Security Think Tank: You can’t protect what you don’t know you’ve got

IP theft: who should be tackling it and how?

All businesses have IP (intellectual property) regardless of size or sector. Most will also have IP they do not realise they possess, due to the fact that innovation is a natural by-product of development.  

A prime example is that around 1,400 NASA inventions have benefited industry, created jobs and improved life for people around the world. Since 1975, space program spin-offs have led to myriad products – from kidney dialysis and the CAT scanner to microwave dinners and cordless tools.

Approaching the problem purely from an information security perspective is one strategy, but it is hobbled by the fundamental rule that you cannot secure something you don’t know you have. 

So, unless an organisation takes active steps to identify and secure all of its IP, it cannot be protected from being leaked, stolen or subsequently conceived and exploited elsewhere. 

In other words, a business asset you didn’t know you had suddenly becomes a market threat working against you. That’s why it is vital that businesses conduct regular audits of their IP to identify and protect those intellectual assets.

It is likely that your employees will create work that carries IP rights. The good news is that any economic rights will normally be accrued by the employer, provided that staff have employment contracts. Especially if those contracts state the IP ownership position explicitly and have additional confidentiality clauses to cover the sensitivity of any secrets related to intellectual property. 

Read more about halting IP theft

  • Security Think Tank: Block IP theft with policy, process and controls
  • Security Think Tank: Least privilege is key to blocking IP theft

The same is not necessarily true of freelance contractors, where, unless you take steps to actively assign the IP rights to your business, you will neither own nor have exclusive rights to exploit them. 

Having IP secrets leaked, stolen, disclosed, infringed or claimed by another party before you have had a chance to protect them is generally considered a bad place to be.

Assuming you have identified, catalogued and verified who owns - or should own - the IP rights to each item, the next step is to seek legal protection for your IP where the opportunity exists and its value to the business justifies. 

It is worth bearing in mind that the new Patent Box scheme for tax relief which comes into force on 1 April 2013 includes a special 10% corporation tax rate for profits arising from patented innovations – which is likely to be a serious business driver to identify, assess and protect all of your in-house IP.

Who actually performs the various activities needed to identify, value and protect all of the organisation’s IP will vary between organisations, but will usually require close cooperation between the legal, HR, security and audit functions working under a common business directive and agreed targets.


Adrian Wright is director of projects, UK Chapter of the Information Systems Security Association (ISSA)

Read more on Privacy and data protection

Data Center
Data Management