BreachExchange mailing list archives

Companies: Five Steps to Protecting Trade Secrets


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 Oct 2015 18:25:50 -0600

http://www.jdsupra.com/legalnews/companies-five-steps-to-protecting-36205/

If your management team knows it needs to better protect company trade
secrets but isn’t sure where to start, take note. CREATe.org and PwC have
put together a five-step framework to guide companies on how to identify,
assess and manage trade secrets. The full framework is included in the
CREATe – PwC report: Economic Impact of Trade Secret Theft: A framework for
companies to safeguard trade secrets and mitigate potential threats.

Here’s a quick overview.

Step 1: Identify Trade Secrets

To best protect those trade secrets whose theft would cause the most harm
to a company, companies should first document and locate the inventory of
their trade secrets. This first step gathers key stakeholders—business and
product unit, R&D, legal, finance and risk leaders—to inventory the trade
secrets maintained by the company.  Ultimately, forming a cross-functional
team with senior management support is critical to this step and those that
follow. Discussion and debate of what constitutes a trade secret for the
company is encouraged, as stakeholders should emerge from this first step
with a broad consensus of not only the definition of a trade secret for
their company, but also a list of the company’s trade secrets aggregated
into categories such as:

- Product Information
- Research & Development
- Critical & Unique Business Processes
- Sensitive Business Information
- IT Systems & Applications

Step 2: Assess Threats and Vulnerabilities

A risk assessment focused on threats and vulnerabilities forms a critical
step in the framework. Threat actors take many different forms, each of
which poses a significant threat of misappropriating a company’s intellectual
property.  Potential threat actors, further explained in this blog post,
could include malicious insiders, competitors, nation states, organized
crime or hacktivists.

Analysis of existing trade secret protection management systems—the
compliance and security program policies, procedures and internal
controls—enables management to identify vulnerabilities in its current
protocols that may create unnecessary risk and exposure for the company.
Evaluating the maturity of the overall trade secret protection program and
the specific processes is an effective way to understand the
vulnerabilities.

Step 3: Rank Trade Secrets According to Relative Value

With only limited resources to implement new safeguards around its most
critical assets, how should management decide which trade secrets deserve
greater protections?  How should management rank its trade secrets based on
the insights garnered from the initial analyses performed by the first two
steps?

A Relative Value Ranking analysis provides the company with the means to
conduct a qualitative assessment using value-based judgments on the
relative importance of a trade secret so that it can perform an initial
selection of trade secrets that have the biggest impact on the operations
and performance of the business.

The CREATe – PwC report provides a system for ranking the value of the
trade secrets as ‘low,’ ‘medium’ or ‘high’ based on criteria such as the
impact to the company’s reputation, core business, culture, competitive
advantage or future revenues.

Step 4: Determine Economic Impact of Trade Secret Theft

In this step, the company determines the adverse economic impact to the
company if an individual trade secret asset is misappropriated.  This
process enables management to segment the total impact into manageable
building blocks. It also provides an understanding of both direct and
indirect impacts to help establish a complete picture of the economic
losses attributable to a trade secret theft.

- Direct Impact:  A measure of the direct financial and economic losses
attributable to a trade secret theft event – i.e., lost sales/revenues,
lost market share, lost profits, and/or lost economic opportunity; and
- Indirect Impact:  An assessment of the indirect factors impacting a
company’s short/long-term ability to compete in the marketplace due to the
theft of the output of its investment—e.g., reduction in customer trust due
to concerns about ongoing relationships or adverse press impacting the
company’s reputation in the marketplace.

The results of the impact assessment provide the basis for establishing a
workable return on investment for improving trade secret protection and
within this, IT security. In most companies, compliance is seen as a cost,
not an investment. The valuation is critical to helping companies
understand that improving trade secret protection is an investment that has
a quantifiable ROI.

Step 5: Secure Trade Secrets

The analysis of trade secrets deemed most important to a company enables
management to make informed decisions about how best to use its existing
resources to strengthen its ability to mitigate potential threats. CREATe
has identified eight categories of effective trade secret protection. These
include:

- Policies, Procedures & Records
- Cross-functional Compliance Team
- Scope & Quality of Risk Assessment
- Management of Third Parties
- Security & Confidentiality Management
- Training & Capacity Building
- Monitoring & Measurement
- Corrective Actions & Improvements

Taking these steps provides an organizing framework for companies to better
safeguard trade secrets. For more information on the framework, download
the full report.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 