Intellectual property (IP) is likely one of the most valuable assets your business owns. For that reason, taking steps to prevent intellectual property theft — which can occur in many ways — is a critical step toward protecting your business’s health and maintaining an edge over competitors.
This guide explains how to do that by defining intellectual property theft, how it happens, and the best practices businesses should follow to prevent it from happening.
What is intellectual property theft?
Intellectual property theft, or IP theft, is the appropriation of unique ideas, inventions or other information by parties without permission to borrow or reuse it.
With the world moving into a knowledge-worker-based economy, companies derive less and less value from widgets and more from the processes, ideas and innovations they create — their IP.
IP doesn’t live in static databases. It’s what your marketing teams create daily, what your product designers are mapping and what your engineers are building. It lives on endpoints and in various cloud applications and may include source code, go-to-market plans, customer lists and CAD drawings.
Examples of intellectual property theft
While stealing private data like a patent through data exfiltration may be the first example of IP theft that comes to mind, there are numerous ways it can occur.
Here’s a closer look at the three most common IP theft scenarios:
One behavior that leads to IP theft is the insecure use of cloud services or applications due to human error. If an employee uploads data to a cloud service and exposes it by making it publicly viewable, it becomes available to anyone with an internet connection.
Additionally, the intermixing of company applications and storage services with personal devices and services is a common vector for IP theft, as personal devices are black holes for most security and IP tracking systems.
Unlike when employees inadvertently expose IP to theft, some may deliberately steal data.
Corporate spies (employees who use espionage techniques for commercial or financial purposes) or workers stealing data for their own use may seek out sensitive information from file shares hosted by corporate servers. Similarly, disgruntled employees who have put in their notice to quit might intentionally leak private business data to competitors to take revenge on their soon-to-be former employer.
Malicious actors outside an organization, like hackers, don’t typically steal IP, but it happens occasionally. They use phishing or other social engineering attacks to steal regulated data like Personally Identifiable Information (PII) and credit card details that they can monetize by impersonating individuals.
Types of intellectual property
Whichever way IP theft occurs, the damage to your company will likely be the same. That’s why businesses must understand the types of information employees and others could expose through IP breaches, then take steps to protect it.
There are three primary types of IP:
Trademarks are symbols that represent your brand. They could be visual, such as a logo or seal, but they could also be written expressions or sayings associated with your business. This data certainly isn’t confidential, but it’s almost impossible to isolate.
Say you’ve got a contractor with access to your OneDrive Corporate Brand folder—a folder that also includes brand strategies and draft press releases announcing a divestiture. You don’t really care what that contractor does with the brand elements, but if they copy that whole folder to their personal drive, they introduce significant exposure risk. Not even Microsoft can see that type of data movement today.
It’s not the trademarked articles themselves but how your company shares them that could expose your organization to data exfiltration.
A patent is a form of IP that grants a business the exclusive right to monetize an idea or product. Typically, acquiring a patent requires a company to disclose information about how the concept works, and other businesses can’t use that information as long as the patent remains in effect.
Patent theft can be highly nuanced, like when Anthony Levandowski downloaded circuit board designs and testing documentation from his Waymo corporate computer to use in his new role at Uber. Resolving it took nearly five years and hundreds of millions in lawsuits, and a patent didn’t help to protect the designs.
A trade secret is any type of information that is generally not known to the public and can potentially create economic value for the business that has access to it.
If one of your remote software engineers takes a branch of code, commits it locally, and then pushes that to their personal Git repository instead of to the corporate hosting tool, they’ve exposed trade secrets.
Additionally, remote employees don’t usually use their corporate VPN, making monitoring the movement of trade secrets via browsers and email more challenging.
Trade secrets are often the most challenging IP to protect because they’re the work your employees create, change, move and share daily—they’re the lifeblood of how work gets done. Trade secrets are hard to lock down and catastrophic when exposed.
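The personal-repository scenario above can be checked from the output of `git remote -v`. The following is an added example, not code from the original article or from any vendor tool; the host names in `CORPORATE_GIT_HOSTS` and the sample remotes are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder hosts standing in for the corporate Git hosting tool.
CORPORATE_GIT_HOSTS = {"git.corp.example", "github.corp.example"}

# scp-like syntax Git accepts: [user@]host:path (no scheme, no "//" after the colon).
# The host must be 2+ characters so a Windows drive path (C:\repo) is not a host.
_SCP_LIKE = re.compile(r"^(?:[^@/\s]+@)?(?P<host>[^:/\s]{2,}):(?!//).+$")

def remote_host(url):
    """Return the lower-cased host of a Git remote URL, or None for a local path."""
    url = url.strip()
    if "://" in url:
        return urlsplit(url).hostname  # lower-cased by urlsplit; None for file://
    match = _SCP_LIKE.match(url)
    return match.group("host").lower() if match else None

def untrusted_push_remotes(remote_v_output, trusted=CORPORATE_GIT_HOSTS):
    """List (remote name, host) for push URLs that leave the trusted hosts."""
    findings = []
    for line in remote_v_output.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != "(push)":
            continue  # only push URLs move code out of the working copy
        name, url, _ = fields
        host = remote_host(url)
        if host is not None and host not in trusted:
            findings.append((name, host))
    return findings

# Constructed sample of `git remote -v` output from an engineer's working copy.
SAMPLE_REMOTES = """\
origin\tgit@git.corp.example:platform/billing.git (fetch)
origin\tgit@git.corp.example:platform/billing.git (push)
backup\thttps://github.com/jdoe-personal/billing.git (fetch)
backup\thttps://github.com/jdoe-personal/billing.git (push)
mirror\tssh://git@GitHub.Corp.Example:2222/platform/billing.git (fetch)
mirror\tssh://git@GitHub.Corp.Example:2222/platform/billing.git (push)
local\t/srv/git/billing.git (fetch)
local\t/srv/git/billing.git (push)
"""

FINDINGS = untrusted_push_remotes(SAMPLE_REMOTES)
```

The same function can back a Git `pre-push` hook, which receives the remote name and URL as its arguments, to stop the push before it leaves the machine.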
7 best practices for intellectual property theft prevention
Preventing IP theft can be challenging, especially when you don’t want to slow down how employees accomplish legitimate work. You can achieve both imperatives successfully by watching for untrusted movement and stopping the activity before damage happens.
Here are seven best practices your company can implement to prevent IP from falling into unauthorized hands while empowering employees to work in the most efficient ways possible.
1. Create acceptable use policies
The first method of reducing IP theft is to create policies that clearly define how, where, when and by whom information owned by your business can be shared. Then, promote the guidelines internally, making them highly visible to your employees, contractors and other stakeholders who may have access to sensitive data.
For example, you could broadcast the policies by posting them on the lock screen of corporate laptops or requiring stakeholders to review electronic copies of the guidelines periodically.
2. Maintain transparency with employees and contractors
Being transparent with employees and contractors about how your business manages data related to them is another step toward preventing IP theft. It’s also a legal requirement in states like New York and California, which mandate that employers disclose how they monitor employees.
For both of these reasons—not to mention the ethical imperative of operating transparently—it’s a best practice to be clear about which types of information you collect about workers, how you gather it and whether and how your company shares it with third parties.
Moreover, transparency creates a culture of trust. When security and employees see themselves as partners in safety, they let the security team know when they see something wrong happening or when they make a mistake. Learning from previous data security errors also develops better security habits within your entire organization.
3. Monitor all of your data and its movement
Instead of deciding which types of data qualify as IP, it’s easier and more efficient to treat all data as potential IP and monitor its movement accordingly. Inadvertent data exposure occurs up to 34 times per user every day, so protecting all data as if it’s IP helps minimize the risk of accidentally moving sensitive information and creating a situation for IP theft.
Make it clear to employees that monitoring data movement to untrusted locations isn’t the same as surveillance. It doesn’t mean looking for irregular employee behavior by monitoring activity, tracking keystrokes, taking pictures of screens, watching performance or other invasive activities. Monitoring the data a company owns is in the interest of both employees and the company since it protects innovation and competitive edge.
Additionally, data monitoring produces an audit trail you can use to investigate an IP incident. It helps you establish a “baseline” of normal events, empowering you to detect untrusted movement that could be a sign of IP risk.
Lastly, manually tagging and creating policies to police data movement is incredibly difficult, if not impossible, so using tools that allow you to monitor data movement automatically is essential. Your tools should also generate alerts when someone moves data in ways that could signal IP risks.
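The approach in this section, treating every file the same and alerting on movement to untrusted destinations that departs from a per-user baseline, can be sketched as follows. This is an added example, not code from the original article or from any product; the trusted domains, event tuples, `factor` and `floor` values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Assumption: these domains stand in for the company's sanctioned destinations.
TRUSTED_DOMAINS = ("corp.example", "corp-files.example")

def is_trusted(dest_url):
    """True when the destination host is a trusted domain or a subdomain of one."""
    host = (urlsplit(dest_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def untrusted_bytes(events):
    """Total bytes per (user, day) sent to untrusted destinations."""
    totals = defaultdict(int)
    for day, user, dest, size in events:
        if not is_trusted(dest):
            totals[(user, day)] += size
    return totals

def build_baseline(history, days):
    """Median daily untrusted volume per user; days with no movement count as 0."""
    daily = untrusted_bytes(history)
    users = {user for _, user, _, _ in history}
    return {u: median(daily.get((u, d), 0) for d in days) for u in users}

def alerts_for(events, baseline, factor=5, floor=10_000_000):
    """Flag users whose untrusted volume exceeds max(floor, factor * baseline)."""
    alerts = []
    for (user, day), total in sorted(untrusted_bytes(events).items()):
        threshold = max(floor, factor * baseline.get(user, 0))
        if total > threshold:
            alerts.append({"user": user, "day": day, "bytes": total, "threshold": threshold})
    return alerts

# Constructed sample events: (day, user, destination URL, bytes moved).
HISTORY = [
    ("2024-03-01", "alice", "https://mail.example.net/upload", 2_000_000),
    ("2024-03-02", "alice", "https://mail.example.net/upload", 3_000_000),
    ("2024-03-03", "alice", "https://mail.example.net/upload", 1_000_000),
    ("2024-03-01", "bob", "https://git.corp.example/push", 500_000_000),
]
TODAY = [
    ("2024-03-04", "alice", "https://mail.example.net/upload", 4_000_000),
    ("2024-03-04", "bob", "https://git.corp.example/push", 900_000_000),
    ("2024-03-04", "bob", "https://drive.example.org/personal", 250_000_000),
]
BASELINE = build_baseline(HISTORY, ["2024-03-01", "2024-03-02", "2024-03-03"])
ALERTS = alerts_for(TODAY, BASELINE)
```

Large transfers to trusted destinations never raise an alert here, and small habitual transfers stay under the threshold, so only the movement that is both untrusted and out of pattern is flagged.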
4. Flag your most at-risk IP
To protect yourself from IP theft, identify which types of IP are at risk. Determine where trademarks, patents, trade secrets and other susceptible data exist within your business and how much potential exposure to theft that data faces.
This practice is crucial because it helps you deploy theft prevention resources most efficiently. It can also reduce the “noise” within data monitoring operations by allowing you to focus on tracking high-risk data and ignore alerts about mundane information that’s not particularly sensitive.
Like data monitoring, manually determining sensitive IP isn’t feasible for most businesses. You’ll need tools that can automatically detect where at-risk information lies, then set up dashboards to track risk activity related to that information in real-time.
5. Stop breaches before they happen
The average cost of a data breach is 4.35 million dollars, so an ounce of IP theft prevention is worth many pounds of cure. When you stop violations before they happen, you can save your company considerable sums in legal costs, reputational harm to the brand, loss of competitive advantages and beyond.
Remember that preventing breaches shouldn’t mean blocking data movement to the point that collaboration and communication within your business become difficult. Instead, strive to protect sensitive information to prevent violations without hindering normal business operations.
6. Situationally train and drive secure work habits
An alarming 96% of U.S. security leaders and practitioners believe their company needs to improve data security training. To make education effective, offer interactive programs rather than long videos or training methods that employees will write off as a yearly “checklist item.”
Training is also more effective when it takes place at strategic times. For example, you could offer training right when employees are doing something that puts data at risk. Patented information going to an unapproved shared drive? Contain the damage and send the employee a brief reminder on approved sharing.
You could have security teams train employees themselves or send all these videos manually, but they’re fighting fires every day. Ideally, you train employees proactively and responsively — all in an automated but still customizable way to fit your workflows and organizational structure.
7. Use the right tools
Deploying the right tools is critical to identifying at-risk IP and monitoring risky data movement. In addition, having software that provides real-time alerts upon risk detection is crucial in addressing threats before they become active breaches.
Organizations with IP assets of any size and with employees working in a mobile, flexible, fast and dynamic environment need automated tooling to protect sensitive information at scale.
Start preventing IP theft without blocking productivity
The problem of IP theft isn’t going away. With the changing ways that employees work and how markets increasingly value businesses based on their IP instead of physical assets, it’s only growing in scope and impact.
That’s why protecting IP should be a key consideration for every organization. And while tackling IP theft may seem daunting due to the volume of the data at stake, the ever-changing nature of data and the difficulty of identifying risks in real-time, IP theft prevention is possible with the right tools.
Code42 gives you the visibility, context and controls you need to stop valuable data from going to places you don’t trust without slowing down your business. Our products and services prevent data leaks and reduce your organization’s Insider Risk over time. We analyze your risk exposure and show you activities requiring security intervention, so you can confidently respond before damage occurs.