Wooden Spoon: Blog
How to Protect Intellectual Property Without Destroying Your Budget
This Blog Was Updated in April of 2022
Intellectual property or IP is defined as any work that was created by your company that you have full rights to and could potentially copyright, trademark, or patent. It wasn’t long ago that IP was securely stored as blueprints and documents that were locked away in a company’s vault. Today, however, IP is typically stored on servers and in the cloud to make it easier to access, especially for companies with remote employees. Unfortunately, this also puts your IP at risk of being stolen by hackers or even accidentally released by an employee making a mistake. When this occurs, it can greatly damage your business.
What is Your IP?
The general definition of IP seems fairly broad, so what exactly could your IP be? Essentially, it’s anything you create. This includes technology like special hardware, software, website code, and other items you could patent. It also includes trade secrets such as recipes or processes used to create products. Employee knowledge, especially specialized knowledge that your team developed over years of trials or experimentation, can also be classified as IP. Most people think of IP as something tangible, but it doesn’t have to be.
Why Protect Your IP?
Your IP is what sets you apart from your competitors. Your code, hardware, processes, and knowledge are what allow you to create the products you sell or the services you offer. Without it, you wouldn’t be in business. Because of how unique it is, hackers often target IP during attacks. Once they have stolen it, they can ransom it back to your company, sell it to the highest bidder, or simply release it online for everyone. The Theft of Intellectual Property Commission estimates that US companies lose a combined $600 billion every year due to IP theft.
While business owners do understand that they must protect their IP, some don’t fully understand what that means. Your IP must be protected, but that protection has to work with your other priorities and goals, not against them. Many businesses quickly move to implement safeguards, especially if they’re hacked, without thinking them through. This results in inadequate protection that often still leaves your systems vulnerable.
The difficulty in protecting IP is due, in part, to how much more is now done online. Systems are more complex, with apps coming from the cloud, backups being kept on multiple servers in multiple areas, and more people sharing files and access to information. This makes it harder to see all of the vulnerabilities. Many businesses find themselves being reactive instead of proactive. They’re always on damage control because they’re constantly finding vulnerabilities or being attacked. Others may spend so much time and money on their defenses that they have no budget left for other areas of the company.
Fortunately, there are some things you can do that will help you identify where your vulnerabilities and risks are, implement protections for your IP, and still not break your budget.
First, Know Your IP
Can you make a list of all of your IP and where it’s stored in your company? Many business leaders can’t, but making this list is the first step in protecting your information. You need to know what must be protected, and you need to see where those protections need to be placed. Without knowing these two things, you simply can’t begin creating a plan that fully protects your data.
As mentioned earlier, your IP can take many different forms. When making your list, you’ll want to get input from every department. In a small company, you may even be able to get input from every employee. Consider products, services, hardware, software, processes, documents, and anything else that is unique to your business.
Next, consider where your IP may be stored or accessed. Most people think of cloud servers, laptops, tablets, and smartphones, but there are other areas, too. For example, if anyone ever prints anything related to your IP, that creates an access point at your printer. The same is true if they copy or scan IP-related documents. Then there are apps that share information, employees who use their personal devices, and any third-party systems that you might use. If you have made a partnership with another business, they may have access to your IP, too.
Prioritize Your IP
Next, prioritize what IP must be protected at all costs and what IP is less important. While you may have created a unique process for submitting and approving marketing material, does that process bring you any profit or benefit? It likely isn’t as important as the design of a new engine or the unique code for your phone app. Once you’ve prioritized your data, you and your employees will know what needs to always be protected. You can also then consider who may be the most likely to attempt to steal each type of IP you have, what IP is the most at-risk, and what measures can be taken to protect that IP.
Secure Access, Both Digital and Physical
While businesses originally focused on protecting their physical blueprints, plans, and documents, today everyone is focused on protecting their network and digital files from theft. However, this isn’t an either/or situation. While you may do most of your work via the cloud and need to protect your online information, you shouldn’t forget to protect physical copies, too. If someone were to steal a physical document, they could do just as much damage as a hacker who downloaded critical files.
This means you need to teach your employees about online safety and security, but you also need processes in place to protect physical access. This may include locking doors to specific areas and limiting the number of physical copies made of documents. It also needs to include basic computer workstation security such as logging out or locking your computer when leaving your desk. Keeping a log of who accesses information, both online and offline, can help track where breaches originate. Finally, destroying documents and fully wiping hard drives are also important. No one should be able to find vital IP documents in your trash.
Teach Your Employees How to Protect Data
While IP data breaches can come from hackers and malicious viruses, they can also be caused by employee carelessness. Often, employees don’t fully understand how to protect data. They may not lock their workstations or may take critical files home on their personal devices. With more and more people working remotely, it has become even more important that workers understand how to protect their computers and the information they have.
Employers should provide new hires with data protection training as part of their onboarding. However, this is often not enough to fully train employees, especially as hackers implement new ways of breaching systems. Regular testing, such as sending test phishing emails to employees, should be carried out, and additional training should be offered at least once a year.
You will want to put usage policies in place that help remind your employees what to do to protect data and ensure that those measures are being taken. Your team needs to understand what they need to do on a daily basis, how to identify phishing and other scams, and what steps to take when they believe they are being targeted by hackers or have noticed suspicious activity.
When an employee leaves the company, their access needs to be removed as soon as possible. You will also want a process in place that ensures they do not leave with any IP information. This may include using security programs that can remotely remove specific IP data from devices. Any access granted to vendors, partners, and other third parties should also be removed as soon as your relationship with them ends. Even if you trust these individuals not to attempt to steal your IP, leaving their accounts active does give hackers another route into your system.
Have the Right Tools
Do you know what tools you’ll need to protect your data? Physically, this may include doors with keypads, card keys, or other forms of security along with cameras, sign-out logs, locking file cabinets, and other tools that will only allow authorized people access to hard copies.
Digital security, though, can be more difficult. Protecting your data requires specific tools that not only do the job you need them to do but also can be fully incorporated into your system and work together. With physical security, you typically don’t have to worry about your door locks and cameras interfacing. With digital security, however, if your virus scanner, firewall, and account management software don’t fully work together, it can create vulnerabilities.
In addition to security tools, you also need monitoring programs. These programs will scan for intruders and lock them out if they exhibit suspicious activity. They also monitor your employee accounts and watch for out-of-the-ordinary actions. For example, an administrative assistant’s account that suddenly starts trying to access engineering data can be flagged and temporarily locked out until you can determine if their account was compromised.
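The flag-and-lock behavior described above, sketched as an added example (not code from Wooden Spoon IT or from any monitoring product): each account's normal resource categories are learned from a baseline log, and an account is temporarily locked after repeated out-of-baseline attempts within a short window. The log format, account names, threshold, and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs: timestamp, account, resource category, result.
BASELINE_LOG = """\
2022-04-01T09:02:11 avega calendar ok
2022-04-01T09:15:40 avega expenses ok
2022-04-01T10:01:03 rchen engineering ok
2022-04-01T10:20:19 rchen source_code ok
"""
LIVE_LOG = """\
2022-04-05T08:59:30 avega calendar ok
2022-04-05T13:02:05 rchen engineering ok
2022-04-05T23:41:02 avega engineering denied
2022-04-05T23:41:40 avega engineering denied
2022-04-05T23:43:10 avega source_code denied
2022-04-06T09:10:00 rchen expenses ok
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, account, category, result = line.split()
        yield datetime.fromisoformat(ts), account, category, result

def build_baseline(log):
    """Map each account to the resource categories it normally uses."""
    seen = defaultdict(set)
    for _, account, category, _ in parse(log):
        seen[account].add(category)
    return seen

def monitor(log, baseline, threshold=3, window=timedelta(minutes=10)):
    """Flag access outside an account's baseline; lock the account after
    `threshold` such events within `window`. Returns (flags, locked)."""
    recent, flags, locked = defaultdict(deque), [], {}
    for ts, account, category, result in parse(log):
        if category in baseline.get(account, set()):
            continue  # normal for this account
        flags.append((ts, account, category, result))
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and account not in locked:
            locked[account] = ts  # temporary lock pending review
    return flags, locked

if __name__ == "__main__":
    flags, locked = monitor(LIVE_LOG, build_baseline(BASELINE_LOG))
    print(len(flags), "flagged;", "locked:", sorted(locked))
```

A single unusual access (the engineer opening expenses once) is flagged for review but does not trigger a lock; only the burst of three attempts by the assistant's account does.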
You’ll also want to bring in encryption tools and create a strong user authentication system. This will ensure that only specific accounts have access to critical data. If someone doesn’t need to see that data to do their job, they should never have access to it. Even those who do need access for one project should have that access removed once the project is complete. You may even want to incorporate security tools that only give employees partial access to data to help further protect information.
When you know employees are dissatisfied or highly resentful of a supervisor or your company in general, you may want to take extra steps to monitor their access. You shouldn’t assume that someone who is unhappy with their job and is actively looking for new employment is also planning to steal your data, but this has happened to other businesses in the past. Having monitoring software can help flag those employees who may be planning to leave with data. Having all employees sign non-disclosure agreements can help you legally pursue recompense if this were to happen.
Look at Advanced Security Software
There are a number of advanced protection tools out there that involve machine learning and AI. These tools can learn how employees operate and watch for signs of any odd behavior. This information can help you see when accounts have been compromised or when disgruntled employees are looking for information they shouldn’t have access to. While monitoring your employees’ access is important, you do want to be certain you don’t go too far. Security is one thing, but creating an atmosphere and culture of excessive scrutiny can lead to employees feeling untrusted. This can result in employees leaving the company.
When You Must Be Reactive, React Quickly
While the goal of all IP security is to be proactive instead of reactive, there are going to be times when you have to react to an unexpected breach or theft. Having processes and plans in place will help you react quickly and appropriately. Creating a disaster recovery plan allows you to calmly and rationally think through specific scenarios and craft the best way to respond to them. You don’t have time to do this when a disaster actually strikes, so take your time to create these plans. Each scenario should have a detailed list of steps to take, when to take them, and who to involve. The end goal of each scenario plan should be to restore the company to operating status as soon as possible, address the damage done, and prepare to move forward.
Wooden Spoon IT Can Help You Create an IP Security Plan
Creating a strong IP security plan may appear overwhelming, especially if you don’t have a team of IT experts on hand. That’s where partnering with a managed IT services company can help. Wooden Spoon IT provides security solutions for IP and other sensitive data such as customer information. Contact Wooden Spoon IT today to discuss your security needs and how we can help.