Managing and protecting intellectual property (IP) can be a complex undertaking. Often, IP is viewed too narrowly — in many cases only as something intangible. Yet experience shows that IP is quite multi-faceted and practitioners have to think in three dimensions — mental, physical and digital — to fully grasp IP’s potential vulnerabilities. Our mobile phones are a good example. Their manufacturers certainly have people who know about highly sensitive attributes of the product (mental); proprietary information about the phone’s design and manufacturing most likely exists in printed form (physical); and nearly all of the aforementioned information about the device is stored on the network and personal computers within the organisation (digital). Protection of IP can be consistent only when sufficient controls are applied in all three dimensions.
Streamlining IP management
Think of IP in terms of information, the processes entailed in its creation, equipment used, and its distribution both inside and outside of your organisation, including unique tangible assets. Knowing where IP exists in three dimensions will help make the definition as inclusive
Consider reverse-engineering each IP asset to understand potential gaps in definition and scope. For example, if a perfume designer creates a new scent, such process of creation can be traced back to understand where sensitive information and ingredients are stored (or sourced from) as well as where they travel and how.
Assign IP asset ownership to specific functional roles within your organisation to ensure accountability. Train IP asset owners at least quarterly on their responsibilities. It is prudent to isolate IP asset ownership assignments among multiple functional leaders to avoid a total loss during a single attack.
Carefully curate IP asset movement and sharing both within and particularly outside of your organisation.
Foster frequent interaction among IP asset owners so that they could learn from each other with the objective of optimising IP asset management.
Streamlining IP protection
Focus on preventing IP loss. Once an IP asset is compromised / lost, some of the damage (operational, financial, and reputational) cannot be undone. It is crucial to make control processes consistent and continuing. Lack of incidents should not lead to complacency. Aligning protection levels with IP asset criticality levels (operational, financial, and reputational) as well as known risks and threats is the best and proven strategy.
Monitor behaviours of those with access to IP assets to identify any “red flags”. This can be done through collaboration between security, investigations, and HR functions. For example, an employee’s pattern of declining emotional health as well as occasional outbursts triggered by seemingly trivial issues should be viewed through the lens of his or her access to IP assets.
Consider frequently changing locations of IP assets on the network to help confuse internal and
external attackers. Be mindful to avoid patterns.
Codify, password-protect, and encrypt your IP asset data. For example, one IP asset owner should not know the codename for, or have access to, IP assets of another owner.
Implement exception-based monitoring of IP assets in all three dimensions. For example: consider what is not right about the current or past state of an IP asset?
Train all who touch IP assets frequently and in different formats (lecture, mobile, visual triggers, active questions, etc.) to foster vigilance. At a minimum, training should be delivered on a monthly basis.
Managing IP loss incidents
Your incident management plan should be actionable and practised at least quarterly. Remember: role-playing and visual workflows are better than a volume of dry text.
Establishing the extent of loss and its severity is key and should be done no later than in the first 30 minutes after an incident is first reported. This can only be achieved by building a robust IP asset inventory and classification system.
Understanding dimensions in which an IP asset has been compromised is critical as it will help optimise your remediation efforts.
Performing a root-cause analysis after each incident will help establish prudent mitigation measures to avoid recurring incidents.