The steps below are the minimum you should to top keep your IP safe.
- Know what you've got. If all employees understand what needs to be protected, they can better understand how to protect it, and from whom to protect it. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. Meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
- Prioritize it. CSOs who have been protecting IP for years recommend doing a risk and cost-benefit analysis. Make a map of your company's assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
- Label it. If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren't authorized to take, your argument won't stand up if you can't demonstrate that you made it clear that the information was protected.
- Lock it up. Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it's the server farm or the musty paper archive room. Keep track of who has the keys. Use passwords and limit employee access to important databases.
- Educate employees. Awareness training can be effective for plugging and preventing IP leaks, but only if it's targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they're very attentive. As is often the case, humans are often the weakest link in the defensive chain. That's why an IP protection effort that counts on firewalls and copyrights, but doesn't also focus on employee awareness and training, is doomed to fail.
- Know your tools. A growing variety of software tools are available for tracking documents and other IP stores. Data loss prevention (DLP) tools are now a core component of many security suites. They not only locate sensitive documents, but also keep track of how they are being used and by whom.
- Take a big picture view. If someone is scanning the internal network and your intrusion detection system goes off, somebody from IT typically calls the employee who's doing the scanning and tells him to stop. The employee offers a plausible explanation, and that's the end of it. Later, the night watchman sees an employee carrying out protected documents, and his explanation is "Oops...I didn't realize that got into my briefcase." Over time, the human resources group, the audit group, the individual's colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps among infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The legal department has to play a role in IP protection. So does human resources, IT, R&D, engineering, graphic design and so on.
- Apply a counter-intelligence mindset. If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists' publications, or other ideas that may prove worthwhile for your particular business.
- Think globally. Over the years, France, China, Latin America and the former Soviet Union states have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country's economy. Many other countries are worse. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International. In 2016, the Corruption Perceptions Index ranked the following 12 countries as being "perceived as most corrupt": Somalia, South Sudan, North Korea, Syria, Yemen, Sudan, Libya, Afghanistan, Guinea-Bissau, Venezuela, Iraq and Eritrea.
Sign up for CIO Asia eNewsletters.