In July, Kilpatrick Townsend and Ponemon Institute released their findings from The Cybersecurity Risk to Knowledge Assets study, which confirmed most companies’ worst fears: their intellectual property is at risk every day, and theft is rampant. The 600 survey respondents also disclosed that most companies are unsophisticated when it comes to identifying their key intellectual property (particularly trade secrets) and protecting it adequately. And, most surprisingly, nearly seven out of ten respondents estimated the expected costs associated with loss of these important assets to total more than $100 million.
Based on the survey results and best practices, companies should consider adopting a five-prong approach to protecting their knowledge assets. This approach starts with early identification and categorization of a company’s knowledge assets and uses a broad group of employees from different divisions within a company to prioritize and identify the company’s most valuable assets. Then, a targeted protection strategy can be developed and routinely monitored. Finally, creating a protocol for educating employees on their role in protecting the company’s intellectual property is the linchpin to the successful protection of knowledge assets. These steps are described in more detail below.
Identifying Your Knowledge Assets
Protecting intellectual property from attack must involve an early identification of the critical information assets that need to be protected. For example, a trade secret that is the key to your company’s business should be protected with safeguards that involve multiple layers of security and protection. But information that is confidential and proprietary, although important to your business, may require a lower level of protection. Thus, the first line of defense in the war for your intellectual property is developing an identification system that prioritizes and categorizes your knowledge assets.
The study results confirm that most companies do not employ such an overall identification system to segment their intellectual property and knowledge assets based on the value to the company or the priority to the organization. Instead, most companies rely on ad hoc classification systems that are often siloed within one organization in the company. And, most often, the information that is identified for protection relates to inventions for which the company may seek patent protection. Trade secrets and other confidential information are often much harder to define and are therefore less often expressly classified for protection within an organization.
Build Cross-Functional Teams to Identify Those Assets
Because different divisions within a company use and develop information assets differently, it is important to have a cross-functional group involved in this identification. For example, having team members from legal, IT, new product development, marketing, compliance, HR, and risk management would enable a company to have a more comprehensive assessment of the most valuable knowledge assets the company has. The use of a multi-disciplined group to assist in the identification and categorization process is the next line of defense to ensure all of your company’s most important assets are protected.
Create a Protection Strategy Targeted to Your Knowledge Assets
Next, after the cross-functional team has identified your company’s critical knowledge assets, a company should develop a comprehensive protection strategy for those assets based on their value to the organization. Storing trade secrets in the cloud, for example, is highly risky, particularly because most companies do not thoroughly vet the cloud provider storing their assets, according to survey respondents. In addition, limiting access to those high-value intellectual property assets only to those employees who have a need to know that information is another relatively easy way to protect this information. Equally important is changing an employee’s access rights when his or her job functions change and removing that employee’s access to trade secret information. Moreover, marking trade secret information with confidentiality indications and using additional layers of security for access to electronic files containing trade secret information are other low-cost protection strategies to consider.
Although these protection strategies can be time-consuming, the failure to employ them can mean that your knowledge assets are at risk from attack. Seventy-four percent of the survey respondents believe that their company likely failed to detect a data breach involving the loss of knowledge assets, and sixty percent confirm that one or more pieces of their company’s knowledge assets are likely now in the hands of a competitor. Thus, most companies know that theft is rampant but are not yet employing protection strategies targeted to protect their most important assets. As a result, a key component of a comprehensive knowledge asset protection program involves the implementation of security measures to limit access to important knowledge assets.
Monitor Your Protection Strategies Routinely
Once a company has developed a plan to protect those critical knowledge assets, the next important step is to remain constantly vigilant and routinely monitor those protection strategies to ensure that they are being used by all employees and are effective. Requiring clear accountability for compliance is also important so that individuals take personal responsibility for ensuring the measures are working. When a company routinely monitors the protection of its knowledge assets, a leaky pipeline (such as a careless or disgruntled employee) can be quickly identified and addressed. Although routine monitoring requires another step in the process of protection, it is an important and relatively low-cost measure to implement, and because it is ongoing, it can quickly identify a problem before millions of dollars of knowledge assets walk out the door.
Interestingly, most corporate boards and senior management are more concerned about a data breach involving credit card information or other personal identification data than they are about a loss of knowledge assets, even though survey respondents report that a data breach involving their intellectual property would impact their company’s ability to operate as a going concern. The “head in the sand” approach to knowledge asset protection, unfortunately, is often employed, but that laissez-faire attitude can lead to millions of dollars in intellectual property loss. For example, almost five out of ten survey respondents assessed the costs associated with an attack on their company’s knowledge assets to total over $250 million. More importantly, from a legal perspective, once a trade secret is no longer secret, it cannot be protected as a trade secret in the future. Thus, the cost of inadequate protection strategies can be even higher than the large dollar figures estimated by the survey respondents.
Create Protocols for Employee Education
Threats to intellectual property from outside hackers have been highly publicized, but careless employees are more likely the culprits when it comes to intellectual property loss, according to survey respondents. During the onboarding process, it is important to remind new employees about their obligations not to bring another company’s confidential information with them to their new job and to educate them on your company’s policies for the protection of knowledge assets. Then, continual training for current employees about what information is confidential and trade secret is also important, as most employees’ memories of their new employee orientation tend to fade over time.
It is important to remind employees about their obligations upon their departure from the company too. Using exit interviews and reminders to departing employees about their ongoing confidentiality obligations can help ensure that departing employees do not inadvertently misuse or disclose confidential information after their departure. Many companies allow the use of personal electronics (mobile phones, laptop computers, etc.) for work purposes, and upon departure, companies should ask about the use of such personal devices and ensure that those devices no longer contain corporate information. For certain employees who were directly involved with developing or using your company’s crown jewels, it may even be appropriate to use software that can inspect or wipe their mobile device before they leave their employment. And requiring all departing employees to sign an affidavit or certification of the return of corporate information before their departure is another way to reinforce the importance of their ongoing confidentiality obligations. Using these protocols during the onboarding and departure processes can help ensure that employees are more aware of the importance of protecting knowledge assets and the role they play in ensuring that key corporate information is protected.