Author: Paul Curwell
Intellectual assets are strategically important in business today
Intellectual Assets can exist in a variety of forms, though they are all based upon the generation, capture and protection of valuable knowledge (the ‘information lifecycle’). Their foundation is fragile as it is dependent upon the transition from tacit knowledge possessed by an individual into the organisation with which they are associated. Once transferred, organisations must convert that employee’s tacit knowledge into valuing-creating processes, products or practices. However, a diverse range of criminal and commercial activities threaten the viability of knowledge-intensive companies.
According to statistics quoted from the US Trade Representative, some aspects of “American IP theft costs between US$225bn – US$600bn annually“. These statistics relate to only one segment of the problem, so the true value is probably higher, highlighting the somewhat ‘hidden’ nature of the problem. As recognised by global accounting standards, information today is an (intangible) asset: it needs to be protected like any other tangible asset or item of value.
Companies in knowledge-intensive industries typically have a heightened awareness of the value of their Intellectual Assets and place greater emphasis on information protection as part of an overall IP strategy. However, in my direct experience Australians still lag somewhat behind our North American, European and Asian peers when acknowledging the magnitude of the threat. Here in fortress Australia, where most people and companies play by the rules, we have a tendency to think the rest of the world is like home. In reality, the border-less nature of crime today means that no-where is safe when it comes to protecting sensitive business information.
What do we mean by confidential information?
There are a range of categories of sensitive information, with sensitivity being determined by factors such as commercial value, regulatory obligations to protect the data, and competitive advantage. In my experience, Australian businesses often overlook the importance of commercially valuable information in lieu of a heightened focus on Personally Identifiable Information as a result of Notifiable Data Breach legislation and increased awareness of Privacy generally. For the purposes of this post, I have outlined three categories of ‘sensitive’ information:
- Intellectual Property (IP) – predominately in the form of copyright and patents
- Sensitive Business Information (SBI) – otherwise referred to as ‘proprietary information‘ (US terminology) or ‘confidential information‘, this category is anything with commercial value including strategic plans, customer lists, pricing and ‘trade secrets‘
- Personally Identifiable Information (PII) – information must be protected under privacy legislation, comprising any information that can be used to identify an individual
This post focuses on Sensitive Business Information protection.
‘Sensitive information’ exists along a continuum, with information being ‘sensitive’ by virtue of the fact that it is not public or widely known. For example, research data being prepared for submission in a patent by a research institute is sensitive and must be protected from theft, loss or misuse until the point where the patent is published. Upon publication, the information becomes widely known and can be consumed by anyone – noting that profiting from the information in the patent or using it commercially requires a license and payment of royalties. This means it is important to consider the ‘information lifecycle’ when we create information protection programs as security frameworks and controls must reflect the risks and information usage activities which apply at each phase of the lifecycle.
According to the literature, information has its own five-phase lifecycle (Sharma, 2011), as follows:
- Creation and Receipt – the point from which information is created (origination)
- Distribution – of the information to end users or recipients
- Use – where information is applied to a specific purpose
- Maintenance – includes storage, categorisation, and processing of information
- Disposition – includes the destruction, archiving or other retention decisions
To further highlight the importance of the lifecycle using the above patent example, research data might start out as ‘sensitive business information’ when it is created, only for it to become Intellectual Property when it is subsequently used (i.e. published as a letter patent). For this example, many security arrangements used to protect the published research data can be relaxed upon patenting, as the protection of data in this form is no longer valuable.
Threat Actors seek to compromise your sensitive information
When we discuss security problems generally Australians like to talk about risks rather than the root cause of the risk. When talking about all types of security or fraud issues, that root cause is human. Whatever their motive, threat actors seek to do or cause harm. I’ve been helping companies and governments identify and mitigate threats from hostile actors of all forms for almost 20 years. My starting point for dealing with threats is to divide them into two categories – internal and external – based on their level of access and influence within the organisation:
- Internal threats involve ‘trusted insiders‘ – employees and third parties with privileged access to the organisation by virtue of their employment or contractual arrangement
- External threats – those outside of the organisation, including organised crime, nation states, terrorists, private intelligence collectors, and competitors
External threat actors often work with trusted insiders to compromise sensitive information. This can be complicit, involving some form of collusion (i.e. the insider voluntarily steals information for bribes or some other non-financial advantage), or coercion (e.g. the insider, or their family, is threatened [extorted], or blackmailed to compromise the information).
- ASIS International (2007). Information Asset Protection Guideline, ASIS Commission On Standards And Guidelines, Alexandria.
- Centre for the Protection of National Infrastructure (2015). CPNI Passport to Good Security for Senior Executives, UK Government.
- Gelles, M. G. (2016). Insider Threat: Prevention, Detection, Mitigation and Deterrence, Butterworth-Heinemann, Oxford.
- IFRS (2022). IAS 38 – Intangible Assets, https://www.ifrs.org/issued-standards/list-of-standards/ias-38-intangible-assets/
- IP Australia (n.d.). Types of IP, https://www.ipaustralia.gov.au/understanding-ip/getting-started-ip/types-of-ip
- Moberly, M. D. (2014). Safeguarding Intangible Assets, Butterworth-Heinemann, Oxford.
- National Code of Practice for Chemicals of Security Concern (n.d.). The Trusted Insider, https://www.nationalsecurity.gov.au/chemical-security-subsite/Files/trusted-insider.PDF
- OAIC (n.d.). Notifiable data breaches, https://www.oaic.gov.au/privacy/notifiable-data-breaches
- OAIC (n.d.). What is personal information?, https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information
- Pham, S. (2018). How much has the US lost from China’s IP theft?, CNN, https://money.cnn.com/2018/03/23/technology/china-us-trump-tariffs-ip-theft/index.html
- Philipps Ormonde Fitzpatrick (2018). Confidential information, know-how and trade secrets: which one is which?, Inspired – The POF blog, https://www.pof.com.au/confidential-information-know-trade-secrets-one/
- Post, R. S. and Post, P.N. (2008). Global Brand Integrity Management: How to protect your product in today’s competitive environment, McGraw-Hill, New York.
- Sharma, P. (2011). Management of Information Lifecycle, Journal of Engineering and Research Studies, Vol.II, Issue IV, October-December, 2011, pp.15-16.
- Wimmer, B. (2015). Business Espionage: Risks, Threats and Countermeasures, Butterworth-Heinemann, Oxford.
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.