Guest Post | Protecting Intellectual Property against Human Risks. A Company Approach.

The Risk is Real

In a previous post we discussed how competitors and adversary nations still use human collectors to steal intellectual property (IP), costing businesses billions. In our example, we imagined how a properly prepared employee spotted an elicitation attempt by a malicious actor, avoided disclosing sensitive information, reported the incident to company security, and helped prevent IP theft. It was a win for everyone except the adversary!

Let’s talk about how the employee reached that enlightened state, how that fortunate situation can come about, and what a company can do to handle suspicious contacts that might make their employee’s warning lights flash and hair stand on end.

These are a few practical and low-cost measures that can help protect against losing your IP, and money.

Feasible Measures

• Foster a Security Environment. Making security an integral part of company operations is perhaps the most important step. Adversaries attack companies at varying levels; by approaching employees, by exploiting published information, and through gaps in information technology, to name a few. When companies imbue a security mindset to all operations, it enables defenses at all the attack surfaces an adversary might exploit. A security emphasis will enlist the power of the entire company to protect your competitive advantage.
• Identify your “Crown Jewels”. Not everything is sensitive, and you need to share some information for successful marketing. So what to protect, and how stringently? Consider what information is unique to your company, such as code, algorithms, manufacturing methods, business processes, proprietary formulas, R&D results, or more. Information on your technical advantage that may enable the duplication, defeat, or manipulation of your technology may be Critical Program Information (CPI). Designating information as CPI will help employees know what not to discuss with outsiders. The process may also indicate what information requires legal protection such as patents, copyrights, trademarks, or others.
• Build a Relationship with Law Enforcement. Cooperation between private industry and law enforcement is vital to protect IP. Both rely on the other for current information, reported incidents, trends and adversary methods, and more. And many law enforcement organizations are eager to work with industry. In the United States, the FBI operates the Office of the Private Sector to enhance collaboration with industry, and the “Company Man” campaign focuses on thwarting economic espionage. Information from those programs and others can help differentiate between routine business enquiries and suspicious contacts, helping companies know what to report.
• Educate the Team: Bring the strength of your company together with security awareness education. Short presentations can inform employees on risks to your IP, what information is sensitive, how to be wary of suspicious contacts, and what to report to company security. Senior leader attendance and support will emphasize your security culture. Repeat the education periodically and make it part of on-boarding new employees.
• Have a Reporting Process. Designate a security official that employees can speak with about potential suspicious incidents. The security official can screen incidents and pass the information to law enforcement if they appear suspicious. Ensure reporting is discreet. Encourage the process as a vital part of protecting company business and discourage any stigma about reporting. Periodically remind employees to report suspicious contacts, particularly before trade events or other external interactions.

Low Cost, Big Impact

The measures above are relatively low cost but can have a significant impact on protecting company IP. However in addition to human collection adversaries use multiple methods to steal IP. For thorough protection a company should have a comprehensive program to identify vulnerabilities and close defensive gaps. Engaging professionals for advice can help establish an effective and affordable protection program.

The good news is those who might want to steal your IP hate thorough defenses. By using the measures we’ve outlined here and emplacing comprehensive defenses, adversaries are left out in the cold.