Many businesses rely on innovation and knowledge to beat the competition and achieve success. Their intellectual property (IP) is often their most valuable asset, and they consider it to be highly sensitive information. There are different types of intellectual property; they include copyrights, trademarks, patents and trade secrets. Some IP is protected under the terms of state and federal intellectual property laws; examples can include innovations, advances in technology, formulas, business processes, media products, web content and music. Because IP protection is a very complicated area, companies often seek the services of intellectual property attorneys, who help them respond to instances of trademark, patent or copyright infringement.
Intellectual property theft occurs when a person steals these assets. Potential outcomes like economic damage, the loss of a competitive edge and slowdown in business growth define intellectual property theft as a serious concern for businesses. According to the Update to the IP Commission Report released in 2017, the U.S. economy loses over $225 billion annually due to IP theft in categories such as counterfeit and pirated tangible goods, patent infringement, and pirated software.
The media often talks about global enterprises falling victims to IP theft while similar stories about small companies go unreported. The truth is, the risk of IP theft is high for companies of any size. In fact, the 2018 Netwrix IT Risks Report found that SMBs are even more vulnerable to IP theft and cyber espionage than enterprises. These cases just don’t get as much attention.
Let’s take a closer look at the 2018 Netwrix IT Risks survey responses to learn about the most frequent intellectual property theft scenarios and the security practices that help with intellectual property protection.
What are the most common IP theft scenarios?
Human errors. 51% of survey respondents named human errors as a common method for intellectual property rights infringement. This happens when employees lose devices, accidentally send files containing trade secrets outside the company network, or fail to uphold their responsibility to not share confidential data with unauthorized parties. For example, in October 2017, an Apple engineer brought his daughter to work — where she filmed the unreleased iPhone X for her vlog. The footage included an iPhone X with special employee-only QR codes and a notes app with the code names of unreleased Apple products. After her video went viral on YouTube, her dad was dismissed from Apple.
Malware infiltrations. 48% of survey respondents have suffered malware infiltrations. Malicious software enables criminals to steal an enormous amount of IP. For example, from around 2006 to 2018, a hacking group called Advanced Persistent Threat 10 (APT 10) targeted the networks of more than 45 technology companies and U.S. government agencies in order to steal information and data concerning a number of technologies. In addition, the hackers attacked the computers of managed service providers (MSPs) and accessed the networks of their clients. By using spear phishing techniques to introduce malware onto computers, they were able to steal of hundreds of gigabytes of intellectual property and other confidential business and technological information.
Privilege abuse. The third most common root cause of IP theft, according to the Netwrix research, was privilege abuse, which was named by 34% of respondents. By exploiting their access to sensitive files, employees commit economic espionage and steal trade secrets. An unfortunate tale which happened at biotechnology company GlaxoSmithKline (GSK) serves as a good illustration. A group of conspirators, including a former GSK research scientist, stole trade secrets to benefit a Chinese pharmaceutical company. According to the U.S. Attorney in the case, the GSK scientist emailed confidential files and transferred portable electronic storage devices containing trade secrets to his China-based associates. In 2018, two of the defendants pleaded guilty to intellectual property theft, but the exact amount of financial damage has yet to be calculated.
Who is responsible for IP theft?
A strong defense against IP theft must involve measures against not just outside attackers, but insiders as well. Even if an attack is initiated from the outside, it is often an employee who disregards privacy policy and clicks on a malicious link that lets the attacker into the network. Insiders also copy sensitive data from their work computers to USB drives and then lose them, putting the data in the hands of outsiders. Unfortunately, the report shows that 29% of companies are still sure that hackers are the most dangerous threat actors when it comes to IP theft, while over 60% of the incidents they experienced were actually caused by regular business users. IT staff, who are perceived as the least dangerous threat actor, were responsible for 30% of reported incidents.
Departing or terminated employees also require attention. Take a look at these figures: Only 25% of companies think that these employees are an important risk factor, but 39% named them as the threat actors responsible for actual security incidents.
What do companies do to protect against IP theft?
The survey reveals that organizations are not doing enough to protect themselves against IP theft. It’s not only that they underestimate the risks coming from their own employees; they also fail to implement security basics. 36% of organizations conduct asset inventory once a year or less frequently, 20% almost never get rid of stale and unnecessary data, and 17% have never performed IT risk assessment.
Moreover, the survey results show that 44% of companies still don’t know or are unsure about what their employees are doing with sensitive data. With this lack of visibility, it’s almost impossible to detect cases of intellectual piracy in a timely manner.
Only 19% of companies classify data once a quarter. Moreover, even though data access rights should be updated every 6 months to help prevent inappropriate access, 51% of organizations perform such checks less than once a year.
How can organizations minimize the risk of IP theft?
To better protect against intellectual property theft, companies say they want to improve detection of security events (68%) and implement security safeguards (63%).
We also recommend the following best practices:
- Gain visibility into sensitive data. Knowing exactly what sensitive data you have and who has access to is the initial step in building strong security posture. Using an automated data classification solution will help you dealing with the loads of data being created or modified daily.
- Establish a data security policy. A security policy defines how security threats are addressed, specifies which controls are needed to mitigate IT security vulnerabilities, and defines a recovery plan should a network intrusion occur. Your security policy must be verified by your legal department and signed by your CEO. The document should contain what actions will be taken and what penalties will be applied if these policies are violated and your investigation identifies the culprit.
- Monitor employee activity. Even if you trust those who have access to your sensitive data, they are still are the biggest threat, because even people without bad intentions can make critical mistakes. That’s why it is important to establish user behavior monitoring. Pay particular attention to abnormal spikes in activity, which are a sign that something could be wrong.
- Involve HR. It’s a good idea to coordinate with HR and be notified whenever an employee is leaving so you can watch for suspicious activity, such as bulk file copying, before they leave and disable their accounts promptly when they are gone.
- Provide training to employees. Poor cybersecurity awareness of employees increases the risk of IP loss. We recommend establishing training programs for employees based on their roles and the level of access they have in your network. Explain what a potential attack (such as phishing) looks like, how it works and what the consequences are. Remind everyone about your password policies and encourage employees to report security incidents. Work to avoid misunderstandings; your IT department should be open to questions and concerns from regular users regarding your security program.
Conclusion
Intellectual property helps drive a company’s competitiveness and growth, so trademark, patent, trade secret and copyright protection should be an integral part of every security strategy. Building a strong line of defense requires a company-wide involvement, from regular users to top executives. Knowing that risks are rising, companies should ensure they have proper security policies around sensitive data protection and continue working with their employees to minimize risks coming from insiders.