Security Think Tank: Follow an information-led, risk-based process to protect IP

The rapid rise in cyber espionage highlights the need to rethink data security strategies to improve protection of intellectual property. But what is the best way of doing that?

Intellectual Property (IP) theft – whether by competitors or states – has been occurring for a long time. Traditional approaches to protecting IP involve patents, copyrights, trademarks, physical security (locking documents away), classifying documents using a labelling scheme, and staff education.

These traditional approaches are still valid today, and may need to be strengthened. They should also be supplemented by a range of electronic approaches. 

These include electronic licensing, encryption, data classification, access control, logically or physically separate networks, and providing "clean" devices to staff travelling to countries where IP theft is likely. All approaches are complicated by the demands of international travel, collaborative working, the need to share information (including IP) in the supply chain, consumerisation, and the cloud.

Information Security Forum (ISF) research has shown that protecting your IP can follow an information-led, risk-based process similar to that used to protect information in your supply chains, as discussed in the Securing the Supply Chain reports and tools. 

The process is modified to reflect the greater control you have over your own organisation and staff, and comprises eight steps:

  1. Understand what you have and what you share
  2. Quantify the effect of losing information: what information, if lost, would hurt us most?
  3. Introduce a physical and electronic labelling scheme
  4. Deploy physical and logical controls: for example, clear desks, lockable cabinets, encryption and access control
  5. Educate your staff in both physical and electronic protection
  6. Investigate and implement technical solutions, such as data loss prevention
  7. Record and manage incidents and breaches: check for relationships and correlation
  8. Think like the thief: identify valuable information and how you would circumvent its protection.

Such a process should yield a mix of physical and electronic approaches that provide the required protection for your organisation and your IP.

Adrian Davis is principal research analyst at the Information Security Forum (ISF).
