The big idea: why IP cyber theft is a bigger risk than you think

Intellectual property (IP) is what makes an organisation special: it is your company’s unique selling point.

Whether it’s a piece of analysis, a bundle of code or a patented process, the loss of IP can be catastrophic for your day-to-day operations and future strategy.

In a world of cloud servers and remote-working staff, IP theft is easier than ever. Protecting your intellectual property takes work – here’s how you can protect your most unique asset.
 

What is intellectual property?

Intellectual property in Australia is administered by IP Australia, which assesses and issues patents and trademarks. It defines intellectual property as “the property of your mind or proprietary knowledge… an invention, trademark, design, brand or even the application of your idea.” Intellectual property is intangible but precious: think of Google’s trademark (worth an estimated $44 billion) or Coca Cola’s secret recipe, a list of ingredients so legendary that the vault it’s stored in is now a tourist attraction.

We can broadly divide intellectual property into four categories:

1. Copyrighted material, such as books, reports and software, can be protected by copyright from being used by other people without permission.

2. Patents cover inventions and new processes, preventing others from copying the way they function.

3. Trademarks protect words, logos, phrases, symbols and designs that identify an organisation’s products or services.

4. Trade secrets may be processes, designs or information that give a company a competitive advantage, and is therefore kept secret. Unlike other categories, trade secrets are not registered, though their infringement or the breach of confidentiality may be a crime.

Losses from intellectual property theft can be hard to measure, but Chinese IP theft alone is estimated to cost the United States hundreds of billions of dollars annually. Some of that comes in the form of counterfeit handbags and the like, but other profit comes from the kind of materials that cybersecurity can safeguard, such as technical blueprints, chemical formulas and manufacturing data. A recent example is the breach suffered by Volvo, where one of its file repositories was illegally accessed by a third party resulting in some of their R&D property IP being stolen.

Why is cyber theft of IP on the rise?

As organisations have moved away from old-fashioned security perimeters and towards remote work and cloud services, their attack surface has soared. That has resulted in a surge in cybercrime, with the Australian Cyber Security Centre (ACSC) recording $33 billion in self-reported company losses in 2020-21, and reports increasing 13% from the previous year.

But while many organisations are increasingly aware of the risks (and regulatory costs) of a personal data breach, IP theft has escaped the spotlight. Current Australian laws such as Notifiable Data Breach (NDB) legislation are far stricter on breaches exposing personal information than they are on those that expose intellectual property, which generally do not need to be reported at all.

As geopolitics has spread into cyberspace, many industries have been targeted by foreign actors, as shown by attacks on government agencies and universities. Stolen data can give rivals companies and nations a competitive edge and cause serious reputational damage, and Australia’s knowledge-based economy is a clear target. Some argue we need a better response to IP theft, whether through stricter reporting rules or the establishment of an equivalent of the US Commission on the Theft of American Intellectual Property. But while such changes would be welcome, right now the onus is on organisations to keep their secrets safe and their cyber guard up.

How cyberattackers steal IP – and how to respond

Human error is, depressingly, one of the key sources of intellectual property breaches. Emails may be sent to the wrong address, laptops left on trains, unsecured wi-fi used for confidential messaging or phishing emails swallowed hook, line and sinker. These mistakes can result in confidential data being directly transferred, but they can also offer cyberattackers the opening they need to get a foothold on your systems.

Employees may, of course, let hackers in willingly, and insiders are one of the biggest threats to intellectual property. In Mimecast’s State of Email Security 2022 report, 93% of respondents said their organisations had experienced internal threats or data leaks initiated by compromised or careless employees in the previous 12 months, with nearly half saying the threats were higher than last year.

Your incident response must be rapid. You may catch an incursion within minutes, but hackers may have been lurking in your systems for weeks or even months. You must assess the damage promptly across your organisation, your customers and your partners, and alert stakeholders. Depending on the sensitivity of your IP, you may enlist the help of internal or external data experts, but they should be also be specialists in intellectual property, able to assess priorities and risks in the context of legal practice and competitive advantage.

Keeping your intellectual property safe

Given what’s at stake, safeguarding your intellectual property is crucial. Some key steps to follow:

1. Take an inventory of your IP, and the impact its loss would have on your business.

2. Map out where it is stored. This is rarely a simple process: the same data may live in secure storage, in the cloud, on personal devices, in email accounts, on partner storage or even with your customers.

3. Once you’ve audited, you can start building policies and technologies to keep your assets safe. This is especially important where IP is concerned: if you’re shown not to have been sufficiently careful with your intellectual property, the legal case for it being IP is undermined, which may make legal battles harder to fight.

4. Review IP access, and wherever possible ensure it is on a need-to-know basis. You may be surprised at who has the relevant privileges, including staff at third-party organisations and former employees.

5. Review who can grant those access privileges, and consider standardising or automating this process via IP management software.

6. Insider threats can be mitigated with IP-focused threat management systems and email security software focused on data loss prevention.

7. Training will never eradicate all employee mistakes, but it can significantly reduce their number. Just as importantly, it can help build a culture of awareness, in which individuals have the learning and confidence to speak up when they spot a potential leak or vulnerability. Training should be tailored to individual teams, should include legal and security elements where relevant, and should not neglect part-time or freelance workers.

Your organisation’s approach to securing intellectual property will vary based on your resources, the nature of your business and the value of your IP. For some, specialist IP protection will be appropriate. For others, a regular audit and awareness training may well be sufficient.

IP theft is another reason to work towards overall cyber resilience. Measures such as zero trust can prevent incursions spreading, and a balanced cyber strategy with multi-layered security tools will protect against a variety of attacks.


Securing intellectual property is a must

Intellectual property is crucial to every organisation. If it isn’t correctly managed and secured, it will lose its value – once your secret is out, any competitive advantage it offers will evaporate. IP theft can be catastrophic, and with cybercriminals circling, businesses must be on their guard. Organisations must audit their assets and develop an effective strategy to protect them, including awareness training, targeted software solutions and effective overall security. Intellectual property may be intangible, but you need to hold it close.