Tuesday, 15 November 2016

Trade secret asset management: cyber issues revisited

Secrets can't be squirreled
away any more, and we need
more protection than Secret
Squirrel can provide
This weblog has mentioned in the past that trade secrets are in a way the last frontier for effective intellectual property management: trade secrets are often amorphous, difficult to protect and to license safely, hard to value and complicated to deal with in terms of in-house rights management [for a helpful review of management issues click here; for a case study click here]. Being unregistered and having so very little publicly accessible profile, they also pose a huge challenge for the discipline of IP analytics.

The piece that appears below, "Cyber security & trade secret asset management", is by Donal O'Connell (Managing Director of Chawton Innovation Services Ltd and the author of a number of articles that have appeared on this blog over the past year and a half).  Its focus is directed to guarding against cyber theft of trade secrets, a practical topic that falls outside the scope of traditional intellectual property practice but which has to be factored into all levels of trade secrecy management since a secret that is stolen is no longer an asset that can be confidently and profitably managed.
Making money from cyber crime

Spam emails, in the form of phishing, continue as a way for cyber criminals to make money. One study estimated that although the click-through rate on spam is phenomenally low, the criminals can make millions of dollars a year out of these campaigns. People actually buy stuff advertised in spam messages, and it is often spam advertising pharmaceuticals.

Stealing from internet bank accounts is also highly profitable for the cyber criminals. Malware on an infected machine waits until the person connects to a bank's internet service. It allows the person to do the authentication, but then takes over the connection and injects its own money transfer commands into the system and often hides those transactions when the person looks at the balance.

Denial of service attacks also generate money for the cyber criminals. The cyber criminals search out businesses in particular that do a lot of commercial activity online. The cyber criminals then threaten to bring down the business's website unless the business pays them. It is extortion, pure and simple.

Another extortion racket is ransomware. This attack encrypts vital business information and essentially holds the organization hostage until an agreed upon ransom is paid at which time the criminals may or may not decrypt the information. Ransomware is not traditionally malware as it is merely an encryption algorithm that the victim does not have a key to perform the decryption. The ransomware either encrypts the victim's hard drive so the information becomes inaccessible or locks the browser. The cyber criminals then demands payment to decrypt the drive or unlock internet access.

However, there is another way for the cyber criminals to make money.

Trade secrets

A trade secret is defined as any information that:

* is not generally known

* confers some sort of economic benefit on its owner.
* must have been subject to reasonable steps to keep it secret.
Broadly speaking, any confidential business information which provides an enterprise a competitive edge may be considered a trade secret.

Stealing trade secrets from companies

A growing source of income for the cyber criminals is generated from the theft of such corporate trade secrets.

Theft of trade secrets means the theft of ideas, plans, methods, processes, technologies, data or any sensitive information.

These secrets are owned by the company and give it a competitive edge. Theft of trade secrets damages the competitive edge and therefore the economic base of a business.

Trade secrets are plans for a more advanced computer, designs for a more fuel-efficient engine, a company's new manufacturing process, supplier agreements, user data, etc.

Trade secrets exist in almost all companies across all industry sectors, and many trade secrets are extremely valuable indeed.

Three years ago, the Wall Street Journal estimated that the cost of cyber-crime in the USA alone was approximately $100 billion. In 2015, the British insurance company Lloyd’s estimated that cyber-crime cost companies as much as $400 billion a year.

The World Economic Forum (WEF) said that a significant portion of cyber-crime goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot.

The spy agencies in the UK believe that industry networks are targeted by sophisticated cyber espionage attacks on an almost continuous basis, with many of these attacks being suspected of being state-sponsored. The head of cyber for MI5 in the UK has said that having a foreign spy agency attack your business system is now as certain as “death and taxes”.

The cyber criminals are after any trade secrets that can be harvested and monetized. They are not seeking to steal what is on the menu in the company canteen. They do not want to know what colour paint is on the wall of the offices of the CEO. They are not after information which has already been put into the public domain by the company [though this information, in the form of patent and trade mark applications, design and copyright registrations etc., can alert cyber criminals to the likely presence of specific types of trade secret and thus help focus their efforts]. Rather, these cyber criminals are after the trade secrets of the company, the confidential business information which provides an enterprise with a competitive edge.

How the cyber criminals attack

The cyber criminals leverage a variety of different approaches and techniques to identify the vulnerabilities in the IT network of the company and then attack.

The cyber criminals may leverage backdoors into the IT network. They may try a denial-of-service attack or even a direct-access attack. They may try eavesdropping, spoofing, and even tampering directly with the IT network of the company. The cyber criminals may use privilege escalation, phishing, clickjacking or social engineering techniques. In some cases, they create a false environment of stealing non-pertinent data, diverting the attention of incident responders only to exfiltrate trade secret data residing elsewhere on the network. Regardless of what, where and how they attack, they are after the trade secrets of the company.

Trade secrets within companies

Given that the cyber criminals are after a company’s trade secrets, one would expect to see mature and sophisticated trade secret management practices deployed by most companies. However, this is not the case.

The typical findings within companies are that:

* knowledge of trade secret legislation is limited
* companies are not properly managing their trade secrets, with no clear ownership of the trade secret management process or the secrets themselves.
* documentation about the trade secrets is often poor.
* access to and access control around its trade secrets is very ad hoc.  
* protection mechanisms (administrative, legal and technical) deployed to safe-guard its trade secrets is poor or non-existent.
* there is a lack of any classification of the trade secrets by the company.

* details on whether trade secrets has already been shared with third parties was often missing
* information of any trade secrets belonging to third parties but entrusted to the company is scarce. 
* there is often no audit trail. 
Final thoughts

If the cyber criminals are to be stopped from stealing the trade secrets within companies, it requires that the IT folks and the Legal & IP folks work together as both advanced computer and network security as well as proper trade secret asset management are required.
“If you knew which horses were the thoroughbreds, you wouldn’t have to guard the entire herd” - Rich Weyand, The Trade Secret Office Inc.
This article was first posted by Donal to LinkedIn, here.

A Cipher analysis of patents for cybersecurity technologies can be read here.

No comments:

Post a Comment