Protecting intellectual property (IP) when it is on the corporate network or in the cloud is difficult enough when a company has control of the network defenses, but when IP must be shared with a business partner, threats increase exponentially. Although contractual obligations and insurance can reimburse a company with some monetary relief, putting the proverbial genie back in the bottle when corporate secrets become public or fall into the hands of competitors is impossible.
From a pure technology standpoint, CISOs can employ technologies that limit user access, such as switching to a zero-trust network access (ZTNA) tool rather than traditional virtual private network (VPN) remote access. Or perhaps they employ role-based access control (RBAC) driven by data classification, tokenization, or another security control. Additionally, limiting access through identity and access management (IAM) is common.
Not all IP is the same, nor does all IP require the same security controls, notes Aaron Tantleff, a partner in the Technology Transactions, Cybersecurity, and Privacy practice groups at the law firm Foley & Lardner LLP.
Determining which controls are required, and to what level, depends on the value of the IP, both monetarily and to the operations of the company. It is difficult to generalize about IP protection because each organization has different types of IP that it protects differently, Tantleff notes. Organizations would not necessarily implement the same security controls across the vendor chain, because the controls depend on whether the IP is critical or of lesser value, he adds.
Traditional technologies — and even some emerging zero-trust-based approaches — do help limit the possibility of compromising IP, but they do little to provide security when the IP must be shared with partners. Traditionally, companies shared just small parts of their IP, having various business partners do their work without having access to all of the IP for a product. For example, a business partner might build a single part for a larger project but not have enough knowledge to duplicate everything. In some cases, false "steps" are included in how something works, salting the database the company shared, Tantleff says.
Another way companies can make their IP less useful to someone not intended to see it is to obfuscate some details, such as project code names. Certain functionality can be referred to by an internal alias; for example, encoding, the core function of converting a video from one format to another, can be given a different name.
While controlling the type and amount of data shared is one strategy, a company can limit vulnerabilities by holding onto all IP on its own system and allowing its direct partners to access what they need locally, adds Jennifer Urban, co-chair for Cybersecurity & Data Privacy within Foley & Lardner's Innovative Technology sector.
A major source of risk to corporate IP, one that falls under third-party risk management (TPRM), is business partners sharing a company's IP with their own third parties.
"It's hard with third-party or fourth-party or fifth-party risk to really contain it because it's not in your environment," she says. One recommendation "is obviously not to send any IP to the extent that you can, and certainly prioritize vendors by the type of IP that they receive."
Ideally, a company will keep IP on its protected network and only share the parts a partner needs via a secure connection to the corporate network. Limiting access by need and by specific data improves corporate defenses.
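One way to express the approach above (need-to-know grants per partner, a classification ceiling set by the vendor review, and no onward sharing of sensitive IP to fourth parties) is a small policy check that records every decision. This is an added illustration, not code from the article or from any firm it quotes; the tier names, assets, and partners are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Constructed IP classification tiers; higher means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    TRADE_SECRET = 3


@dataclass(frozen=True)
class IPAsset:
    asset_id: str
    tier: Tier


@dataclass
class Partner:
    name: str
    max_tier: Tier                        # ceiling agreed in the vendor review
    granted: set = field(default_factory=set)  # explicit need-to-know grants
    may_reshare: bool = False             # onward (fourth-party) sharing allowed?


def evaluate(asset: IPAsset, partner: Partner, action: str, audit: list) -> bool:
    """Allow 'view' only for explicitly granted assets within the partner's ceiling.
    Allow 'reshare' only if the contract permits it and the asset is below
    CONFIDENTIAL. Every decision, with its reasons, is appended to the audit log."""
    reasons = []
    if asset.asset_id not in partner.granted:
        reasons.append("asset not in partner's need-to-know scope")
    if asset.tier > partner.max_tier:
        reasons.append(f"tier {asset.tier.name} exceeds ceiling {partner.max_tier.name}")
    if action == "reshare":
        if not partner.may_reshare:
            reasons.append("onward sharing to fourth parties not permitted by contract")
        if asset.tier >= Tier.CONFIDENTIAL:
            reasons.append("confidential or higher IP stays on the corporate system")
    allowed = not reasons
    audit.append((partner.name, asset.asset_id, action, "ALLOW" if allowed else "DENY", reasons))
    return allowed


# Constructed sample data: one component supplier scoped to a single part design.
GEARBOX_DESIGN = IPAsset("part-gearbox-housing", Tier.CONFIDENTIAL)
FULL_PRODUCT_SPEC = IPAsset("product-full-spec", Tier.TRADE_SECRET)
MARKETING_SHEET = IPAsset("marketing-datasheet", Tier.PUBLIC)
SUPPLIER = Partner("Acme Machining", Tier.CONFIDENTIAL, {"part-gearbox-housing"})
```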
Peter Wakiyama, an intellectual property expert and partner at the law firm Troutman Pepper, says there are two important IP issues that many CISOs and corporate executives get wrong.
"CISOs may think that if there's no harm, [such as] a data breach or loss, there's no foul. That is not true," he says. "Simply failing to enact adequate protections may have legal consequences because a trade secret owner must consistently use reasonable efforts to keep trade secrets and other confidential information secure. As new threats emerge, new protections must be continuously implemented to ensure that trade secret legal rights are not compromised."
As to the second issue, "Many CISOs and other IT professionals believe that if you pay for it to be created, you own it. Not true. Depending on the facts and circumstances, the vendor/developer may retain significant IP ownership rights to inventions [patents] and copyrights," Wakiyama notes. "For example, if a vendor is hired to design, build, and implement a custom security program, unless the vendor agrees in writing to assign over all of its IP rights, it will retain invention rights and copyrights and may be free to use and share those rights with others."
Andi Mann, founder of the management advisory firm Sageable, says protecting IP needs to be viewed as a human issue as much as a technological one. While organizations can audit the use of IP by employing an array of monitoring and network visibility tools, it normally comes down to a people issue.
"You have to have controls in place," Mann says.
The technology component is important, but contractual agreements that limit what a third party can know, and what it can do with that knowledge, are still a cornerstone.
"You've got to provide incentives," he adds. "You've got to understand why people are accessing this kind of content in this data, like if one of my engineers goes and looks up our patent database or innovation plan. Why? Talk to me about why you need it. And you can restrict access to some of this data and some of this information."