Trade Secrets in the Age of Wikileaks and Cyber Industrial Espionage
By now, casual observers may have numbed to the steady stream of leaked-email and compromised-financial-record scandals. Anyone with access to Wikileaks can view more than 30,000 documents and 170,000 emails from Sony Corporation. The U.S. Department of Defense and Lockheed Martin have suffered multiple breaches of systems supporting the Joint Strike Fighter Project. Even computer security firm RSA was compromised to the point of losing intellectual property about its two-factor authentication security technology.
And while data insecurity might be blase from a news-cycle perspective, businesses are in no position to merely spectate. In fact, firms should be carefully assessing the potential for loss of intellectual property from cyber attacks.
Strategies for protecting intellectual property (IP) should include both legal measures and a comprehensive information security plan. The latter begins with identifying IP assets along with risks and threats to those assets. This step will certainly include cataloging the physical infrastructure of information technology (IT) operations, but it is more important, and often more challenging, to identify information capturing intellectual property.
Some IP assets, such as computer-aided design files or lab notes, are apparent. Others are less so. Engineers using instant messaging to collaborate can leave trails of IP in discussion threads, and a breach of information systems with fragmented pieces of IP such as these poses a significant risk. The same techniques and tools used for searching and retrieving disparate information on the Web or within a corporate network are capable of analyzing data dumps from even the most aggressive cyber attacks.
Once you've identified your sources of IP, categorize information according to a data classification scheme that reflects the value of the information represented in that data. Highly valued intellectual property warrants stricter controls than non-confidential information.
Any single security measure can fail: Well-crafted phishing emails can induce an executive into revealing login credentials. Disgruntled employees can use legitimate privileges to steal confidential information. External attackers can exploit vulnerabilities in operating systems, databases and other software to gain access to sensitive data. Your plan should include implementation of multiple, redundant security controls in a practice known as defense in depth. Common countermeasures include: access controls, encryption, vulnerability scanning, network traffic filtering and monitoring for anomalous events within servers and networks. The U.S. National Institutes of Standards and Technology provide guidance and best practices on information security controls.
In addition to security measures, businesses should consider the cost of shifting the risk of IP loss through the use of cyber insurance. Although the market for cyber-insurance is limited by factors such as lack of actuarial data on cyber breaches, the market is expected to grow to $7.5 billion by 2020.
Finally, businesses should consider legal protections of trade secrets, patents and related international agreements. Owners of trade secrets should take reasonable measures to preserve the secrecy of their intellectual property, and this includes information security controls.
Today, protecting intellectual property spans legal as well as information technology realms. Neither alone is sufficient to protect IP.