Protecting Trade Secrets in an Enterprise: From IP to IT
Insights from the #IPPulse Counsel-to-Counsel Idea Exchange with Digital Forensics Expert Rob Kleeger
It’s no surprise that as technology continues to advance, so too do the abilities of tech-savvy individuals and organizations striving for innovation. While this can result in great benefit to a company’s bottom line, it also means greater vulnerability, and an increasingly urgent need to protect intellectual property.
As part of our Counsel to Counsel IP Pulse program, Dilworth IP facilitated an insightful discussion amongst leading senior corporate IP counsel with Michael Dilworth, Founder and Managing Partner at Dilworth IP, and Rob Kleeger, Founder and Managing Director at Digital4nx Group, Ltd moderating the conversation. With a focus on the critical goal of protecting valuable IP assets such as trade secrets, the conversation addressed the array of cyber threats enterprises face, and the subsequent need for enhanced cybersecurity and digital forensics within company structures.
Incidents of trade secret theft have increased dramatically in recent years — of particular note in a growing number of organizations is an uptick in IP misappropriation amongst c-suite level members. A recent study revealed that the top two areas of weakness rendering companies vulnerable to trade secret theft were inadequate cybersecurity and employee leaks of information. Weak cybersecurity systems make it easier for malware and ransomware attacks to occur, and employee leaks indicate an insider threat. As a result, executives are tasked with formulating strategies to enhance security measures, implement or alter employee surveillance tactics, and restrict access to IP data to certain groups within the organization.
The Motivations Behind Cyber Attacks
To better understand how to enhance the protection of intellectual property, it is essential to look at the motivation behind these attacks. Of course, a primary motivation for many cybercriminals, especially those who employ tactics like ransomware, is the possibility of significant monetary gain. There are, however, many other possible motivations for IP theft and misappropriation, including:
- Disgruntled employees (past and present) seeking to harm the organization
- Corporate espionage for political or financial gain from competitors or foreign governments
- Sabotage to a company’s network, data and/or infrastructure for personal or financial reasons
- Blackmail against the company and/or or its members to gain a monetary or competitive advantage
- Protest against the industry, country, capitalism, etc. based on a social or political agenda
- Notoriety for attacker(s) seeking to have their skill or influence recognized
Identifying an Emerging Threat
Cybercrime is not a new phenomenon, and the types of malware cybercriminals can employ to harm or extort an enterprise are as varied as the attackers themselves. One type of attack that is emerging as increasingly prevalent is the use of ransomware — a type of malicious software specifically designed to block access to an IT system, locking users out until a sum of money is paid. Ransomware incursions tend to be very sophisticated, highly targeted, and hard to prevent. When IT departments do not have the necessary back-ups in place, an attack like this can result in lost information and time as users are sidelined in frustration, waiting for the ransom to be paid or some other resolution to take place — not to mention damage to your brand reputation.
Ransomware and other forms of cyberattacks are sometimes the result of a known vulnerability that cybercriminals exploit; other instances can arise when a staff member clicks on a link that exposes the organization to malicious software.
A growing number of organizations are now opting to purchase cyber insurance coverage in a bid to manage the financial fallout of an attack; however, the case law in this industry is ever evolving and changing.
In order to minimize the risk of a cyber attack, companies should have a plan in place and be prepared. Though there is sometimes a stigma attached to falling victim to a cyber attack, and thus an added level of fear among organizations, having the right controls in place makes it easier to identify and respond should an attack occur.
Organizations specializing in cybersecurity have noted that a significant percentage of attacks are a result of internal threats within an organization. In some cases disgruntled employees are the culprit, and in others it is a matter of an untrained employee having access to sensitive data and inadvertently making a mistake. And as employees depart organizations, there is always the possibility of them taking trade secret information with them, either to bolster their chances for success with their new employer, or perhaps unwittingly holding on to data they are not authorized to take outside the enterprise.
To combat this, many companies are implementing employee surveillance systems which vary in terms of intensity. For organizations with a ‘Bring your own Device (BYOD)’ policy in place, this type of surveillance carries an added level of complexity. Though enterprises can implement company security systems on personal devices, there is a grey area in terms of what is considered personal content and what is considered company content.
Protecting your Enterprise
Having an emergency plan in case of an attack is essential. However, it is just as essential to test these plans before an actual attack occurs so that you can proactively identify any gaps. A comprehensive plan may include some or all of the following:
- Have back-up systems (emails, R&D, and critical databases should be securely backed up)
- Rehearse back-ups every quarter
- Prepare a business continuity plan
- Educate your IT departments on the IP they are protecting and why
- Be transparent about attacks with your employees
- Implement employee surveillance systems and practices
- Segment and decentralize data
- Ensure that multifactor authentication is mandatory
It has never been more clear that in order to better protect their intellectual property, companies need to do an audit of their current IT structures and identify any areas of weakness to improve. Added layers of security such as multi-authentication, segmenting company data, encrypting, and educating employees on how to think critically and assess potential threats are key.
At Dilworth IP, we specialize in developing strategies that protect and secure your company’s trade secrets and IP portfolios. Contact us here to get started.