Threats To IP Call For A Risk-Based Approach

By Pamela Passman, Center for Responsible Enterprise and Trade (create.org). Article reproduced from IP Watch.

Economic globalization and digitization of information have revolutionized business and allowed for efficiency that was unimaginable a few decades ago. The ability to share information remotely means companies can coordinate with partners remotely, integrate suppliers, track shipments and communicate in real time with customers in distant markets. These trends represent a seismic shift in the way the world works.

But the shift has created new challenges and vulnerabilities that companies are only beginning to comprehend. The information that firms hold and exchange – including intellectual property, trade secrets and customer data – is rich with high value targets for criminal syndicates, governments, competitors, disgruntled insiders and hackers. Today’s business networks, which can include a few, a few dozen or a few thousand partners in various nations, are riddled with access points for motivated trespassers.

Information theft is a real and present danger, and the daily headlines chronicle how it is hitting profits, corporate and brand reputations, and cutting into markets. The rapidly mounting losses caused by these incidents is evidence that the way many companies are addressing the threat – typically with a combination of legal, IT and supply chain tools – tends to be reactive, taking place after the damage is already done.

In this new reality, companies need to take holistic, risk-based approach that recognizes information assets as one of the keys to business success. Fortunately, most companies can leverage a system that they already have in place to address other key risks. Enterprise risk management (ERM), which is widely used to anticipate and grapple with other high-level business risks, can be adapted to address threats to IP and other proprietary information.

The scope and nature of the threat is evolving and growing:
A simple email is sometimes all it takes for a malicious employee to share valuable trade secrets with competitors – assets such as product plans, the findings of expensive research or a unique manufacturing process.

A complex supply chain can open the door for counterfeit parts to enter products and result in health and safety risks to consumers. Fake products and components have been found in virtually every industry – including military equipment, automobiles, pharmaceuticals, food and toys.

A coveted new technology can be copied and immediately distributed around the world. In an increasingly common narrative, it is a departing employee who is arrested after downloading company files with proprietary information on hybrid car technology, solar panel technology, high-tech fabric for military use, and financial system code.

Meanwhile, cyber intrusions that compromise consumer data or payment information for thousands, or millions of customers are skyrocketing. These attacks have increased 66 percent year-on-year since 2009 – and have become much more costly on average, according to PwC’s recently published Global State of Information Security Survey for 2015. Globally, the annual estimated reported average financial loss attributed to cyber security incidents was $2.7 million, up 34 percent over 2013. Organizations reporting financial hits of $20 million or more in 2014 increased 92 percent in that period.

And this is just a partial picture. Some organizations choose not to report detected cyber intrusions for a variety of reasons, while many others are believed to go undetected, the report said.

Getting Out Front

The challenge for companies, as well as governments and other organizations, is to get ahead of the threat by anticipating a potential risk of information theft rather than reacting after it has become an urgent problem. In addition, they need to think beyond their traditional boundaries to be effective.

ERM is the most effective resource that companies possess for doing so. It is designed to help a company shift from dealing with negative events reactively to taking a proactive, preventative approach to the risks that it faces, and for strategically allocating resources to reduce the company’s risks internally and in its end-to-end supply chain.

The framework is widely used to take on issues such as financial stability, quality control, health and safety, environmental and labor issues. The system can be readily adapted to consider the business and compliance risks related to IP. Indeed, it is imperative that threats to these assets, which are now effectively the “crown jewels” for many companies, be considered alongside other key business risks.

The fundamental elements of ERM – though there are a couple of different models – are to systematically “identify, assess and manage” business risks.

For protecting intellectual property it is hard to overstate the importance of first step – to identify risks. This requires a full accounting of company’s intellectual property – that covered by patents, trademarks, and copyrights as well as trade secrets and sensitive data – where it is located, who has access to it.

Identifying vulnerabilities, internally and within the supply chain, is critical to addressing them. The PwC survey suggests that many companies have not done a comprehensive assessment. Just 52 percent of the respondents said they have a program to identify sensitive assets, and just 56 percent have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.

The risk-management approach provides a way to rank threats by analyzing the probability of given problems – in this case, misappropriation of IP – and the severity of the damage each would cause.

That assessment in turn provides a return-on-investment basis for a risk management strategy. With respect to IP risk, it helps to focus allocation of resources for investment in IT security, and generates insights for improving IP protection processes, training employees, conducting due diligence on potential supply chain partners and creating contingency plans if sensitive information is compromised.

It is not surprising that companies have rushed to invest in cyber security over the past several years. Theft of sensitive information through cyber attacks are the misappropriation incidents that get the most press – especially those apparently launched by foreign governments.

“(I)n the battle against cybercrime most companies spend the majority of their time and resources building a fence around their internal organization – including their data, systems and personnel,” according to the Global Information Security Survey 2014 published in October by Ernst and Young. “This is a starting point, but the perimeter is no longer stable, and a fence no longer possible.”

Theft by insiders remains more common. In the PwC survey, 57 percent of respondents viewed employees as the most likely source of a cyber attack, and 32 percent said insider crimes are more costly or damaging than incidents perpetrated by outsiders.

Last year’s data breach of Target stores, compromising the credit card and personal information of millions of customers, suggests how third party relationships might prove to be a conduit for theft. That incident reportedly traces back to carelessness on the part of a vendor providing heating, air conditioning and refrigeration services for the big box store.

It is important to note that no company is immune. As larger companies put in place more effective security safeguards, threat actors are increasingly stepping up their assaults on middle-tier companies, many of which may not have security practices that match the maturity of bigger businesses.

The value of the risk management approach is that it helps companies consider the whole business ecosystem and tailor security strategy manage IP risk internally and within the supply chain, as well as guarding against attacks from afar.

It is worth emphasizing that while IT security is essential, it is just one element required to protect IP from misappropriation.

Effective protection also requires buy-in from top leadership, and the input from all business divisions. A cross-functional team is instrumental for identifying important IP and risks, and ensuring policies are in place for handling sensitive information. The policies must be translated into procedures, reinforced by communication and training of employees.

Given today’s interconnected business ecosystem, vast amounts of data is generated and shared with business partners and suppliers, so due diligence of potential business partners should be of paramount importance. And within a business network, companies should also help key partners bolster their IP protection efforts – and to the greatest extent possible, provide training for their employees.

It is without doubt a challenge to account for threats that are ever changing and traversing nations.

But the reality is that the efficiency we have gained through technology and sprawling global supply chains comes with its own weaknesses. Companies must identify their vulnerabilities and manage the risks thoughtfully, or find that their adversaries will exploit them – potentially at a much higher price.

Note: This White paper is available here