In a landmark case last week, the U.S. Justice Department charged five Chinese officials with hacking into the networks of the U.S. Steel Corporation and Westinghouse Electric. Unfortunately, the theft of corporate secrets, which one report circulated last year estimated has hit more than 3,000 American companies, is nothing new. Intellectual property (IP), which contains proprietary information such as treasured trade secrets, research, or publications that are pending copyright, is one of the most prominent targets of hacker attacks, and yet it’s one of the most weakly guarded.
The many frameworks, standards, and methodologies out there that emphasize data security and privacy do not outline how to protect and govern your IP data in plain, straightforward terms. So, how protected are you? When I asked prominent IP attorney Brent Britton, of the law firm Gray Robinson, he said, “What is dangerous is that there is no governance around intellectual property, beyond the patent process.” As you may well know, the U.S. patent process is older than the Constitution and has changed very little in the past 300 years. It’s nowhere near equipped to safeguard you against today’s risk realities around IP data:
Risk Reality #1: Information is everywhere.
Solution: Know where your IP data is and what controls are in place.
Do you know what data you make available to employees across your environment? If you aren’t sure where IP data is stored, what controls are in place to safeguard it, or who has access to the data, it’s time to inventory this information and better understand how vulnerable or how protected you are. If a process collects the IP data from a third party, you should know exactly which vendor sends the data, for what purpose, and which transmission medium and controls are used to transport it.
If you are unsure where to start, consider executing a data privacy risk assessment to understand the IP data flows, supported processes, and associated controls in place.
Risk Reality #2: Four-wall security is not enough.
Solution: Secure your IP documents both physically and logically.
Why expose your company’s “bread and butter” on open-access file shares so anyone can get their hands on it? IP data should be kept under lock and key, with access on a need-to-know basis only. Review access control lists on a periodic basis and remove those who no longer need access to the data.
To protect hard copies, consider implementing and enforcing a clean desk policy to ensure valued data is tucked away.
You should also segment the IP data store separately in a secure network. If your main network is hacked, a segmented network can help you to minimize the risk of a breach.
Risk Reality #3: Beware of the silent assassin.
Solution: Implement an effective logging and monitoring capability.
When people do bad things and never get caught, no penalty or preventive measures are ever carried out. If you want to catch people in the act and avoid further damage, you should review system or device logs on a regular basis and look for anomalous activity to identify malicious users. Industry best practices and standards such as PCI DSS or SANS Critical Security Controls require a robust logging and monitoring capability to ensure continuous audit and timely detection or correction of security events. Security Information and Event Management (SIEM) tools such as Splunk, ArcSight, or Tripwire can provide real-time monitoring, correlation, and reporting of events and incidents that occur across the enterprise.
Additionally, establish a logging, monitoring, and reporting process and integrate it into the organization’s overall incident response process to ensure an expeditious response to threats and incidents. Clearly defined roles and responsibilities (including third-party vendors), escalation paths and workflows, response actions, and thresholds are critical to swift action.
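As an added illustration (not part of the original article), the Python below shows the kind of regular log review described under Risk Reality #3, checked against the need-to-know access list from Risk Reality #2. The log format, user names, paths, business hours, and daily threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: access-audit lines for a hypothetical IP file share.
SAMPLE_LOG = """\
2014-05-26T09:12:44 asmith READ /ip-store/patents/draft-17.docx
2014-05-26T11:47:02 bwong READ /ip-store/research/alloy-tests.xlsx
2014-05-27T02:14:07 asmith READ /ip-store/research/alloy-tests.xlsx
2014-05-27T14:20:00 contractor7 READ /ip-store/patents/draft-17.docx
2014-05-28T10:00:01 bwong READ /ip-store/research/r1.xlsx
2014-05-28T10:00:09 bwong READ /ip-store/research/r2.xlsx
2014-05-28T10:00:15 bwong READ /ip-store/research/r3.xlsx
2014-05-28T10:00:22 bwong READ /ip-store/research/r4.xlsx
"""

NEED_TO_KNOW = {"asmith", "bwong"}   # assumed approved access list
BUSINESS_HOURS = range(7, 19)        # assumed 07:00-18:59 local time
DAILY_ACCESS_LIMIT = 3               # assumed per-user daily baseline

def parse(line):
    """Split one audit line; raises ValueError if it is malformed."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path

def review(log_text):
    """Return (rule, user, detail) findings for an analyst to triage."""
    findings, per_day = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, user, _action, path = parse(line)
        except ValueError:
            # Never silently drop lines: gaps in the log hide activity.
            findings.append(("unparseable", "?", line))
            continue
        if user not in NEED_TO_KNOW:
            findings.append(("not-on-access-list", user, path))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours", user, path))
        per_day[(user, ts.date())] += 1
        # Flag once, at the first access that exceeds the baseline.
        if per_day[(user, ts.date())] == DAILY_ACCESS_LIMIT + 1:
            findings.append(("volume-spike", user, str(ts.date())))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Each finding is a lead for the incident response process, not a verdict: an off-hours read may be legitimate, which is why the escalation thresholds need to be defined in advance.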
While many companies want to instill a spirit of collaboration and openness across the enterprise, the reality is that this also introduces threats to your IP data. The loss of this data can be catastrophic, with consequences ranging from regulatory fines to patent-related lawsuits. Governance around IP is slim and ambiguously inferred in security frameworks and standards, but taking the practical approach outlined above can help you to secure your IP data.