explain to employees and third-party vendors that information must be protected. Set the tone from the top, starting with the CEO and the board. Approximately half of internal breaches result from administrative error and the mishandling of information.
Place a value on secrets: Place a realistic value on the information, and hire a third-party firm to help estimate that value. Calculate the short and long-term value, based on investment level and revenue-stream projections, as well as on the importance of that information to the companys market and competitive positionsand the ability to continue in business if the information were stolen.
Third-party vendor risk: Ensure that vendors are managed effectively through risk-reinforced service-level agreements. Hold vendors accountable for managing security, privacy, threat and risk analysis, and compliance. Articulate enforcement requirements, insist on internal audit access and examine foreign corrupt-practices management processes.
Measure success: Measure the organisational success by monitoring and auditing tools, policies and procedures, employees and third-party vendors to ensure compliance.
While protecting critical information can be challenging, it is essential in an increasingly hostile world. Our economic, national and homeland security depend on it. Protecting intellectual property and trade secrets may make the difference between business success and failure.
MacDonnell Ulsch is CEO of ZeroPoint Risk Research and the author of THREAT! Managing Risk in a Hostile World. Michael J Sullivan, Esq, is a partner in the Ashcroft Sullivan LLC law firm and serves as an executive research fellow at ZeroPoint.
Add new comment