Protecting intellectual property (IP) is high priority for security professionals, but IP can be a vague term. What exactly is included under the umbrella of IP? And what’s the best way to protect IP within an organization?
Intellectual property goes beyond pre-patent data; it’s an all-inclusive term that includes projects in every department, sales campaigns and earnings details. It truly is not just one thing – it’s almost anything that can give you a competitive advantage. Typically, IP data itself tends to be unstructured. It’s found in documents, drawings, spreadsheets, and emails, and is shared and moved around via personal clouds. Unstructured data is difficult to protect through traditional security products, which are primarily designed to protect structured data. It’s a huge problem to even find and specify the IP data to be protected, never mind actually protecting it.
In order to get a better grasp on the issues and methods of protection security professionals are currently employing, Wisegate recently conducted a private roundtable with 20 of senior IT professionals, including CISOs, CIOS and CSOs from varying industries. These security professionals teamed together to collaborate on past experiences and how IP should be best protected. Highlights of the best practices learned from that roundtable have been collected and shared within this article. As the roundtable was conducted in private, the security professionals’ identities will remain undisclosed.
IP security and legislation
While personally identifiable information (PII) breaches are reportable, IP breaches are not. However, the U.S. Securities and Exchange Commission (SEC) announced in June that they are thinking about making boards responsible for lack of attention to cyber security detail, one security professional explained during the Wisegate roundtable.
“While the FTC talks about PII and credit card information, the SEC is looking more broadly at the loss of competitiveness. If board members are held responsible, this will change the game,” he said.
Motorola’s $600M IP loss
An example of massive loss was disclosed during Wisegate’s roundtable. One security professional shared his experience after being hired by Motorola because of a data breach in 2005. At that time, Motorola had a heavy investment in China, with 20,000 employees involved in R&D, software development and manufacturing. The company had a firewalled relationship with Huawei; sharing some things but not others. But the firewall failed.
“After several visits to China and turning over a few rock, I concluded that Huawei had got into everything in Motorola and was using the data to its own advantage – making Motorola products faster and cheaper than Motorola could do,” he said.
Adding insult to injury, this was compounded by the Jin Case. Hanjuan Jin, a Chinese national working for Motorola took a year’s sick leave, but was simultaneously working for a nearby Chinese competitor to Motorola. Eventually she returned to Motorola under the guise of resuming work, though she had already purchased a one-way flight ticket to China. In fact, she had only returned to work to pick up some hard copy documents that she had in her possession when routinely stopped at the airport.
“The loss of IP cost Motorola something like $600,000,000 – and was without any doubt a major contributory factor in the decline of an iconic company,” the security professional reported.
Best practices to protect IP
In order to avoid major IP loss like Motorola experienced, there are three solutions security professionals should employ when protecting IP.
1. Promote awareness
Many times, staff use and share IP without fully realizing its significance, and it is often shared with partners. This means that employees at your company may even be sharing someone else’s IP without even realizing it. Create a culture of security awareness by explaining to employees, management and board members how to identify and protect IP. One security professional uses reports to understand where IP is going within his organization. He receives regular reports from his defense, which allows him to see what files and data are going where. From these he produces his own reports to management highlighting what is happening and indicating the possible consequences.
2. Employing traditional security in depth
Traditional layered security technology helps; but it was primarily designed to protect structured data and defined perimeters while IP is often unstructured and legitimately allowed through perimeters.
3. Utilizing newer technology
Security teams should consider using newer technology, including APT defense and managed file transfer technology. APT security can be supplemented with managed file transfer, which gives you control over documents, not just when they are within your own network but also when they are on partners’ networks.
There is a massive amount of work to be done to classify and protect IP. Teaming together to talk about these kinds of issues among security professionals is one way to combat cyber security issues and heighten defenses.