Don’t get complacent: IT security is just one step in safeguarding IP
Cyber attacks are stealthy and sensational, so it’s easy to see why these incidents grab the headlines. In one example alone, a series of Night Dragon cyber attacks on oil and gas companies around the world “exfiltrated” gigabytes of confidential information about field operations, project financing, bidding and more. As our whitepaper on trade secret theft noted, 39 percent of global firms have identified “attacks from data thieves” as a threat.
But companies take note: Cyber theft is not the only threat to intellectual property (IP). And IT security — a necessary, critical tool for preventing misappropriation of business information — is far from sufficient.
As CREATe’s Allen Dixon writes in his recent Trend Alert, addressing IP risk requires a much more holistic approach, one that includes, but does not end with, IT security.
“IP protection is not just IT security, but a much broader management issue,” Dixon writes. “Much of a company’s business, value, compliance and reputation can depend on getting IP protection right.”
In CREATe’s pilot project evaluating the IP protection of 40 companies operating in 14 countries, it was clear that most had dedicated thought, energy and resources to IT security, with 70 percent having a high level of maturity in this area. Some of these companies had implemented IT security systems based on the International Standards Organization’s (ISO) 27000 series. But even when companies are compliant with ISO 27001, IP protection may be inadequate. A few examples suggest some of their vulnerabilities.
- Forty-five percent of the companies in the CREATe evaluation had a low overall maturity level for all the processes needed to protect trade secrets — with security left primarily to security guards and/or IT staff and not integrated into business operations.
- Despite having strong firewalls in place to prevent outsiders from accessing confidential material on the company’s computer networks, many still allow all employees to access any data on that network without restriction — even when they have no “need to know.” Although cyber theft gets the press attention, insiders or business partners more often perpetrate the transfer of confidential IP, either intentionally or by accident.
- A company’s own security and confidentiality measures for dealing with IP internally may be stellar, but if these are not replicated, monitored or even required of its suppliers and other business partners, confidential and other valuable IP-related material is left at risk.
The way to address gaps, Dixon explains, is through a series of steps to build IP protection as an integral part of management systems, including but not limited to IT security. A comprehensive approach encompasses policies, training, physical security, a means of monitoring for security lapses internally and in the supply chain, and taking corrective action, to name a few elements.
This holistic approach can better safeguard competitive assets from cyber-attack as well as IP misappropriation by means that may be more mundane, but every bit as damaging.