Protecting IP

By Jeff Vance

(Back to article)

An overseas partner pirates a software title and sells it in local stores. A sales manager leaves for a competitor and takes his Rolodex and his clients with him. A company violates another’s patent when creating a new Internet service, hoping the theft won’t be noticed and the patent won’t be enforced. A new employee has taken a job with your company for one reason and one reason only — to steal your trade secrets.
Theft Risks & Prevention Steps
Principal IP Theft Risks

  • Insiders, especially those leaving the organization
  • Outsourcing
  • Partners, customers, and third-party vendor relationships
  • Accidental disclosures, such as an organization accidentally posting sensitive data on an online forum
  • Hackers and organized crime
  • Competitors and corporate espionage

    Eight Steps to Prevent IP Theft

  • Create information hierarchies and restrict access to critical data
  • Deploy appropriate security technologies, such intrusion prevention and anti-phishing systems
  • Deploy information monitoring and content filtering technology
  • Log important systems like email and perform regular audits
  • Educate your employees. Address IP policies in the employee handbook and hold regular training sessions
  • Create and enforce policies, and make IP theft prevention part of your overall security efforts
  • Conduct background checks and screening, whether with potential new employees or vendor partners
  • Create comprehensive data backup plans. Those stealing data may erase or destroy it to cover their tracks. Data backup also provides audit trail

    FREE IT Management Newsletters

  • All of these are forms of intellectual property (IP) theft, which is becoming more and more common in the digital age. According to the U.S. Commerce Department, intellectual property theft costs U.S. business about $250 billion each year, while also slashing nearly 750,000 jobs from the U.S. economy.

    IBM states cyber-crime is now more expensive for U.S. businesses than physical crimes, while also noting that more than 70% of businesses believe insider attacks are more of a threat than those from traditional hackers.

    The most recent CSI/FBI study found 52% of survey respondents were impacted by security breaches from outside of the organization, while 68% of those reporting security incidents believed a significant portion of those breaches came from insiders.

    Faking an Entire Company

    NEC recently fell victim to one of the most ambitious IP theft schemes ever. In 2004, after fielding reports of counterfeit keyboards, blank DVDs, and blank CDs being sold in China, NEC sent investigators to trace the problem.

    Investigators found that pirates weren’t simply knocking off typical consumer products but trying to create an entire fake company. Their product lines were extensive and their products were judged to be of high quality.

    After raids on 18 factories and warehouses in China and Taiwan, authorities found a phony NEC brand pirating everything from MP3 players to home entertainment systems. The counterfeit products sold in Taiwan, China, Hong Kong, Southeast Asia, North Africa, the Middle East and Europe. Often retail stores stocked the counterfeit products alongside legitimate NEC goods.

    With such an extensive con, why not simply create a new company? Brand recognition. By slapping the NEC label on their products, the new company had instant name recognition and a multination marketing push they didn’t have to pay for.

    Typically, the scope of an IP theft incident is far less than that experience by NEC, but even a single incident can cause enormous damage. While the dollar amounts estimated by the likes of the U.S. Chamber of Commerce are shocking, many experts believe those numbers underestimate the full scope of IP theft.

    “Everyone knows the problem exists,” said Ed Gaudet, vice president of Product Management for Liquid Machines, a provider of enterprise rights management solutions. “However, not everyone reports it, and many don’t even know they’ve been the target of IP theft.”

    Robert Richardson, director of the Computer Security Institute, added, “It’s a very slippery thing to estimate. Unlike theft from a bank account, where things are measured in dollars, it’s hard to know what the actual cost is. There are so many intangibles that can make the loss greater than it first appears.”

    Protecting IP

    Whatever the exact dollar amounts, the experts agree the problem is huge and only promises to get worse. But the real question facing most organizations is not about the scope of the problem but how to prevent falling victim to IP theft.

    “Our advice is to act proactively, rather than reactively. You need to know what your employees are doing. Protect yourself through legal documents, training, technology and systems,” said Todd Stefan, executive vice president of Setec Investigations, a computer forensics service provider.

    Many companies believe the best way to do business is by having an “open company.” In certain fields, like high tech, employees are given a lot of autonomy. With openness, though, comes risk. “You don’t want to create a police-state mentality,” Stefan said, “but the more open your company is the more rigorously your recordkeeping needs to be. Create logs and do regular audits.”

    According to Robert Yonowitz, a partner in the law firm Fisher & Phillips, LLP, the first thing organizations should do is come up with a plan for managing critical data.

    “If your customer lists are readily available to anyone walking in the building, say sitting on receptionists’ desk, then the court won’t view that information as valued," Yonowitz said.

    Internally, the same holds true. “Don’t give every sales person access to the whole customer list. Only give them access only to their accounts.” Otherwise, a court may likely determine those customer leads are easy to get, easy to access, and not worth protecting.

    However, an equal problem is being over aggressive when classifying data as sensitive. According to Yonowitz, nearly as many organizations make the mistake of slapping a “confidential” stamp on everything from annual reports to press releases, often for legal reasons.

    In court, however, if a judge sees that a company recklessly classifies information, it will be harder for the aggrieved party to justify large damage claims and even prove damage has been done.

    “If trade secrets are critical, treat them as such,” Yonowitz said. For example, if your trade secrets are dubbed as confidential in the same way that a pre-release draft of a press release is, then you’ve undermined your case.

    After data protection, the most important thing organizations can do to protect their trade secrets is to get a handle on their employees, through training, through hiring, through access control to key data, through the signing of non-solicitation agreements, and through exit interviews that outline IP theft-related offenses.

    Too much emphasis is often placed on training employees once they step on site, when the most critical protection happens earlier. “One of the best ways to stop IP theft is to prevent people predisposed to it from having jobs,” Stefan said.

    Stefan suggested screening anyone who has access to critical data, be they employees, partners, or large customers. If they have a poor track record, your best defense is not doing business with them.

    Other suggestions include making IP theft part of your overall security strategy, creating and enforcing IP policies, being diligent when logging communications systems, and conducting regular audits.