Who will figure out how to provide food and clean water fora world population that soon will reach 7 billion people? Who will developdrugs to treat devastating diseases? Who will market the next generation ofenergy-saving solutions? And who will introduce the next big thing ininformation technology?
These questions spur on governments, entrepreneurs,scientists and engineers?all hoping to strike it big or advance the cause ofhumankind. But the creators of these solutions are not the only ones racing toanswer these questions. Many more are lurking in the shadows to exploit thework of others.
The theft of intellectual property (IP) and trade secrets isbig business, and the thieves range from corporate competitors to nation-statesengaged in economic, industrial or technological espionage. Target No. 1? TheUnited States, which is responsible for nearly 40 percent of the global R&Dinvestment. The No. 1 nation behind the illicit acquisition of U.S. IP andtrade secrets? China. But China isn?t the only one. More than a hundred nationsare engaged in the illegal transfer of technology.
Protecting IP and trade secrets is not just in a company?sself-interest. National security, critical infrastructure security, andcommercial success require paying more attention to defending the developmentsthat fuel the economy and provide jobs.
Here are some measures that can help protect intellectualproperty and trade secrets from unauthorized access and illegal acquisition:
? Accept the fact that the threat is real. Many companiesignore the threat?some because they think they?re too small to be on anybody?sradar screen. That?s not true. The Internet is the great democratizer of marketpresence and competition. No company is immune; no secret is safe.
? Identify valuable secrets. A common definition, derived inpart from the Uniform Trade Secrets Act, is that secrets include all forms andtypes of financial, business, scientific, technical, economic or engineeringinformation that the owner has taken reasonable measures to protect and whichhave an independent economic value. This information may be tangible orintangible, and it may be stored, compiled or memorialized physically,electronically, graphically, photographically or in writing.
? Consider personal information. If the company is requiredto protect personal information, use those requirements as a minimum thresholdof defense. Leverage the security already being deployed.
? Limit access. Not everyone needs access to IP, yet manycompanies place few restrictions and barriers to access, even though it shouldbe on a need-to-know basis.
? Social media. Many secrets are compromised through socialmedia use when employees blog about their work. Engineers, researchers,technologists and others seeking peer review are inclined to post informationfor review. Unfortunately, such sharing reduces the level of control thatcompanies can exert over protected information.
? Use encryption. When transmitting secrets, use encryptedemail, encrypt documents and don?t share passwords. Create strong passwordpolicies and enforce them.
? Conduct background investigations. Know who is beinghired. No one wants to inadvertently hire a spy who?s intent on stealingsecrets, but it does happen.
? Conduct background reinvestigations. Circumstances change,financial conditions change and so does the motivation to steal secrets.Companies often conduct inadequate, one-time background investigations.
? Create awareness. This may be the best example of securityvalue. Explain to employees and third-party vendors that information must beprotected. Set the tone from the top, starting with the CEO and the board.Approximately half of internal breaches result from administrative error andthe mishandling of information.
? Place a value on secrets. Place a realistic value on theinformation, and hire a third-party firm to help estimate that value. Calculatethe short- and long-term value, based on investment level and revenue-streamprojections, as well as on the importance of that information to the company?smarket and competitive positions?and the ability to continue in business if theinformation were stolen.
? Third-party vendor risk. Ensure that vendors are managedeffectively through risk-reinforced service-level agreements. Hold vendorsaccountable for managing security, privacy, threat and risk analysis, andcompliance. Articulate enforcement requirements, insist on internal audit accessand examine foreign corrupt-practices management processes.
? Measure success. Measure organizational success bymonitoring and auditing tools, policies and procedures, employees andthird-party vendors to ensure compliance.
While protecting critical information can be challenging, itis essential in an increasingly hostile world. Our economic, national andhomeland security depend on it. Protecting intellectual property and tradesecrets may make the difference between business success and failure.
MacDonnell Ulsch is CEO of ZeroPoint Risk Research and theauthor of THREAT! Managing Risk in a Hostile World. Michael J. Sullivan, Esq.,is a partner in the Ashcroft Sullivan LLC law firm and serves as an executiveresearch fellow at ZeroPoint.
