Security Think Tank: IP theft: Have you got all the bases covered?

IP theft: who should be tackling it and how?

Organisations holding information which gives them a competitive advantage and allows them to compete in business should have an awareness of what intellectual property (IP) they hold. 

Examples of intellectual property include: plans for a product launch; a trade secret, like a chemical formula; company contact lists; marketing and sales strategies; computer code; customer information; marketing plans; sales plans; business plans; trademarks; recipes, and any type of information that will give a company a competitive advantage.

Most IP has no describable value; however, a significant proportion of companies are valued according to the IP they hold. 

Therefore, IP theft can have a serious detrimental impact on a company's future; a stolen chemical formula or prototype could be worth millions, or even billions, in potential market share, and research shows that IP theft costs businesses billions of pounds a year. There have been stories in the press of companies going bankrupt because of IP theft.

A large majority of organisations believe their IP is adequately protected by the security controls and practices they currently have in place.

However, most IP is located in various parts of the organisation and will not always be in a digital format: IP can also exist in filing cabinets, on whiteboards, and even on conference calls, where developers could be discussing a new prototype or a formula for a new product.

Listening in to a conference call can be a great way to steal information; a large majority of workers now work from home and dial in to conference call facilities all the time. In January this year, the hacktivist group Anonymous managed to listen in to a conference call between the FBI and Scotland Yard. Anonymous recorded the call and later posted it on YouTube, causing embarrassment to both organisations.

There are various steps a company can take to protect its IP from being stolen or leaked. They are:

• Understand what IP you have. This can be achieved by doing a data classification exercise which will allow you to assess the sensitivity of the data you hold. The data classification exercise will also give you an indication of what your information is worth and determine what information, if stolen or leaked, would cause your company financial loss or embarrassment.

• Apply marking labels to the information (confidential, restricted, secret, etc.); this can be achieved through the use of digital watermarking, or by adding those labels to the header and footer of documents.

• Create a data classification standard and guideline which should include what controls should be applied to the information in question, and what users are allowed and not allowed to do with that information.

• Educate employees about the information you hold, and what they should and should not do with that information. This can be achieved by running a security awareness campaign. Most data leaks and IP thefts are caused by employees not being aware of things like scams, phishing, or social engineering attacks. As we all know, people are the weakest link, examples being an employee plugging in a USB device with malware on it, like Flame, Stuxnet, etc., which resulted in the theft of IP.

There are other controls and data loss prevention (DLP) technology that you can use to protect IP from getting stolen or leaked. Even an eDiscovery solution can be used to see what data is where within an organisation; this will allow you to see if the controls you have in place are adequately protecting the data.
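The discovery check described above can be sketched in a few lines; this is an added example, not code from the article. It assumes plain-text files, a hypothetical `POLICY` mapping each marking label to the top-level folders where the classification standard allows it, and labels placed in the first or last few lines of a file.

```python
import tempfile
from pathlib import Path

# Hypothetical classification standard: marking label -> top-level folders
# where it may be stored. Ordered from most to least sensitive.
POLICY = {
    "SECRET": {"vault"},
    "CONFIDENTIAL": {"vault", "finance"},
    "RESTRICTED": {"vault", "finance", "engineering"},
}
EDGE_LINES = 3  # non-blank lines at top and bottom treated as header/footer

def find_label(text):
    """Return the most sensitive marking label in the header or footer, or None."""
    lines = [ln.strip().upper() for ln in text.splitlines() if ln.strip()]
    edges = lines[:EDGE_LINES] + lines[-EDGE_LINES:]
    return next((lab for lab in POLICY if any(lab in ln for ln in edges)), None)

def audit(root):
    """Return sorted (relative_path, finding) pairs for files that break the standard."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        area = rel.parts[0]
        label = find_label(path.read_text(encoding="utf-8", errors="replace"))
        if label is None:
            findings.append((rel.as_posix(), "UNLABELLED"))
        elif area not in POLICY[label]:
            findings.append((rel.as_posix(), f"{label} not permitted in {area}"))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not real data) under root."""
    samples = {
        "vault/formula.txt": "SECRET\nCompound ratio notes\nSECRET\n",
        "engineering/launch_plan.txt": "Classification: CONFIDENTIAL\nQ3 launch plan\n",
        "engineering/build_notes.txt": "RESTRICTED\nBuild steps\n",
        "finance/contacts.txt": "Customer contact list\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, finding in audit(tmp):
            print(f"{rel}: {finding}")
```

Label matching here is a plain substring test on header and footer lines, so a real deployment would match the exact marking format the classification standard prescribes.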

IP is paramount to the survival of any business, and any loss or theft of that IP could bankrupt companies, or cause huge embarrassment – how many companies are prepared for IP theft or loss?!


Kevin Wharram is a member of the ISACA London Chapter Security Advisory Group
