by Michael D. Sarlo, EnCE, RCA, CBE, CCLO, CCPA
At the 2012 RSA Cybersecurity Conference, former Federal Bureau of Investigation Director Robert Mueller famously said:
“I am convinced that there are two types of companies: Those that have been hacked and those that will be. And even they are converging into one category: Companies that have been hacked and will be hacked again.”
Suffice it to say his take was on point, and intellectual property continues to be an increasingly common target of hacking events and data breaches.
In honor of World Intellectual Property Day, I wanted to share some of the core tenets involved in protecting proprietary information from a range of risks and threats.
We all know that data theft is a growing problem, and that the stakes are getting higher in IP litigation. However, I continue to see enterprises neglecting their IP governance and general data security responsibilities, at least until they get stung by a major breach or instance of theft.
Proactive, ongoing, and intelligent management of policies, people, processes, and technology is critical to avoiding a range of threats inherently involved in IP ownership.
Here are 3 steps all firms should be taking to protect their IP:
1. Tighten up IT security
IP management is now fully entrenched in the digital sphere, meaning that the first step toward protecting proprietary information is mitigating data breach risk.
First, consider these stats:
- IBM and Ponemon Institute’s 2016 Cost of Data Breach Study revealed the average loss from a data breach increased to $4 million from $3.8 million the year prior.
- The Identity Theft Resource Center recorded 1,093 data breaches in the U.S. last year, which was 40 percent more than the 780 events in 2015.
- Help Net Security cited the findings of one study that forecast IP-related data breaches to increase by 58 percent between mid-2016 and July of this year, with 20 percent of perpetrators being insiders.
And, if you want a bit more evidence of how serious data breaches are in the IP realm, check out Dark Reading’s rundown of major events that have recently taken place.
Here are a few ways to ensure your IT security frameworks can protect IP from theft:
- Utilize the full spectrum of protective technologies, including network monitoring and intrusion detection, encryption, mobile device management, and data security software.
- Review your security policies, metrics, and performance at least once every few months to ensure all threats are being mitigated, and that the frameworks defend against newer risks as they proliferate.
- Make sure your employees are properly trained in the best practices of IT security, and make relevant learning programs an ongoing commitment.
It is worth mentioning that this is not just a matter of financial investment. Network World cited a study from ESG that found 69 percent of organizations were planning to increase spending on IT security this year. However, data breach is not a problem that goes away when companies blindly throw money at security technology. Investments must be intelligent, meaningful, and highly aligned with the specific risks each firm faces to yield the desired returns.
2. Enhance personnel policies
I know that I discussed this matter at length in my last article on IP governance and you might think I’m beating a dead horse, but trust me – this horse is very much alive and kicking. Insiders represent the greatest threat to your IP and sensitive information, and likely always will.
This has been proven time and time again. Harvard Business Review reported that an IBM study found 60 percent of all data breaches were caused by insiders, and 75 percent of those events were purposeful. To combat this issue, decisive measures must be taken by all enterprises, law firms, and other entities.
Consider adopting these guidelines, which follow the employment timeline of each staff member, to shore up defenses against insider threats:
- Recruitment and screening: Commit to exhaustive background checks and other investigative practices for every potential new hire ahead of the onboarding process, using professional services when necessary.
- First day on the job: Create and make employees sign non-disclosure and confidentiality forms that cover every possible scenario that could lead to the theft of proprietary information, including client lists. Make sure these policies have teeth, backed by progressive enforcement practices.
- Initial months: Engagement is one of the greatest deterrents to insider threats. Disgruntled workers are among the most common types of malicious insiders. Keep lines of communication open, ensure employees feel valued and heard, and proactively measure engagement.
- Throughout tenure: Keep identity and access management protocols tight. No matter what, sensitive information should only be available to employees with the necessary credentials. Consider monitoring and logging access to environments that contain sensitive information at all times.
- Departure: Regardless of whether an employee is fired or quits, swift action must be taken to protect the firm thereafter. Make sure devices and accounts are immediately decommissioned, and minimize exposure in every possible way through tight policies and enforcement procedures.
As a note, if a key employee leaves, the safest move might be to employ an external service provider that conducts departing employee investigations – even before a problem arises. Some action items involved in these activities include imaging of phones, analysis of data transfers, email account investigations, and general forensic appraisals.
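The "Throughout tenure" and "Departure" points above can be turned into a routine verification check. The following is an added example, not code from the original article or from HAYSTACKID: it correlates a constructed HR departure list with a constructed directory snapshot and constructed access-log lines (all names, timestamps and the log format are assumptions for illustration) and flags accounts still enabled after departure and any access to a sensitive environment recorded after the departure time.

```python
"""Offboarding verification check (added example, not from the original article).

Two gaps the departure guidance is meant to close:
  1. an account still enabled after the employee's departure time, and
  2. access to a sensitive environment logged after the departure time.
All users, timestamps and the log format below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed HR offboarding feed: user -> departure timestamp (UTC).
DEPARTURES = {
    "jdoe": datetime(2017, 4, 20, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2017, 4, 21, 12, 0, tzinfo=timezone.utc),
}

# Constructed directory snapshot: user -> account still enabled?
ACCOUNT_ENABLED = {"jdoe": True, "asmith": False, "bchen": True}

# Constructed access log, one event per line: "<ISO timestamp> <user> <system> <action>".
ACCESS_LOG = """\
2017-04-20T15:42:00Z jdoe ip-repository read
2017-04-21T02:13:00Z jdoe ip-repository download
2017-04-21T09:00:00Z bchen ip-repository read
2017-04-22T08:30:00Z asmith file-share download
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, system, action)."""
    ts, user, system, action = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, system, action

def stale_accounts(departures=DEPARTURES, enabled=ACCOUNT_ENABLED, now=None):
    """Departed users whose account is still enabled at `now` (constructed default)."""
    now = now or datetime(2017, 4, 23, tzinfo=timezone.utc)
    return sorted(u for u, left in departures.items() if left <= now and enabled.get(u, False))

def post_departure_access(log=ACCESS_LOG, departures=DEPARTURES):
    """Access events whose timestamp is later than the user's departure time."""
    findings = []
    for line in log.splitlines():
        ts, user, system, action = parse_line(line)
        if user in departures and ts > departures[user]:
            findings.append((user, system, action, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for user in stale_accounts():
        print(f"ALERT: account still enabled after departure: {user}")
    for finding in post_departure_access():
        print("ALERT: post-departure access:", finding)
```

In practice the departure feed would come from the HR system and the log from the SIEM or the repository's audit trail; the comparison logic stays the same.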
When your personnel policies are intelligently crafted and vigorously enforced, your risk of IP theft will be dramatically lower.
3. Pull practices from battle-tested frameworks
You do not need to re-invent the wheel, nor fly blind, when you are building and enforcing your IP protection strategies. Rather, you should draw on techniques, tactics, and models from proven, battle-tested frameworks that have been developed to better manage information in all formats.
To be clear – there is no such thing as a one-size-fits-all approach to security and governance that will work for every company. Rather, you will need to ensure your frameworks are highly tailored to the unique goals and needs of your company’s IP initiatives.
Still, here are a few frameworks that can help guide your policies:
- The Information Governance Reference Model provides an extensive and intelligent approach to data management, and can be an invaluable resource for firms looking to better protect their IP. The whole idea behind this chart of sorts is to unify and standardize the ways in which information is managed, monitored, governed, and used across an enterprise’s various departments.
- The National Institute of Standards and Technology’s Cybersecurity Framework can assist you in understanding all of the moving parts involved in protecting information. This includes your IT infrastructure, communication channels, and more. Applying the tenets of this framework to your IP protection strategies can reduce risk and give your policies the comprehension they need to be effective.
- The U.S. Department of Health and Human Services has a range of materials, guides, and frameworks meant to help medical organizations keep their information safe under the Health Insurance Portability and Accountability Act. These can be extremely helpful for sensitive information, including IP, even if it is not related to health.
The more work you put into the development of your IP governance and protection frameworks, the safer your firm will be. As always, though, if your firm lacks the resources, time, experience, or expertise necessary to create and enforce the best possible IP protection strategies, consider working with a skilled, experienced service provider that specializes in managing these types of assets to get the job done, and get it done right.
Happy World Intellectual Property Day!
Michael Sarlo is HAYSTACKID’s Vice President of eDiscovery & Digital Forensics