The cost of Intellectual Property (IP) theft is not one to be taken lightly. From steep financial losses to the irreparable damage to brand perception, IP theft can swiftly and unapologetically dismantle an organization from within, leaving investments, of both time and money, in ruin.
While many feel that IP protection resides somewhere in legal documentation, the truth is that the threat of theft exists all around us, perhaps now more so than ever, and should be addressed in everyday governing methodologies, policies, and workplace practices.
Of course, vulnerabilities don’t exist solely to threaten an organization’s IP. They also threaten the consumers who use the organization’s products. Although different in nature, both can be addressed and mitigated with proper precautionary steps:
1.) Develop a Secure Supply Chain Protection Policy:
The supply chain is arguably one of the most vulnerable pieces of the IP protection puzzle. This is true in part because of the human aspect, which is subject to error or, in worst cases, malice. In addition, your IP is constantly at risk simply due to the general nature of the cyber reality. Gone are the days when a lock and key kept trade secrets safe. Today’s complex, internet-driven society provides access points of varying nature and severity.
A supply chain protection policy will ensure that your IP is protected on all fronts, from internal development teams to external suppliers and manufacturers, all the way to the consumers. As such, it should address a variety of concerns, including where and how you manage the integrity of your IP through the supply chain, how your organization manages logical and physical access to sensitive materials by employees and contractors, how an audit trail is kept, how often penetration tests and security audits are conducted, and how security risks are mitigated.
As an added bonus, establishing a supply chain policy can help expedite certain aspects of your certification and validation initiatives, as many of these types of protection measures are required for security certifications. For that reason, many organizations find that completing security certifications like FIPS 140-2, Common Criteria and the DoD’s APL prior to product launch can actually help solidify supply chain security.
2.) Work with Trained Professionals & Educated Partners:
Proper training, education, and precautions are essential to ensuring that your product and IP are both secure. While most organizations implement internal training programs and vet their own employees (professional backgrounds, clearances, skill sets), this same standard should extend into the partners you choose to work with. It’s imperative that those responsible for maintaining the integrity of your product understand the risks and impacts of security breaches and the countermeasures available for use to prevent them.
Keep in mind that the individuals working with your product should understand and educate themselves on the nuances of your unique business. For example, an individual or team sent to work with your product development team may have access to the most sensitive and crucial information – source code, trade secrets, competitive strategies, customer data, etc. It’s imperative that you’re confident they can be trusted.
3.) Validate the Facility and Security Policies of a Potential Partner:
Evaluating the credibility of an organization’s employees is one way to limit threats to your product and IP, but there is another step that is of equal importance – evaluating the physical location of the organizations that store your product. This is particularly true if you plan to use an outside partner to undergo FIPS 140-2 validation, Common Criteria evaluation, or listing for the DoD’s APL, which, if not properly secured, can represent a significant risk to your IP.
Before providing any confidential information to a partner, verify the security of their physical location as well as their supply chain protection. Everything from the policies an organization does or does not implement to the overall security of their facilities should be evaluated.
Is the organization housed in a secure building complete with access control? Or is it in a basement or someone’s garage? It’s easy to assume that every security organization or testing lab is highly secure and has been analyzed for security, but that’s not always the case.
Equip your organizational decision makers with a list of questions that address and determine the overall security of a potential partner. And when possible, send a representative of your company to visit the facility in person. Any reputable company will welcome this request.
As a resource to our customers and to you, Corsec has developed a guide for partners in order to better understand their needs as well as shed light on questions you should be asking – Prospective Client Questionnaire.
Corsec understands the importance of caring for this sensitive knowledge, and therefore our employees have not only passed background checks but have also been vetted and cleared to work with sensitive and even classified information. They are also highly trained in threats, risk mitigation, and overall product and procedural security. Corsec also implements and utilizes FIPS 140-2 and Common Criteria evaluated Unified Threat Management tools and systems, including VPN, Firewall, and Intrusion Prevention.
The plans and policies that protect your IP are unique to your organization and will continue to evolve with outside technology and internal and external requirements. The three steps above are a great start to protecting not only your IP, but your brand and customers as well.
Corsec is happy to offer services that can help you improve your overall security, which will both directly and indirectly solidify your IP protection. Contact us today to get started!