BreachExchange mailing list archives

Cybersecurity and intellectual property: How protected are you?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 19:38:56 -0600

http://www.insidecounsel.com/2015/09/01/cybersecurity-and-intellectual-property-how-protec

The biggest threats to your company's intellectual property may reside
inside your own organization. Employees are frequently the primary threat
to data security, whether it's a departing employee stealing trade secrets,
a well-intentioned employee placing valuable intellectual property on an
unsecured computer or device, or a hapless employee accidentally installing
dangerous malware.

Employees need access to sensitive internal data and trade secrets, but
this access creates security risks. Some companies deal with this issue by
relying on employee non-disclosure or confidentiality agreements. But
sophisticated companies use information-security standards from the
healthcare and financial services industries to safeguard their IP. These
standards help companies protect their IP from negligent or malicious
employee conduct.

So how can you protect your intellectual property from employee piracy or
negligence?

Restrict Access to Confidential Information. Employees should only have
access to confidential information when there is a business reason for it.
Only the highest-level executives or those with an absolute need should
have unfettered access to the company's IP. Restricting access helps
monitor the flow of data, limits opportunities for piracy and demonstrates
that efforts have been undertaken to maintain the secrecy of trade secrets.

Monitor Access to Confidential Information. Companies should monitor and
track network activity with respect to IP. Activity logs help determine how
and when information was leaked. Companies should utilize tools that
generate alerts when larger files are exported or emailed outside the
organization. These tools allow companies to detect suspicious activity and
take action. Likewise, HR should notify IT when an employee tenders his or
her notice of resignation to ensure that the employee's network activity is
closely monitored.

Encrypt Your IP. Confidential information should be encrypted when stored
or transmitted. Employees who use confidential information to perform their
jobs or who may store documents locally should receive encrypted computers.

Develop Clear Policies and Procedures Regarding the Handling, Storage and
Disposal of Confidential Data. The company should clearly communicate: what
constitutes confidential information or a trade secret; how that
information should be handled, safeguarded and stored; how confidential
information should be securely transmitted and under what circumstances;
whether confidential information may be accessed via personal or mobile
devices; and the methods and circumstances under which an employee should
dispose of confidential information.

Train Your Employees. If employees are not motivated to care, or simply do
not understand the consequences of violating policies, their lax attitude
increases the risk of a security breach. Effective employee training
programs utilize realistic examples and common situations to demonstrate
best practices.

Enforce Company Policies and Procedures. If the company has a policy that
prohibits employees from emailing confidential information to a personal
device or email account but supervisors routinely allow or ignore the
practice, the company has very little hope of safeguarding its confidential
information.

Develop an Incident Response Plan. Every company should have an incident
response plan that, in the event valuable intellectual property is lost or
stolen, clearly defines the relevant stakeholders (including the immediate
involvement of the appropriate business executives, legal counsel, and
relevant IT or forensics support) and who leads the response team.

Perform Security Audits. To assess and address security vulnerabilities,
the company should audit and test its security program. Upon identifying
vulnerabilities, the company must strengthen and reinforce its security
controls to ensure compliance.

These steps will help companies protect their IP from negligent or
malicious employee conduct. If you’re ever in a legal proceeding relating
to the theft or misappropriation of your company's confidential
information, you’ll need to demonstrate the steps taken to protect that
information. Developing and enforcing a strong information-security regime
helps protect the company on the front end and the back end.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
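
An added example, not part of the original article or post: the alerting described under "Monitor Access to Confidential Information", sketched as a check over mail-gateway logs. The log format, domains, thresholds and HR-supplied watchlist are assumptions constructed for illustration; the check goes slightly beyond the text by summing each sender's external volume per day, so a large file split across several messages still raises an alert.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical "key=value" mail-gateway format.
SAMPLE_LOG = """\
2015-09-01T09:02:11 from=alice@example.com to=bob@example.com bytes=48211000
2015-09-01T09:15:40 from=carol@example.com to=carol.home@mail.test bytes=9500000
2015-09-01T09:16:02 from=carol@example.com to=carol.home@mail.test bytes=9800000
2015-09-01T10:30:00 from=dave@example.com to=vendor@partner.test bytes=120000
2015-09-01T11:05:19 from=erin@example.com to=erin.private@mail.test bytes=3000000
2015-09-01T11:06:00 garbled line without fields
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's mail domains
DAILY_LIMIT = 15_000_000            # assumption: external bytes per user per day
WATCHLIST_LIMIT = 2_000_000         # assumption: tighter limit after HR reports a resignation


def parse_line(line):
    """Return (date, sender, recipient_domain, size), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        size = int(fields["bytes"])
        sender = fields["from"].lower()
        domain = fields["to"].lower().rsplit("@", 1)[1]
    except (KeyError, ValueError, IndexError):
        return None
    return parts[0][:10], sender, domain, size


def find_alerts(log_text, watchlist=frozenset()):
    """Alert once per sender per day when external volume crosses that sender's limit."""
    totals, alerts = defaultdict(int), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] in INTERNAL_DOMAINS:
            continue  # skip malformed lines and internal-only mail
        date, sender, _, size = rec
        limit = WATCHLIST_LIMIT if sender in watchlist else DAILY_LIMIT
        before = totals[(date, sender)]
        totals[(date, sender)] = before + size
        if before < limit <= before + size:  # fire only when the limit is first crossed
            alerts.append((date, sender, before + size))
    return alerts
```

Passing the addresses HR has flagged as `watchlist` applies the lower limit to those senders only; everyone else is measured against the daily limit.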
