Intellectual Property (IP) theft – whether by competitors or states – has been occurring for a long time. Traditional approaches to protecting IP involve patents, copyrights, trademarks, physical security (locking documents away), classifying documents using a labelling scheme, and staff education.
These traditional approaches are still valid today, and may need to be strengthened. They should also be supplemented by a range of electronic approaches.
These include electronic licensing, encryption, data classification, access control, logically or physically separate networks, and providing "clean" devices to staff travelling to countries where IP theft is likely. All approaches are complicated by the demands of international travel, collaborative working, the need to share information (including IP) in the supply chain, consumerisation, and the cloud.
Information Security Forum (ISF) research has shown that protecting your IP can follow an information-led, risk-based process similar to that used to protect information in your supply chains, as discussed in the Securing the Supply Chain reports and tools.
The process is modified to reflect the greater control over your own organisation and staff, and comprises eight steps:
- Quantify the effect of losing information: what information, if lost, would hurt us most?
- Introduce a physical and electronic labelling scheme
- Deploy physical and logical controls: for example, clear desks, lockable cabinets, encryption and access control
- Educate your staff in both physical and electronic protection
- Investigate and implement technical solutions, such as data loss prevention
- Record and manage incidents and breaches: check for relationships and correlation
- Think like the thief: identify valuable information and how you would circumvent its protection
Such a process should yield a mix of physical and electronic approaches that provide the required protection for your organisation and your IP.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).