ISACA Journal
Volume 3, 2,018 

Features 

Intellectual Property Protection for High-Tech’s Crown Jewels 

Ray Cheung, CISA, CITP, CPA, and Mike Porter, CISSP 

Theft of intellectual property (IP) is an emerging threat and a topic of boardroom conversation for organizations across the United States, particularly for those in the high-tech industry. One need look no further than the IP Commission Report, updated in February 2017, to see the scale of the risk this issue presents. This report estimates the cost of trade secret theft to be 1 to 3 percent of the US Gross Domestic Product (GDP), which translates to between a sobering US $180 billion to $540 billion.1 While the government is driving initiatives to curb these losses, organizations should not wait around for legislation that may be difficult to implement or fail to address the source of the risk.

IP theft can prove disastrous. With the possibility of IP thieves invading from both the inside and outside, organizations must address the risk by using a proactive and holistic approach that encompasses people, processes and technology. This requires a comprehensive understanding of the inherent risk associated with IP and, in turn, the implementation of effective management and technical controls.

The High Cost of IP Theft

Cases of IP theft and leakage can be devastatingly costly for enterprises. Thieves can leak IP directly to consumers, as happened with some of the HBO content stolen in 2017,2 or to an organization’s competitors. Either way (and sometimes both scenarios unfurl), thieves can lay waste to existing business strategies and expected revenue sources and leave a path of unforeseen costs as breaches are investigated, diagnosed and remedied.

If a malicious hacker steals IP, the hacker can create an eye-popping bill for the victim, costing an organization extensive time and money to repair any corrupted material and institute precautionary measures to prevent similar incidents in the future. Sony Pictures made headlines in 2014 when employees were greeted with images of a red skeleton on their workstations, alerting them that the studio had been hacked by the “Guardians of Peace.”3 The studio suffered enormous monetary losses due to the theft of IP assets (including scripts and movies) as well as reputational damage due to the leaking of embarrassing emails. The IT expenses alone cost the company an estimated US $35 million.4

The cost for Sony Pictures was substantial, but the company was able to move past the incident and continue its normal operations after making the appropriate responses to protect its remaining IP. However, other organizations that fall victim to IP theft are not always as lucky; for some, the damage runs far deeper.

That was the case for American Superconductor Inc. (now known as AMSC), an energy company that sold its wind turbine technology to other companies as its primary source of revenue.5 When a customer that represented more than half of its revenue recruited an AMSC employee to obtain turbine technology trade secrets, the loss of that customer resulted in a financial setback so large that the company was forced to lay off half of its 900-employee workforce and its stock prices plummeted.6 The US Department of Justice (DOJ) estimated the company’s losses at US $800 million7 and the company has struggled to return to its former strength. This is just one example; corporate espionage events have affected numerous organizations such as global grants IBM and Siemens.8

Every organization must recognize IP protection as an ongoing priority. As the Sony Pictures and AMSC examples demonstrate, IP theft can result in crushing financial losses, compromised business strategies and irreversible detrimental effects on business operations. The additional damage done to a victim organization’s reputation, while harder to quantify, should not be underestimated. An organization might see its public image tarnished, and customers could become reluctant to do business with it for fear that their data will be targeted in the future.

Risk Factors

High-tech companies might be particularly vulnerable to IP theft due to several factors.

International Relationships
Controlling IP becomes more important, and more complicated, when an organization has international relationships, which is common for tech companies (e.g., a tech company that uses foreign component manufacturers). Global collaboration and coordination can, of course, offer several advantages for product manufacturing and development of IP, but they also can increase the inherent risk of managing the related data. If nothing else, these relationships create an added layer of complexity when addressing legal considerations for patent, trademark and copyright protection. The need to translate IP into another language can also obfuscate the flow of such data.

International relationships can bring the risk of bribery, too. Bribery risk varies greatly from country to country.9 While the mere existence of bribery risk should not exclude potential collaborators from consideration, it highlights the need for an organization to consider the cultural, economic and political climates of all of its business partners.

Quantity of IP
When it comes to IP, an organization can have both a standard and inverse risk relationship with its quantity of IP data. On the one hand, the risk of IP theft follows a standard model, climbing as the quantity of IP increases. On the other hand, though, a limited amount of IP can represent disproportional risk if that IP is essential to the core business activity. The exposure of such IP data could be catastrophic for organizations that rely on a single service, technology or algorithm.

Format of IP
The format of IP can greatly affect the ease of management and commensurate controls that an organization can deploy to protect it. For some companies, IP comes in defined formats and resides in well-controlled repositories: for example, a software development company whose source code is controlled through an enterprise version-control system.

But the format of IP can prove more difficult to understand, define and control in other organizations. When IP takes the form of business processes, technical schematics (in a variety of formats) or creative content, it can be less obvious where controls should be inserted.

Most large organizations find themselves in both boats. Some of their IP is well defined, with a clear inventory and understood business processes, while other IP is hard to define, discover and, ultimately, control.

Management Controls

An organization’s management controls are its front line of defense against IP theft. A three-pronged approach can go a long way toward keeping a lid on risk.

Employee Vetting
Information collected during the hiring process generally helps hiring managers make informed and considered decisions. But without proper controls in place to see that background check processes are fully executed, the management team cannot be assured that any “problem” employees are filtered out.

Once candidates pass the screening process and are hired, they should be asked to sign employee contracts that include legally enforceable terms to protect critical business assets in cases of employee disputes or malfeasance. These terms should address:

  • IP ownership
  • Definitions of relevant IP
  • Appropriate use and movement of IP data (including nondisclosure agreements)
  • Restrictions on competition
  • Sanctions for noncompliance
  • Dispute resolution

It is not enough simply to have strong policies, standards and procedures in place; organizations also must communicate these requirements to employees. New-hire and annual training can help employees understand their responsibilities and rights.

Vendor Contracting
Organizations also must consider their contracts with vendors and other third parties involved in developing and manufacturing their products or services. The concepts outlined for employees apply equally to third parties.

These are some important questions organizations should ask on this front:

  • Who has access to the organization’s critical IP?
  • Who plays a vital role in developing and producing IP?
  • Where do the third parties operate?
  • Do those jurisdictions have IP requirements that are more stringent or less stringent?

Organizations must know the IP they are outsourcing when assessing vendor and collaborator risk and controls. At a minimum, organizations should identify what their IP comprises, who controls it and how it is protected. They also must closely scrutinize their IP licensing agreements to determine whether the agreements prohibit outsourcing of the IP without authorization.

While protecting IP rights in the United States is relatively straightforward, due to the strict enforcement regime built around such rights, it could become a greater challenge to enforce rights elsewhere. To avoid such hurdles, organizations need to establish controls to determine whether collaborators’ home countries are signatories of the various international IP protection treaties.

Classification
IP classification involves categorizing IP into different groups or labels based on sensitivity. Classification allows organizations to let business processes flow freely in cases of low-risk data while prioritizing the highest-risk information for additional controls. This saves on costs related to deploying security technologies, monitoring data flow and controlling system access. For example, “highly confidential” might encompass all IP that could cause major harm and tremendous financial loss if leaked. This class of IP should be secured at the highest, most resource-intensive standard. By building controls around IP classification, organizations can exert greater control over their information and reduce the odds of a data breach.

Classification standards should be tightly integrated with processes for identity and access management (for both employees and vendors). Without the implementation of security authorizations, classification of data will fall short of preventing data exposure. Organizations need to consider these authorizations at all relevant levels, including access to networks, file shares, applications and databases.

Technical Controls

Technical controls can reduce the risk of IP theft, too.

Border Controls
As with most areas of data security, the most critical (and logical) control points for IP data relate to the borders of an organization’s network. Controls around outbound email, permissible data transfer mechanisms, inspection of encrypted traffic and the use of cloud services are vital to preventing the theft of the low-hanging fruit of IP data. Implementing these controls can be easier said than done, but organizations should not leave these concepts out of a broader IP protection campaign.

Data Discovery
As organizations seek to better control their IP, it is necessary to understand the scope and usage of such data across the organization. This is a particularly daunting task for large organizations with many product lines, manufacturing facilities, international offices or vendor relationships, but no organization can protect an asset if it is unaware of the asset’s existence. This is where data discovery tools become crucial for managing IP.

These tools can come in multiple forms, such as passive network monitoring, active device scanning or user-based flagging. Data discovery tools that perform automatic scans to discover where data reside are included in numerous data loss prevention (DLP) tool sets and also are available as stand-alone products and services. In the coming years, advancements in machine learning techniques will yield new tools to help automate these discovery efforts, and some technology vendors already are moving in this direction. However, no magic bullet solutions exist at this point. Organizations need to select tools that are designed specifically to identify the types of data in which they are interested. This approach likely will result in the adoption of multiple tools to identify data across repositories such as databases, file shares, local files, email and cloud services.

Data Loss Prevention
Assuming that an organization has a strong grasp of the type of IP data it uses, how the data are classified and where the data reside on the network, it can use DLP technologies to further control the data. DLP solutions come in several forms that address specific areas or technical components of IT infrastructure, including email, end points, cloud services or movement throughout the internal network. The appropriate tools will depend heavily on the organization’s specific areas of risk in terms of data format, movement and sensitivity.

Revision and Source Code Control Systems
IP data that take the form of source code or files that are subject to constant modification and revision should be managed and monitored by a version-control system. As with all sensitive IT systems, a version-control system should be accessible only by authorized personnel, hardened and subject to robust monitoring. Central repositories such as these often are complemented by the use of DLP technologies. Any anomalies regarding the movement of data or unauthorized modification should be investigated to preserve the confidentiality and integrity of IP.

Getting Started

For organizations that want to more effectively manage the security of their IP, the process should begin with a simple three-step approach:

  1. Identify. Organizations must first identify and understand their data. Surveys can be a very useful tool to get the process rolling. By surveying employees from across the business, an organization can begin to understand the scope and complexity of its IP and then narrow the focus for more detailed conversations and evaluation. Examples of survey questions include:
    • How does your team define IP?
    • What are your thresholds for considering something sensitive?
    • Which form does the IP with which you work tend to take? Conceptual format? File format?
    • Do you tag or classify IP in any way?
    • What are the specific repositories used to store IP? File shares, databases, code repositories, etc.?
    An organization also can identify IP through the use of automated tools that can scan networks based on file type, file content (natural language processing), metadata or classification tags. The usefulness of these tools will depend on the form of the organization’s IP: The more IP takes a defined form or has consistent markers, the more effective the tools will be.

    For example, starting with a known, high-risk system such as a source code controls system, an organization can map the inbound and outbound data flows to understand other systems and networks that should be considered from a risk perspective. This will enable the organization to develop an understanding of the format of the data and ways in which they may be identified or tagged in the future.
  2. Control. Once the organization’s IP data are better understood, the next step is to begin applying controls. Controls should be implemented based on risk and the business’s needs. Striking the balance between controlling the flow of data and allowing the business to operate efficiently and effectively always poses a challenge. A combination of management and technical controls (as previously outlined) should be considered and applied as appropriate.

    For example, an organization can start with low-hanging fruit for controls. It can terminate unnecessary data flows, encrypt all data flow channels going outside of the organization and review user access to the system. The organization can then continue to layer on controls to a level that allows the business to operate effectively while managing risk to an acceptable level.
  3. Evaluate. Any control environment should be regularly evaluated to answer significant questions such as these:
    • Are the controls operating as expected?
    • Can a similar level of control be achieved with less friction?
    • Are the current controls aligned with new and emerging risk scenarios?
    • What feedback is being received from the business?
    For example, an organization may choose to start by looking at past events and implementations of controls by performing audits or interviewing key stakeholders. This will help in trying to identify ways in which continuous monitoring, 100 percent testing or frictionless reporting can be integrated in the control strategy.

The Big Picture

Securing IP begins with having a deep understanding of the organization’s needs and goals, as well as the related risk. From there, management and technical controls can make great strides toward protecting the data. But organizations that seek peace of mind regarding the security of their valuable IP would be remiss to not also consider the nuances of employee management and international law.

Endnotes

1 The Commission on the Theft of American Intellectual Property, “Update to the IP Commission Report,” February 2017, http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf
2 Fung, B.; C. Timberg; “How Bad Is the HBO Hack? The Company Is Still Struggling to Find Out,” The Washington Post, 3 August 2017, https://www.washingtonpost.com/news/the-switch/wp/2017/08/03/how-bad-is-the-hbo-hack-the-company-is-still-struggling-to-find-out/?utm_term=.b4a39ed54962
3 Peterson, A.; “The Sony Pictures Hack, Explained,” The Washington Post, 18 December 2014, https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?utm_term=.d64e0dbc5938
4 Zetter, K.; “Evidence Suggests the Sony Hackers Are Alive and Well and Still Hacking,” Wired, 12 February 2016, https://www.wired.com/2016/02/evidence-suggests-the-sony-hackers-are-alive-and-well-and-still-hacking/
5 Department of Justice, Office of Public Affairs, “Sinovel Corporation and Three Individuals Charged in Wisconsin With Theft of AMSC Trade Secrets,” USA, 27 June 2013, https://www.justice.gov/opa/pr/sinovel-corporation-and-three-individuals-charged-wisconsin-theft-amsc-trade-secrets
6 Sears, C.; M. Isikoff; “Chinese Firm Paid Insider to ‘Kill My Company,’ American CEO Says,” NBC News, 6 August 2013, https://www.nbcnews.com/news/other/chinese-firm-paid-insider-kill-my-company-american-ceo-says-f6C10858966
7 Ibid.
8 Burgess, C.; “China’s Theft of IBM’s Intellectual Property,” CSO, 22 May 2017, https://www.csoonline.com/article/3197751/security/chinas-theft-of-ibms-intellectual-property.html
9 TRACE International Inc., TRACE Bribery Risk Matrix, 2016, https://www.traceinternational.org/trace-matrix?year=2016

Ray Cheung, CISA, CITP, CPA
Is a managing director and leads the high-tech group in risk consulting at Crowe Horwath LLP, one of the largest accounting, consulting and technology firms in the United States. He has more than 25 years of experience in public accounting and private industry, solving business problems by identifying control inefficiencies through implementing technology and control process improvements. Cheung has significant experience providing independent board and senior management-level consulting services in the high-tech sector and across other industries. Previously, Cheung was a managing director in risk advisory services for a national accounting firm and a Big Four firm. He was also the chief information officer for a start-up and vice president of the technology management group at Visa International. Cheung can be reached at ray.cheung@crowehorwath.com.

Mike Porter, CISSP
Is a manager in the cybersecurity solutions group of risk consulting at Crowe Horwath LLP. His experience includes system design and implementation projects for a variety of technologies including end-point security, data loss prevention, network access controls, and identity and access management. Porter can be reached at mike.porter@crowehorwath.com.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.