Security Think Tank: Block IP theft with policy, process and controls

IP theft affects almost all buinesses, observes no national boundaries and costs economies billions - so who should be tackling it and how?

Intellectual property (IP) theft is a big business – in the US and UK economies, IP theft is estimated to run into tens of billions or more of lost revenue, writes Adrian Davis.

IP theft occurs in all sectors and all geographies. The main actors can range from states and criminal gangs to employees or teenagers. Targets include the largest multinationals and the smallest SME. Organisations find it very difficult to protect their IP or prosecute those who steal it– especially in digital format – because of the ease of copying and disseminating it, differing laws, scales of punishments, cultural and social attitudes across the globe.

From the perspective of the Information Security Forum (ISF), organisations can take the following steps:

  • First, the organisation should have a policy, backed by enforcement, covering the use and protection of IP in all formats, physical or digital. The policy should cover organisational and non-organisational IP and how staff can use, share and protect it – weaving in both IT and information security aspects. Staff,  especially those dealing with IP, should be educated in how to work with and protect this information.
  • Next, the organisation should implement a process to identify and manage the information risks that arise from sharing information with its upstream suppliers and downstream customers and set its assurance requirements accordingly. Contracts with new suppliers should include IP clauses and existing contracts renegotiated to enhance IP protection.
  • To protect digital IP, in addition to fundamental controls such as access management, hardening servers and secure system development (as described in the ISF Standard of Good Practice), deploying technologies such as digital rights management, content filtering and logging, along with a data analytics solution (to spot unusual activity) should be considered, as should the provision of a forensics capability (in house or external) to collect evidence should IP theft be attempted or occur.

Adrian Davis is principal research analyst at the Information Security Forum (ISF).

Read more on Privacy and data protection