The value of intellectual property was $329 billion worldwide in 2013, accounting for 1.5% of the $22.2 trillion of the financial flows tracked by the World Trade Organization. In the United States, the $128 billion in intellectual property (royalty and licensing income) generated by US companies accounted for 5.6% of the $2.28 trillion in US exports, making intellectual property revenues second only to food and agriculture exports [1]. Moreover, given that organizations worldwide lose five percent of their revenue to fraud [2], much of it attributable to the theft of intellectual property, protection of this content must be a top priority for any organization.
IP MUST BE CAREFULLY PROTECTED
Clearly, intellectual property must be managed properly and carefully protected from various kinds of data breaches in order to guard the critical information assets an organization possesses, as well as to protect its ongoing revenue. However, organizations today are not doing enough to protect their intellectual property, largely because the number of venues and threats through which intellectual property can be leaked, stolen or lost is increasing at a rapid pace, overwhelming IT organizations that do not have the mechanisms in place to protect it. For example:
- Email continues to be the primary method of communication in most organizations, accounting for more employee communication than the telephone, instant messaging, text messaging and social media combined. Despite the growth of alternative methods of communication, the use of email continues to hold steady or grow for more than 95% of employees according to several Osterman Research end-user surveys. Email represents an easy channel for the loss of intellectual property because so much information is shared without any sort of encryption, classification or other protection of sensitive information.
- In addition to its use as a communications tool, email is also the primary file transfer system in most organizations. Osterman Research has calculated that 98% of the bits flowing through the typical corporate email system are actually files attached to emails – in fact, one in four emails contains some sort of attachment, most of which are sent unencrypted or unmanaged in any way. This represents a key avenue for loss of intellectual property, such as when a file is sent to the wrong party, if former employees remain on email distribution lists, or if a recipient forwards sensitive information to someone that should not have it. To the last point, relatively few organizations impose any sort of digital rights management on intellectual property, allowing sensitive or confidential information to be shared, copied, printed or otherwise distributed without the control or consent of its owner.
- Osterman Research surveys have found that roughly five percent of all corporate data is stored on mobile devices, many of which are owned and controlled by individual users. Moreover, mobile devices – many of which are not encrypted and cannot be wiped by corporate IT – are easy to lose, along with the intellectual property they contain.
- Phishing attacks are an increasingly common problem, and many of them are specifically designed to steal corporate intellectual property or money from corporate financial accounts. While IT departments have collectively invested billions of dollars over the years in addressing the phishing problem, the severity and frequency of phishing attacks are increasing. For example, Verizon has found that 23% of phishing recipients have opened these messages and 11% have clicked on a malicious link [3], despite warnings, training and systems designed to prevent these incursions.
- Malicious users – which represent a small proportion of total users in a company – can steal intellectual property fairly easily and create enormous problems for an organization. For example, employees who have received a layoff notice, those who have accepted another job and want to take useful proprietary data with them, or those who are treated badly are all potential sources of intellectual property loss. The law firm of DrinkerBiddle has discovered that employees who are abused by their supervisors are the most likely to steal intellectual property or commit fraud of some kind.
- Various Web threats are another source of intellectual property loss because of the rather leaky nature of many Web browsers and the threats they can introduce.
- Well-meaning users are one of the major sources of intellectual property loss because of their oversharing on social media, through geolocation, by inappropriately forwarding emails, etc. To the last point, an email user can inadvertently divulge intellectual property simply by forwarding an email that contains sensitive information buried deep in an email thread of which they are a part.
WHAT TO DO ABOUT IT
Osterman Research recommends several steps to protect intellectual property in an organization:
- First and foremost, organizations must establish policies about what is and is not considered intellectual property. These policies should focus on defining the types of content, communications and other information that the organization deems to be intellectual property and so needs protection and appropriate governance.
- Next, it is essential to be able to classify intellectual property in email, on file servers, on mobile devices, and in any other venue it might reside or through any system through which it might be transmitted. There are various ways of classifying intellectual property, such as using purely manual methods or some sort of automatic classification, but classification of intellectual property based on corporate policies is essential so that every communication and file can be properly managed in line with corporate requirements.
- Finally, capabilities should be implemented that will ensure the proper management of intellectual property. These will vary based on the specific requirements of the organization, the regulatory framework in which it operates and so forth, but should include:
  - Logging of all communications and file access so that forensic examinations can be conducted accurately and completely in the event that intellectual property is shared in violation of corporate policies or is somehow lost.
  - Real-time recognition of intellectual property classification so that appropriate actions can be taken if a policy violation occurs. This might include a simple pop-up message to an employee who is going to send a sensitive file in a clear text email, automatic encryption of intellectual property embedded in a message, or routing an email to a compliance officer for review before it is sent.
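The following sketch is an added example, not code from Osterman Research or any product. It shows how the logging and real-time recognition capabilities above could fit together in an outbound mail check, including the case of sensitive text buried in a forwarded thread. The header name `X-Classification`, the marker phrases, the internal domain `example.com`, the label set and the mapping of labels to actions are all assumptions chosen for illustration.

```python
import email
import json
import re
from email import policy

# Assumptions for this example (not from the article): header name, marker
# wording, internal domain, label set and the label-to-action mapping.
LABEL_HEADER = "X-Classification"
INTERNAL_DOMAIN = "example.com"
MARKER = re.compile(r"\b(company confidential|trade secret)\b", re.I)
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

def classify(msg):
    """Highest label implied by the header, the body text or attachment names."""
    label = (msg.get(LABEL_HEADER) or "public").strip().lower()
    label = label if label in RANK else "restricted"  # unknown label: fail closed
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_filename() or ""
        if part.get_content_maintype() == "text":
            text += "\n" + part.get_content()
        # Quoted thread text is scanned too, so a marker buried in a forward counts.
        if MARKER.search(text) and RANK[label] < RANK["confidential"]:
            label = "confidential"
    return label

def decide(raw):
    """Return (action, json_log_line) for one outbound message."""
    msg = email.message_from_string(raw, policy=policy.default)
    label = classify(msg)
    rcpts = [a for h in ("To", "Cc", "Bcc") if msg[h] for a in msg[h].addresses]
    external = sorted(a.addr_spec for a in rcpts
                      if a.domain.lower() != INTERNAL_DOMAIN)
    if not external or label == "public":
        action = "allow"
    elif label == "internal":
        action = "warn"      # pop-up to the sender before sending
    elif label == "confidential":
        action = "encrypt"   # encrypt automatically before delivery
    else:
        action = "review"    # hold for the compliance officer
    record = {"message_id": str(msg["Message-ID"]), "label": label,
              "action": action, "external": external}
    return action, json.dumps(record, sort_keys=True)

# Constructed sample: an unlabelled forward whose quoted thread has a marker.
SAMPLE = ("From: alice@example.com\nTo: partner@vendor.test\n"
          "Message-ID: <constructed-1@example.com>\nSubject: Fwd: schedule\n\n"
          "FYI, see below.\n> > COMPANY CONFIDENTIAL: draft pricing model\n")
```

Calling `decide(SAMPLE)` returns the action together with a JSON line suitable for an append-only audit log.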
In short, good information governance of intellectual property is essential for any organization to prevent its unauthorized disclosure and the various consequences that can arise from that loss.
[3] Verizon 2015 Data Breach Investigations Report