Intellectual property - How protected is yours?

Almost every company has intellectual property of some sort, even if they don’t know it.

Intellectual property (IP) theft is running rampant these days. Some organisations know it and disclose any loss of IP that occurs. Other organisations know it, but keep their IP disclosures under wraps for as long as they can. The rest… well, they may be leaking IP at this very second and be none the wiser.

Lack of information classification, information security policies, and access control measures protecting IP can make for a very sticky situation. Almost every company has intellectual property of some sort, even if they don’t know it. So how do you know if you have IP? And how can you protect it once you figure out what it is? Read on!

Oh, IP - Where art thou? What intellectual property is and how to protect it

The first thing you need to do is sit down and ask yourself - what does our organisation do? If you’re a manufacturer of fine gadgets and gizmos, the chances are that your IP revolves around blueprints or schematics. If you’re a software development shop, your IP is most likely your source code. If you make the absolute best chocolate chip cookie in the world, your IP is definitely your recipes.

The threats to your intellectual property: Inside and out

If your user base doesn’t know what your intellectual property is, where it resides, or how they should handle it, there is a good chance that they’ll leak at least a bit of it (the insider threat in action!), so it’s up to you to provide not only education, but also parameters around how they deal with data. You need to be able to identify and classify your IP, provide written policies to govern access to it, and implement the technical controls to monitor user activity and enforce access control on your IP.

Then there’s the external threat. If your network happens to have some low-hanging fruit that permits attackers into your environment, your data is at serious risk. Allowing an entry point to your network means that your intellectual property is ripe for the picking. If your data isn’t properly protected, attackers can and will get away with your crown jewels.

Information security policies

It’s pretty hard to protect data and keep a business running smoothly without information security policies. An information security policy should provide information on which data needs to be protected and which level of protection is required, who should have access, where the data resides, and how the data needs to be protected. You should also note how the data needs to be transported, as well as methods for its destruction once it’s outlived its purpose.

Data identification and classification

In order to protect the data outlined in your policies, data in your environment needs to be identified and classified. Identifying the data means sitting down with business owners and gaining an understanding of the organisation’s core business objectives, the data that supports those objectives, and the data generated as a result of those objectives. Once you identify the crown jewels of the organisation, you can classify them as restricted.

Next, define a core team that requires access to the data, and give them access. Nobody else should be given access without written consent from the business owner.

Education and awareness

Once you’ve classified your data, you can then start educating users as to how they’ll be accessing and using it. You’ll need to provide basic security awareness training, then ensuring you fine-tune that training for users who’ll be accessing restricted data. 

Once training is complete, users need to understand that actions such as saving IP to their laptop, emailing IP unencrypted or through a personal webmail service, or putting IP on a personal USB key can and/or will be seen as data theft – potentially resulting in dismissal. Make it clear that  attempts to compromise IP will be taken seriously!

Access control to data - principle of least privilege

While educating your users is essential to IP protection, you need to ensure that should they forget some of the rules you taught them, that there are security controls in place to prevent them going where they shouldn’t.. Filesystem permissions, firewall rules, and group policies are examples of access control, and implementing access control measures gives you flexibility to provide or revoke permissions on a specific IP resource and helps keep the user honest. 

Endpoint protection and data loss prevention

It’s always a great idea to install endpoint protection. Endpoint protection suites usually come with some sort of antivirus, intrusion prevention, firewall, and data loss prevention (DLP) capability.

Endpoint DLP provides protection for data in use, data being accessed by a user at a given point in time. A prime function of endpoint data loss prevention is USB key enforcement. You can block all USB drive file transfers, and most popular vendors can even dictate whether or not a file transfer is permitted based on USB drive brand identifiers. Endpoint DLP can generally also provide full disk encryption, rendering any data useless to an attacker who steals a user’s laptop. Just remember to store your encryption keys in a safe place.

Data encryption

Encrypting data at rest is a very good idea. If you have large archives of data, or you have a database of customer information including contact info and credentials, they should be encrypted. If you have any externally-facing databases being accessed by a Web portal, the database should be encrypted. If there is a chance that your data could end up in the wrong hands, it should be encrypted, no “ifs”, “ands” or “buts”. If, or when, an attacker happens to get a hold of your data, it’s best that they not be able to view it!

When it comes to securing your intellectual property, your crown jewels, there are many steps you can take to be successful in your endeavours. The key is to lay the groundwork for your security policies and controls. If you don’t understand which data is considered intellectual property, you can’t classify it. If you can’t classify your IP, you can’t build policies around protecting it. If you have no policy around data handling, protection and destruction, you cannot build security controls that ensure that your IP does not fall into the wrong hands. Information, especially IP, is powerful stuff. The information about your information (also known as “metadata”) is even more important – after all, it’s impossible to protect that which you do not know exists!

Jamie Graves, CEO, ZoneFox
Image source: Shutterstock/Tashatuvango