Brain drain: Protecting your organization's IP

Global healthcare provider Best Doctors employs the most robust technologies and practices available to protect the privacy of its members' personal data—but that's just a part of doing business in this industry. Less obvious but equally important is the degree of vigilance with which the company protects its brand name, which is trademarked in dozens of countries worldwide.

"Our distinctive name and logo, those two words connote the high quality of our doctors and hospitals. Something very simple can be very powerful," says Tom Seaman, senior vice president and general counsel for the company, which provides health insurance as well as health advisory services.

Though Best Doctors has a small portfolio of patents (including a business process patent it received in the 1990s when such things were in vogue), the firm's primary focus when it comes to intellectual property protection is its brand, which is trademarked. "We take extreme measures to protect it," says Seaman. His vigilance is entirely appropriate.

This is no time to blink. Many now see intellectual property (IP) as one of the most important corporate assets—worthy of protection, electronic and otherwise.

"Targeting of IP is increasing," says Gary Loveland, partner at PricewaterhouseCoopers. "We're seeing an evolution from a hacking perspective. Before, [breaking in] was just a trophy to show you could get access to the data. Then there was identity theft. Now, there's a focus on IP because of the profit motive." Accessing a company's proprietary information provides a quick path to stealing its business.

Daily headlines detail attacks on corporate IP, especially when the assaults are launched from emerging economies such as China. For example, security software vendor Symantec recently announced its discovery that hackers had targeted the intellectual property of about 50 organizations, including chemical and defense companies, in a global wave of cyberespionage. These attacks were thought to be the work of a Chinese man. Symantec competitor McAfee also reported that it detected that 72 organizations had been subject to cyberattacks on IP last summer. Google disclosed its Aurora attacks in 2010. The Wall Street Journal recently reported that the Chamber of Commerce suffered a major theft of information, also believed to have been conducted by someone in China. The full extent of the damage from these incidents won't be understood for years, say experts.

But as scary as these stories are (and they are that, if you're paying attention), they shouldn't eclipse your concern over a host of more mundane but potentially equally damaging threats to your company's IP. The most common scenario, alas, is that an employee unwittingly shares a trade secret or a confidential idea, or that your business partner forgets about a nondisclosure agreement signed long ago. Social networks make this scenario exponentially more likely. The problem is, most companies have a broad range of information that can be considered intellectual property—though many have not taken the time to properly identify it all—and protecting all of it from myriad threats is a daunting prospect.

A number of CISOs contacted for this article say their corporate intellectual property is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protection of transactional data and personally identifiable information (PII), such as customer names and credit card numbers. That's what compliance regimes such as PCI DSS address. Intellectual property is much squishier and may live in different parts of your network—and of your filing cabinets and whiteboards and so on—from PII. And it is sometimes subject to a different set of legal protections.

So read on for expert advice on connecting all the dots and creating a more robust IP protection program.

Taking Stock of Intellectual Property

Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone's head or captured in a document. You need to explain to your employees and business partners in particular what your IP is, because if you don't, you can be sure they will share the information haphazardly and thereby reduce its value (at best) or jeopardize the company (at worst).

"We have gone through a significant effort to understand what we have in-house, what's commercial, where it resides," says Black. "Due to the speed at which we iterate, it's quite an effort."

After you've completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company.

"How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission," says Lynch. Your IP data map then becomes your footprint for applying controls. (And, obviously, the data map itself will be a very sensitive document requiring excellent protection.)

Electronic protection of IP is different from protecting many other types of information. Often referred to as the "corporate jewels," IP is so precious it needs to be protected at a data and document level, as opposed to just at the level of the system on which it resides. Unfortunately, more draconian protections make it difficult to share the data, which is the order of the day in today's collaborative environments. "Public key infrastructure and general encryption are not very usable in an enterprise," says Ryan Kalember, who became chief marketing officer of WatchDox last month. "Users will find their way around the controls."

On the other hand, when you have a small amount of ultra-secret, non-shared information to protect from prying eyes, the task is fairly straightforward: encryption or data masking, two- or three-factor authentication and embedded access controls you get from a tool like WatchDox or Tripwire. The latter tools represent the future of electronic IP protection, says Kalember. "The protections must be embedded in the IP in a frictionless way for the users. Otherwise, it's just the whack-a-mole routine we've been doing for years."

These decisions—what to count as IP and how and to what degree to protect it—should flow from your business objectives, according to Evan Falchuk, chief strategy officer for Best Doctors.

"The way you focus those efforts has to fit into your business. Our business is to make sure people get the right medical care. We have to have a brand that people know and recognize and trust. They need to feel completely secure when they share information with us. We ask, 'What does it take for our business to win?' Our strategies flow from that," says Falchuk.

So, as mentioned above, Best Doctors focuses on supporting its brand name with its IP protection, though it uses comprehensive IT security technologies and practices, including requiring all new employees to sign a nondisclosure agreement. And everyone has to leave behind a clean desk when they go home for the night, part of Best Doctors' attention to seemingly minor details.

Many companies turn to the experts—lawyers, generally—for help educating staff and getting their commitment to protect IP. Jeff Feldman of Feldman Gale is often called in to do IP counseling for employees. Seminars covering IP basics can help the organization immunize itself against the virus of IP leakage, which can take benign-looking forms.

An in-house patent lawyer at a healthcare company laments the collegial way doctors tend to share data. "It's like an academic environment—they're just trying to further the cause of medicine. But they don't understand that the company has shareholders, and the company has to make investment decisions for its shareholders," he says. This attorney does training based on real-life scenarios, telling people, "Don't let this be you."

Feldman's bugaboo is idea misappropriation. He has seen too many instances where a former employee tries to claim credit for the idea behind a product or service. He also cringes when content and entertainment companies have no clear-cut idea-submission policy.

"Follow the lead of Google and Facebook and have a policy: 'You send me an idea, it's mine,'" he advises. Eliminate the implied duty of confidentiality right out of the box, and avoid claims down the road.

A Cautionary Tale

Virtually everyone interviewed for this story warned that IP is highly perishable. Once the secret is out, it's out. And the consequences can be dire.

Prescott Winter, CTO of the public sector for HP Enterprise Security Products, was advising a small high-tech company that was hit by the Google Aurora attacks in 2010. This company spent a significant portion of its revenue on research and development.

"They only had about nine months of profit on their new products, about a 35 percent to 40 percent return on investment," says Winter. After that, the return rates dropped off. "The advantage they had dissipated immediately. They had overlapping nine- to 12-month bumps in revenue. If three of those high-revenue product cycles in a row were to be damaged or destroyed because a competitor gets the information, game over." Post-Aurora, the company was forced to shut down.

"They were unable to respond before their future was stolen," says Winter. "So many companies are hanging by a thread." In the words of the patent lawyer, don't let this be you.

The IP Landscape

Your company's intellectual property may encompass a wider range of items than you've considered, including:

Patents. This is usually fairly straightforward. If your firm was granted one or more patents, you or your legal department will be charged with defending it (that is, detecting and suing over possible infringement). Less clear-cut: When other companies or patent trolls claim your firm is infringing their patents. It happens every day. In industries like high tech, companies routinely infringe each other's patents via reverse-engineering, according to an industry insider, and then negotiate to decide a reasonable licensing fee post-facto.

Copyrighted material. When an author creates a written work, a natural copyright (that is, the right to exclude others from copying that work) arises. This natural copyright exists even without registering a formal copyright and using the © symbol, but if the document or work is important, you should take the time to register its copyright.

Trademarked names or logos. If your corporate name or logo carries a trademark, create usage policies for employees and business partners to follow or risk diluting the value of your IP.

Ideas. These are amorphous and generally exist in unstructured form (often in people's heads) and so can be difficult to protect. Most important here is to have a written agreement in place from the beginning of the person's employment or the start of the partnership so all parties understand who owns what in the case of a later claim.

Trade secrets (including recipes, ideas, transcripts, notes, presentations). This category covers any manifestation of value to the corporation for which you prefer not to seek formal IP protection, due to competitive or other reasons. The object here is to make sure the secret remains safe from prying eyes. You should seek the highest information security for this type of information, including encryption and multi-factor authentication. And don't skimp on the employee and partner education and security policies.

Mark Itri, a patent attorney with law firm McDermott Will and Emery, was on a plane going to visit a major airplane manufacturer when he overheard a conversation, apparently among employees, about the schematics for the next generation of jet engines.

"They were talking really loud. Everyone could hear. All over the schematics were the words 'confidential and proprietary,'" says Itri.

He promptly walked into the airplane maker's offices and said, "This is how you lose your trade secrets."


Stories by Lauren Gibbons Paul