Protect Intellectual Property and Trade SecretsBy MacDonnell Ulsch & Michael J. Sullivan | Posted 2012-03-05 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Locking down your IP helps your business, and even your country.
Who will figure out how to provide food and clean water for a world population that soon will reach 7 billion people? Who will develop drugs to treat devastating diseases? Who will market the next generation of energy-saving solutions? And who will introduce the next big thing in information technology?
These questions spur on governments, entrepreneurs, scientists and engineers—all hoping to strike it big or advance the cause of humankind. But the creators of these solutions are not the only ones racing to answer these questions. Many more are lurking in the shadows to exploit the work of others.
The theft of intellectual property (IP) and trade secrets is big business, and the thieves range from corporate competitors to nation-states engaged in economic, industrial or technological espionage. Target No. 1? The United States, which is responsible for nearly 40 percent of the global R&D investment. The No. 1 nation behind the illicit acquisition of U.S. IP and trade secrets? China. But China isn’t the only one. More than a hundred nations are engaged in the illegal transfer of technology.
Protecting IP and trade secrets is not just in a company’s self-interest. National security, critical infrastructure security, and commercial success require paying more attention to defending the developments that fuel the economy and provide jobs.
Here are some measures that can help protect intellectual property and trade secrets from unauthorized access and illegal acquisition:
• Accept the fact that the threat is real. Many companies ignore the threat—some because they think they’re too small to be on anybody’s radar screen. That’s not true. The Internet is the great democratizer of market presence and competition. No company is immune; no secret is safe.
• Identify valuable secrets. A common definition, derived in part from the Uniform Trade Secrets Act, is that secrets include all forms and types of financial, business, scientific, technical, economic or engineering information that the owner has taken reasonable measures to protect and which have an independent economic value. This information may be tangible or intangible, and it may be stored, compiled or memorialized physically, electronically, graphically, photographically or in writing.
• Consider personal information. If the company is required to protect personal information, use those requirements as a minimum threshold of defense. Leverage the security already being deployed.
• Limit access. Not everyone needs access to IP, yet many companies place few restrictions and barriers to access, even though it should be on a need-to-know basis.
• Social media. Many secrets are compromised through social media use when employees blog about their work. Engineers, researchers, technologists and others seeking peer review are inclined to post information for review. Unfortunately, such sharing reduces the level of control that companies can exert over protected information.
• Use encryption. When transmitting secrets, use encrypted email, encrypt documents and don’t share passwords. Create strong password policies and enforce them.
• Conduct background investigations. Know who is being hired. No one wants to inadvertently hire a spy who’s intent on stealing secrets, but it does happen.
• Conduct background reinvestigations. Circumstances change, financial conditions change and so does the motivation to steal secrets. Companies often conduct inadequate, one-time background investigations.
• Create awareness. This may be the best example of security value. Explain to employees and third-party vendors that information must be protected. Set the tone from the top, starting with the CEO and the board. Approximately half of internal breaches result from administrative error and the mishandling of information.
• Place a value on secrets. Place a realistic value on the information, and hire a third-party firm to help estimate that value. Calculate the short- and long-term value, based on investment level and revenue-stream projections, as well as on the importance of that information to the company’s market and competitive positions—and the ability to continue in business if the information were stolen.
• Third-party vendor risk. Ensure that vendors are managed effectively through risk-reinforced service-level agreements. Hold vendors accountable for managing security, privacy, threat and risk analysis, and compliance. Articulate enforcement requirements, insist on internal audit access and examine foreign corrupt-practices management processes.
• Measure success. Measure organizational success by monitoring and auditing tools, policies and procedures, employees and third-party vendors to ensure compliance.
While protecting critical information can be challenging, it is essential in an increasingly hostile world. Our economic, national and homeland security depend on it. Protecting intellectual property and trade secrets may make the difference between business success and failure.
MacDonnell Ulsch is CEO of ZeroPoint Risk Research and the author of THREAT! Managing Risk in a Hostile World. Michael J. Sullivan, Esq., is a partner in the Ashcroft Sullivan LLC law firm and serves as an executive research fellow at ZeroPoint.