The costs of an IP breach


Think IP theft will never happen to you?

After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.

The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.


A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.

Could this situation have been avoidable?

An IP breach will cost your business big time

Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.

Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.

To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:

Category: Above the surface (better known cyber incident costs)
  a) Customer breach notification
  b) Post-breach customer protection
  c) Regulatory compliance remediation
  d) Media and public relations campaign
  e) Legal and litigation fees
  f) Technical investigation
  g) Cybersecurity program uplift

Category: Below the surface (hidden or less visible costs)
  a) Insurance premium increases
  b) Increased costs to raise debt
  c) Impact of operational disruption or destruction
  d) Lost value of customer relationships
  e) Value of lost contracts
  f) Devaluation of trade name
  g) Loss of Intellectual Property

Source: Mossburg et al (2016). The hidden costs of an IP breach

Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized business (SMB) being shut down. Surely more can be done?

Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders’ rights, circuit layout rights and ‘trade secrets’ – is very important, as is the use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.


Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:

  • Quickly replicate your work and bring it to market before you have obtained full IP Rights (i.e. they beat you to the patent)
  • Bring a competing product to market, perhaps in jurisdictions where you have not applied for IP Rights (most organisations cannot afford to lodge patents in every country worldwide, and do so selectively), which competes for market share – these products are often cheaper as R&D costs do not need to be recovered, but over time may cannibalise your market share and revenue
  • Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence.

Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.

Starting early to properly protect your IP through BOTH legal and information security approaches is essential. Doing only one or the other is not sufficient.

How do VCs and Angel Investors view IP?

Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and you need capital to scale, leaders need to turn their minds to what investors will think. Investors have a scarce commodity – money – and there are a lot of companies vying to help them spend it.

Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.

The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know’, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.

Venture Capitalists and Private Equity investors get even more serious about their IP assets:

“Many founders make mistakes in the first 12 months of business that cost them dearly as they build their companies. These mistakes revolve around intellectual property, founding team members, initial product that is built and market validation.”

Quoting Entrepreneur-turned-VC Mark Suster in Jutten (2015)

To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.


You need to protect your IP from Day One

One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.

Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management are left until later. Some start-ups are founded by groups of friends who never consider that they may have a falling out, or that a rogue employee may emerge, in the future.

The most critical elements of protecting your IP and trade secrets from an information security perspective include:

  • Identifying your critical information assets
  • Identifying who has access to them
  • Performing a risk assessment to understand how these assets could be compromised and identifying controls and control gaps in your current processes
  • Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
  • Implementing a fit-for-purpose information security program to properly manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
  • Building an organisational culture which appreciates the importance of a positive security culture and high levels of security awareness

What can Small Medium Businesses do to mitigate these risks?

ISO27001:2022 Information Security Management System and ISO27002:2022 Information security, cybersecurity and privacy protection — Information security controls provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.

As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.

This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change – in time, you will have an ISO27001-ready ISMS and can seek ISO/IEC certification should you choose to, or should it become a condition of your investment.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Diversion of critical technology – a byproduct of global competition?


Global competition for science and technology is heating up

Unless you have been sleeping under a rock these past five years or so, you will be aware that the world is again in an era of great power competition. One key area in which this geostrategic competition is playing out is in science and technology. In addition to the omnipresent competition between businesses, nations are now trying to gain the upper hand for economic and national security reasons in a way we haven’t seen since the end of the Cold War.

Developing a high level of scientific and technological capability maturity takes decades and requires substantial infrastructure, starting with basic education systems all the way to post-doctoral research. The research needs to be supported by a legal, regulatory and financial environment conducive to commercialisation, such as Intellectual Property law, sources of capital investment, and the right government policy settings. Lastly, countries need to have companies capable of converting consumer-ready ideas into products, and the ability to take these products to market.

Where countries or companies cannot or do not wish to take a product to market, they use Technology Transfer mechanisms to assign ownership or control. If you can’t or won’t build these capabilities organically, the alternative offers a fast-track option: Steal it. If you want to take the illicit path, you have three main options: Theft, patent infringement and counterfeiting, or diversion.


What is Diversion in the context of Technology Transfer?

To understand the diversion of critical technology we need to establish some definitions, starting with Technology Transfer. I spent quite a bit of time learning about Technology Transfer at university, but it seems the inherent complexity hasn’t changed in many years. According to a 2011 World Health Organisation (WHO) report, the term “technology transfer has been notoriously difficult to define precisely”.

WHO have chosen to go with a World Intellectual Property Organization (WIPO) definition which defines technology transfer as “a series of processes for sharing ideas, knowledge, technology and skills with another individual or institution (e.g. a company, a university or a governmental body) and of acquisition by the other of such ideas, knowledge, technologies and skills”.

“Diversion” refers to the unauthorised or unintended redirection of technology, confidential information, or components / materiel from its intended (authorised) recipient or use to a different party or for use in a different purpose.

Diversion is different to Theft (although they often arise simultaneously): Theft is effectively taking something that isn’t yours without permission (and often without paying for it). For example, going on a laboratory visit, picking up a laboratory notebook and discreetly putting it in your bag for later is theft, not diversion. Although I cannot find evidence of it being discussed in this way in the literature, I consider Diversion a type of Fraud as it typically involves obtaining a benefit (the confidential information or technology) by deception.


Why should we care about the Diversion of critical technology?

The impact of diverted technology depends on what the technology actually is and the identity of the perpetrator. Diversion is commonly perpetrated by nation states, competitors, private intelligence collectors, non-state actors (e.g. terrorist groups), and trusted insiders (e.g., employees, a supplier’s workforce). Diverted technology can have a number of national security and market competitiveness impacts, which over time erode competitive advantage and can expose companies and countries to undue risk, including:

  1. Military Superiority: Critical technologies often underpin national defence capabilities. If adversaries or third parties access these technologies, your competitive edge can be eroded.
  2. Economic Competitiveness: Advanced technologies drive economic growth and national competitiveness. At the start of this 4th Industrial Revolution, science and technology go hand in hand with economic prosperity.
  3. Critical Infrastructure Vulnerabilities: Critical technologies are often used to support critical national infrastructure like energy, transportation, and communication. Diverted technology could be used to identify novel vulnerabilities in systems (including zero-day cybersecurity vulnerabilities), which could be exploited by adversaries leading to widespread disruptions.
  4. Proliferation of Weapons of Mass Disruption and Dual-Use Technologies: Defence and dual-use technologies (those with both military and civil applications) can be diverted to sanctioned groups or nation states, destabilising global security.
  5. Diminished Strategic Autonomy: In this new era of geostrategic competition, being reliant on another country is a strategic vulnerability (we saw this from the effects of the COVID-19 pandemic). Diversion can lead to increased dependence, potentially compromising a nation’s independence.
  6. Foreign Interference and Espionage: Diverted technology can provide adversaries with insights into a nation’s capabilities, strategies, and operations, potentially undermining its diplomatic and security efforts.

There are many ways in which technology can be diverted, such as False End Users, front companies, use of brokers or intermediaries to obtain information, joint ventures or mergers and acquisitions, IP Licensing agreements, insider threats, foreign student arrangements, and many more. In some cases, once the diverted technology is obtained by the adversary, it will be copied or reverse engineered before going into production (manufacturing). The benefit here is that companies can build a competing product (or military capability) at a cheaper price, without the overhead of having to recover the costs of research and development.

Further Reading

  • Gaida, J., Wong Leung, J., Robin, S., Cave, D., Pilgrim, D. (2023). ASPI’s Critical Technology Tracker – Sensors & Biotech updates, Australian Strategic Policy Institute, https://www.aspi.org.au/
  • Hannas, W., Chang, HM (2021). Unwanted Foreign Transfers of U.S. Technology: Proposed Prevention Strategies, Centre for Security and Emerging Technology, https://cset.georgetown.edu/
  • McBride, J. and Chatzky, A. (2019). Is ‘Made in China 2025’ a Threat to Global Trade?, Council on Foreign Relations, https://www.cfr.org/
  • Toman, D., Famfollet, J. (2022). Protecting Universities and Research from Foreign Interference and Illicit Technology Transfer, European Values Centre for Security Policy, https://europeanvalues.cz/
  • WHO (2011). Pharmaceutical Production and Related Technology Transfer, www.who.int


SOCI Act 101 – Operational Information explained

Understanding SOCI is inherently complex

I’ve said it before and I’ll say it again – Australia’s Security of Critical Infrastructure Act, or SOCI for short, is a big, complex piece of legislation comprising the Act itself, supported by five legislative instruments (Rules) which provide more guidance on implementation. Anyone who claims the legislation is simple really hasn’t read it!

Working with legislation like this is likely to be completely new for many Australian executives and security professionals unless they have prior experience in highly regulated industries or in regulatory compliance.

If you are new to compliance or would like to understand how to build an ISO 37301:2021 Compliance Obligation Register, have a read of this article I wrote in March 2023:

Each time I read the legislation I pick up something new – this often requires my flicking back and forth throughout the various documents and sections of the Act to cross-reference each obligation or definition and understand its intent.

With legislation like this, you only start to understand its nuances as you apply it to real world examples, decomposing each element of a critical asset and applying the legislative tests to determine the appropriate treatment.

Developing a compliant CIRMP whilst minimising unnecessary costs and the impact on a critical infrastructure operator’s business, workforce and supplier ecosystem is the challenge.

SOCI creates two key documents

Information or data (as opposed to information system security) is a domain of SOCI, just like Personnel referenced in my previous article on Critical Workers:

Under SOCI, there are effectively two key documents which relate to information and information protection:

  • Register of Critical Infrastructure Assets – this Register is not public and is maintained by the Secretary of Home Affairs. It comprises information on specific critical assets and beneficial ownership and control information for every piece of Australian critical infrastructure.
  • Critical Infrastructure Risk Management Plan (CIRMP) – all Reporting Entities are required to have a complete RMP by six months after the day of commencement of the Rules, or 18 August 2023.

The Register needs to include your Operational Information

Operational Information is different to Sensitive Operational Information under SOCI. Divn 2 (19) of the Act requires Responsible Entities to provide an initial version of their Operational Information to the Department for inclusion in the Register.

Under s26 of the Act, should a Notifiable Event arise then an updated version of the Responsible Entity’s Operational Information must be provided to Home Affairs. Presumably, this information will enable the Australian Government to rapidly perform a damage assessment and to support any crisis or national security response that may be required.


Under SOCI, Operational Information related to a Critical Infrastructure Asset means:

  • The asset’s location and a description of the area the asset services;
  • Information about each organisation that is the Responsible Entity for (or an operator of) the asset, comprising: the entity’s name, business registration number, head office or principal place of business address, and country of incorporation or formation;
  • Information about the CEO (or equivalent) comprising their full name and citizenship(s);
  • A description of the arrangements under which each operator operates the asset (or a part of the asset), including details of any control system of the asset if it is managed by a separate body;
  • A description of the arrangements under which data prescribed by the rules relating to the asset is maintained;
  • Information prescribed by the Rules for the purposes of this paragraph (see below).

The ‘information prescribed by the Rules’ referenced above is currently only defined in Division 2.2 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, where Operational Information comprises six categories:

  • Personal Information for at least 20,000 people (as defined in the Privacy Act 1998)
  • Sensitive Information (as defined in the Privacy Act 1998)
  • Critical Infrastructure Asset related Research and Development information
  • Information on systems needed to operate the Asset
  • Information about risk management (including security) and business continuity / crisis management / operational resilience about the Asset
  • Other sector-specific information as defined in 2.2 (17) (1) (vi) of these Rules

For any of the above Operational Information, Responsible Entities must provide a description of the arrangements for the Department’s Register that comprises:

  • The name of the entity that maintains the data; and
  • If that entity is not the responsible entity for the asset (e.g. Microsoft, Google etc), the entity’s business registration number, head office or principal place of business address, and country of incorporation; and,
  • The address where the data is held (e.g. where computers or servers holding the data are located) and whether the computers or servers are part of a cloud service; and if using a cloud service, the name of the cloud service (e.g. Microsoft) and the kind of data that the entity maintains in these computers / servers / cloud environment.

What is Sensitive Operational Information?

Sensitive Operational Information is only mentioned in the CIRMP Rules in relation to identifying Material Risks to a Critical Infrastructure asset. These Rules list six examples of what would constitute sensitive information:

  • Layout diagrams
  • Schematics
  • Geospatial information
  • Configuration information
  • Operational constraints or tolerances information
  • Data that a reasonable person would consider to be confidential or sensitive about the asset

The above category of information is primarily technical in nature – such as pertaining to engineering or ICT applications – but is focused on minimising the disclosure of information about a critical infrastructure asset’s vulnerabilities, particularly where this information is stored, transmitted or processed outside of Australia.

Further Reading


Microsoft Purview Information Protection – an overview

Author: Paul Curwell

It’s April 2022 – enter, Microsoft Purview

In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining functionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:

  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Data Lifecycle and Records Management
  • Microsoft Purview eDiscovery
  • Various legal holds, auditing and compliance tools, and,
  • Microsoft Purview Information Protection

These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across a range of industries. They are designed to be implemented largely out of the box with configuration (as opposed to customisation); however, more advanced technical skills are required to set up features such as APIs, write PowerShell, and undertake other technical tasks.

[Figure: Microsoft Purview solution catalogue. Source: Microsoft (2022). Microsoft Purview – Solution Catalogue]

Remember: technology is not the first or only step!

I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.

A well-designed Information Protection Program starts with a fit-for-purpose framework, supported by policies (such as a Code of Conduct, employment and IT Acceptable Use policies), confidential information naming conventions, appropriate physical, cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.

Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.


Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:

  • Trade Secrets
  • Personally identifiable information (PII)
  • Confidential business information (pricing, customer lists, strategies, etc)
  • Research data (eg pre-patent, draft papers), and,
  • Government classified information

Whether Microsoft Purview Information Protection is suitable for managing your organisation’s information risk profile is subject to a few considerations, including:

  • Is your sensitive information stored outside of a Microsoft 365 environment?
  • Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
  • Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?

If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.

What features does Microsoft Purview Information Protection offer?

In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:

  • Sensitivity labels – provide the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (i.e. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and policies set up in your Information Protection Program.
  • Sensitive information types – these are pattern-based classifiers, used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, BSB and Bank Account etc. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
  • Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) or automated pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
  • Data classification – provides a host of tools for managers of an Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc), and a host of other features. This can help inform identification of High Risk Roles and Personnel Security Risk Assessments to inform Workforce Screening Program design, as well as inform implementation of Information Protection Programs and control improvement plans.
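To show what “pattern-based” means for a sensitive information type, here is an added example (my own illustration, not Microsoft’s code and not how Purview itself is configured) that scans a constructed document for Tax File Numbers and BSBs. A TFN is only reported when it passes the ATO check-digit rule, and both kinds of match are rated with a hypothetical confidence tier that rises when a supporting keyword sits nearby; this is the same pattern-plus-evidence idea that keeps a classifier from flagging every nine-digit invoice number.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample document; no real identifiers. 123456782 satisfies the
# TFN check-digit rule, 123456789 does not, so only the former should be flagged.
SAMPLE_TEXT = """
Payroll onboarding form (constructed sample, not real data)
Employee TFN: 123 456 782
Invoice reference: 123456789
Account: BSB 062-000, Acct 12345678
Phone: 0412 345 678
"""

# Hypothetical confidence tiers: a bare pattern match is weak evidence,
# a checksum pass or a nearby keyword strengthens it.
LOW, MEDIUM, HIGH = "low", "medium", "high"

TFN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
BSB_PATTERN = re.compile(r"\b(\d{3})-?(\d{3})\b")
TFN_KEYWORDS = ("tfn", "tax file number")
BSB_KEYWORDS = ("bsb", "bank state branch")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)  # ATO weighting for the nine digits


@dataclass
class Match:
    kind: str
    value: str
    confidence: str


def tfn_checksum_ok(digits: str) -> bool:
    """The weighted sum of the nine TFN digits must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def _keyword_nearby(text: str, start: int, keywords: tuple[str, ...], window: int = 40) -> bool:
    """Supporting evidence: does a keyword appear shortly before the match?"""
    context = text[max(0, start - window):start].lower()
    return any(k in context for k in keywords)


def classify_tfn(text: str) -> list[Match]:
    found = []
    for m in TFN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if not tfn_checksum_ok(digits):
            continue  # nine digits that fail the checksum are not treated as a TFN
        conf = HIGH if _keyword_nearby(text, m.start(), TFN_KEYWORDS) else MEDIUM
        found.append(Match("TFN", digits, conf))
    return found


def classify_bsb(text: str) -> list[Match]:
    # A BSB has no check digit, so the pattern can only ever reach MEDIUM
    # and needs a keyword to get there.
    found = []
    for m in BSB_PATTERN.finditer(text):
        conf = MEDIUM if _keyword_nearby(text, m.start(), BSB_KEYWORDS) else LOW
        found.append(Match("BSB", "".join(m.groups()), conf))
    return found


def scan(text: str) -> list[Match]:
    """Run every classifier over the text and return all matches in order."""
    return classify_tfn(text) + classify_bsb(text)


if __name__ == "__main__":
    for hit in scan(SAMPLE_TEXT):
        print(f"{hit.kind}: {hit.value} ({hit.confidence})")
```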

I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.

Two questions I have are what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and, of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.

Perhaps most importantly, I strongly recommend you already have an Information Protection Program either operating or the framework development well underway before you procure or implement any technology solution. Pleasingly, so does Microsoft!

Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.

Operationalising your Information Protection Program

All too often, I see cases where organisations have purchased a software solution and expect this will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but it is not a substitute for implementing the program itself.

Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are set up that require new sensitivity labels, or in response to insider threat events.

Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an appreciation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.

Further Reading


Prototype product protection: a step by step guide

What is prototyping?

“A prototype is a draft version of a product that allows you to explore your ideas and show the intention behind a feature or the overall design concept to users before investing time and money into development” (usability.gov). Prototyping is an essential step in product development as it provides an opportunity to qualify feedback from potential customers, size the market, inform investment and financial decisions, and support go/no-go decisions.

Not every product idea will be a commercial success, meaning innovators can spend a lot of money on new product development without financial return. Prototyping helps minimise this risk by regular and repeated feedback. The generic product development process begins with the idea (ideation), which leads to development of a Product Definition prior to prototyping. Usability.gov identifies two categories of prototype:

  • Low-fidelity prototypes are often paper-based and without user interactions. They are prepared quickly and are cheaper than high-fidelity prototypes whilst helping potential users understand the product concept and how it might benefit them. Feedback collected from user interviews (customer interviews) should be incorporated into the iterative new product development process to inform the Minimal Viable Product (MVP).
  • High-fidelity prototypes are effectively early models of the future product. They are as realistic as possible with working components, meaning they are often expensive to produce and may require support from the product developer’s supply chain to design and build custom components. The need for custom components may require suppliers to develop their own prototypes and perform custom R&D as a prerequisite for being able to produce their customer’s new product, adding to development timelines and commercial complexity. There may be multiple iterations of high-fidelity prototypes, with latter models being closer to the model which will go into production and on to a product launch for sale.

How are prototypes vulnerable? What are the risks?

Part of the challenge with protecting prototypes is the need to balance secrecy with feedback. Failure to provide adequate secrecy or protection could mean innovators lose commercial advantage or are usurped by competitors who are faster, more agile and better resourced. However, the flip side is that any product needs to be tested, and product developers need as much real-life feedback as possible: from customers on whether the product meets their needs, and from real-life applications on whether the product solves the problem as intended under realistic conditions.

The inherent risks associated with a prototype are a reflection of how advanced the prototyping activity actually is. At the early stages, risks are primarily associated with information security and personnel security, where leaks or compromises can occur which tip off the market to what is under development. As prototypes are produced and tested, these risks remain but new risks, including physical theft or loss and third party or supplier risks, also come into play. The spectrum of risks is illustrated in the following figure, overlaid on the research and development process:

(c) Paul Curwell (2022). Prototype Product Protection illustrated: Security risks aligned to the R&D process

Taking steps to ensure legal protections for your Intellectual Property (such as Patents, Copyright or Design Rights) are in place is an important step in prototype protection, but these legal protections are not the sole actions required. Litigation cases can turn into a ‘war of attrition’ with the winner having the deepest pockets, so reliance on a purely legal strategy may not be prudent. Selected security and fraud risks which also need consideration include:

  • Physical theft of the prototype – which can occur during storage, production, transport and field trials.
  • Theft of test data, plans or designs – arising through virtual (cyber) and physical (e.g. paper, human) vectors.
  • Theft or disclosure of pricing and commercial data – this is likely of particular interest to competitors and ‘fast followers’, but potentially also to industry media and investors.
  • Contract Manufacturer agreements – outsourcing may confer less control over your information and who has access to it. Additionally, there are many examples of contract manufacturers with undeclared conflicts of interest or a lack of integrity who disclose this information to third parties or competitors irrespective of any legal agreements in place.
  • Theft or unauthorised use of tooling, molds, etc. for production – parts of your supply chain, including contract manufacturers, may use your custom tooling or manufacturing molds intended for developing the prototype for unauthorised manufacturing activities during periods of factory downtime. Tooling agreements which specify ownership of IP, and access control associated with tooling, are essential to manage product diversion risk.
  • Third Parties – many businesses will need to involve their suppliers in prototyping and new product development. This requires providing information, access to designs or prototypes, and go to market plans and timelines, all of which are commercially valuable and potentially market sensitive if the company is publicly listed. Use of external experts including product development specialists, product engineers, graphic or industrial designers, product quality consultants, computer-aided design (CAD) specialists can increase the chance of success. However, the more people ‘in the know’ the greater the opportunity for compromise.
  • Data Management and Information Protection – ideally, much of your product development information will be online rather than paper-based to provide greater control over access, versions, and dissemination. A data management plan incorporating risk-based data security and information protection is essential, and being able to evidence appropriate security and protections can give greater confidence to business angel, venture capital and private equity investors to fund product development.

In addition to these inherent risks, two contextual factors influence your risk exposure: time, and the number of people who are in the know. As with anything you want to keep under wraps, the longer you need to keep something secret the more effort is required. The quicker you go from ideation to commercialisation, the lower the chance of compromise or accidental disclosure. Related to time is the number of people ‘in the know’. Typically, longer product development timeframes mean more people in the know. There is presumably a relationship between the number of people who know and the likelihood of intentional or unintentional compromise.

Most importantly, prototype protection is not just about the prototype itself: the information pertaining to it, and any externally-facing indicators of what you are doing that could tip off competitors, also need to be carefully managed.

The prototype threat and risk assessment

Some industries are much more competitive and cut-throat than others, with competition arising not just from business competitors but also nation states. Innovators, research managers and commercialisation teams are often reluctant to talk about security, but according to ‘The report of the Commission on the theft of American Intellectual Property’ (2013), the cost of IP theft in the USA alone is likely to exceed US$300 billion.

The ongoing theft of IP is “the greatest transfer of wealth in history.”

GENERAL KEITH ALEXANDER, Commander of the United States Cyber Command and Director of the National Security Agency

Industries with commercially lucrative or national security applications at the cutting edge of science, technology, engineering and mathematics and some consumer sectors are most likely to be targeted, with targets ranging from applied research through to trade secrets, prototypes and commercial information. Understanding who might be interested in obtaining information about your prototype (‘threat actors’), such as competitors, competitive intelligence collectors, media, and foreign governments, is a crucial first step. A threat assessment can help identify these actors, understand their tactics and level of sophistication (their capability and intent), and provide insights on how they are most likely to target your R&D.

A Risk Assessment complements the Threat Assessment. Risk Assessments look inward and focus on what can go wrong (risks) and what is present to prevent this (internal controls), whilst threat assessments focus on the outside looking in. The bottom line is that every material risk should have adequate control coverage, with the most critical assets (including people, information and physical items) having multiple redundant layers of protection. Threat and Risk Assessments provide a strong foundation for a Prototype Protection Plan.

Developing the Prototype Protection Plan

The Prototype Protection Plan (PPP) documents what steps a business will take to protect prototype versions associated with a given new product development project. This plan considers the threats and risks identified through the assessment process (above), and outlines the ‘who, what, when, where, why and how’ of each risk treatment option. The PPP should cover the full spectrum of risks – physical, cyber, information/ IP, personnel (insider threats) and supply chain.

Better practice involves assigning a dedicated security manager for the duration of the project (either full or part-time), whose role includes not only coordinating the overall PPP program but also assessing, investigating, evaluating and responding to incidents and potential compromises. Industries where products have rapid product life and profit cycles may also undertake a variety of counterintelligence practices given the level of ongoing scrutiny performed by competitors.

In summary, as outlined in this article, protecting your prototype takes effort; however, in many cases the benefits from doing so exceed the costs. Failure to properly identify, understand and manage these risks can lead to a loss of market share, future revenue, shareholder returns and brand damage, whilst being overzealous with security can mean your business never gets out of the starting blocks in its product development race. This balance must be carefully managed in prototype security.

Never heard of Research Security? Why safeguarding your research today is critically important

How did we get here?

Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

Source: Why safeguard your research? Government of Canada (2021).

Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director General Keith Alexander:

“The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”

HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION, 9 July 2013.

Is all research and development the target of theft?

Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering and Mathematics (STEM) domains, as opposed to social science or humanities research.

One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk of IP theft as very low.

The knowledge creation process is very easily stymied through excessive security, which can inhibit creativity and innovation. But on the other hand, too little security can mean your research walks out the door, either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

What is research security?

Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own gain. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

What is the impact of research theft?

  1. Diminished trust and confidence in your research data and results
  2. Loss of research data
  3. Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
  4. Legal or administrative consequences
  5. Loss of potential future partnerships
  6. Tarnished reputation

Source: Why safeguard your research? Government of Canada (2021).

In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

Source: US Director of National Intelligence, dni.gov

Canada’s Safeguarding Your Research program

The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

  • Tools for building Security Awareness in the Academic Community
  • A checklist to help determine whether you are at risk
  • Information on mitigating economic and/or geopolitical risks in sensitive research projects
  • National Security Guidelines for Research Partnerships

United Kingdom

In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Center for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

  • Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
  • Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
  • Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

United States

Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant recipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

Australia – time for a change of attitude?

In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commercial perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominantly on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

Once you have lost your valuable research, you face an expensive and time-consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent’s in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foreign interference.

I’m a research or commercialisation manager – what can I do about it?

Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

This is not easy and requires a good understanding of both security and research / innovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey, but remember: the one thing that is clear is the risk of inaction.

Business espionage – the sale of intellectual property on the dark web

What is the dark web?

For those who are new to this concept, the dark web is the third part of the internet which is not indexed by ordinary search engines and requires a specific web browser (a ‘TOR’ browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings which sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.

There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.

What is business espionage?

We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets comprised around 80% of a business’s value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.

For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).

The types of IP that are stolen include:

  • Research data
  • Pricing data
  • Confidential information
  • Customer lists
  • Trade Secrets
  • Product development data
  • Engineering schematics
  • Sales figures
  • Proprietary software code
  • Strategies and Marketing plans
  • Chemical formulas
  • Cost analyses
  • ‘Know how’
  • Personnel data

Examples of IP targeted by business spies – Nasheri (2005)

If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:

  • Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).

In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:

  • Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
  • Targeting of business travellers in hotels, bars, etc.
  • Cyber criminals and hackers breaching secured networks
  • Opportunistic individuals who find valuable information on an unsecured corporate network
  • Plus other similar examples

So, to recap, we have the scenario where commercially valuable information (IP) has been stolen. Sometimes employees steal IP from an employer because they see it as ‘theirs’ and feel they are the legitimate creator or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party, but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.

Is there a criminal value chain behind the illicit market for stolen IP?

It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?

“It does little good to steal intellectual property if you do not have the expertise to use it”

James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)

I have so many unanswered questions here, but the presenter I referred to earlier mentioned the prices some buyers pay for stolen IP on these illicit marketplaces is in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:

© Paul Curwell, 2022

In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just as with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or who other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount or take the risk to buy IP which hasn’t been verified either as authentic (i.e. stolen from the company alleged to have produced it) or as not fictional (i.e. garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).

In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer independent validation and verification services – for a fee. However, this would also require access to a pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.

What is an ‘IP Audit’ anyway?

Intangible Assets – easily overlooked

I still remember performing my first ever Intellectual Property (IP) audit on my consulting journey. I had just graduated from business school which had opened my eyes to the world of commercialisation and IP assets, and how they could be exploited or misplaced. My client was a large player in global airport infrastructure services, and as part of their work the Executive Officer to the CEO thought it was important to identify and map their IP asset holdings. As I worked my way through the organisation, interviewing staff and cataloguing their IP, I still remember stumbling across the engineering laboratory hidden in one corner of a floor, out of sight.

As I spoke to the team members there, I discovered not only did they maintain specialised electronic components for equipment used in delivery of their services, but in their spare time and with discretionary budget the team of engineers worked to invent their own solutions to airport infrastructure problems. This activity flew completely under the radar of the organisation’s executive, meaning not only did their work potentially miss out on dedicated funding which might generate a revenue stream or licensing opportunity for the organisation, but the IP was not properly protected – including from theft should those employees decide to resign and move to a competitor or start their own business.

This type of situation is encountered time and time again in Australian businesses. Our level of awareness and maturity in relation to IP is relatively low in most sectors, and my experience has been that in sectors which are aware of the fundamental concepts, IP assets are either managed very selectively or in many cases not at all. As an advanced economy with a strong STEM-based population and research capability, we need to get better at protecting our IP if we are to compete and thrive as a nation in a knowledge-driven world. Completing an IP Audit is one of the first steps to doing this.




What are intellectual assets?

Intellectual Assets are intangibles that have value to an enterprise, including but not limited to “information, intellectual property, credibility and reputation, and brand identity”. Whilst the term ‘intellectual property’ is often used loosely to refer to any sensitive information, the World Intellectual Property Organisation (WIPO) recognises six types of IP:

  • Patents
  • Trade Marks
  • Copyright
  • Industrial designs
  • Geographical Indications (e.g. ‘champagne’)
  • Trade Secrets

In Australia, we have another category of IP called ‘Plant Breeder’s Rights’, and Geographical Indications are registered under our ‘Certification Trade Mark system’. Unlike other jurisdictions such as the U.S., Australian law does not explicitly recognise ‘trade secrets’ as a category of IP; instead, ‘trade secrets’ are treated as a category of ‘Confidential Information’ (Dighe & Lewis, 2020, Twobirds.com). More on this in a future post.

According to IP Australia, “a trade secret can be any confidential information of value. Unlike other IP rights, trade secrets are protected by keeping them a secret, and are not registered with IP offices. The protection of a trade secret will cease if the information is made public, and trade secrets do not prevent other people from independently inventing and commercialising the same product or process”.

What is an IP audit?

According to the Queensland Government, “an IP audit is a review of the IP owned, used or acquired by an organisation. It aims to find out what IP is within an organisation, who owns it, the value of that IP, its legal status, and what to do with it“. Once identified, in addition to focusing on the legal status of your IP, you also need to understand whether it is adequately protected. For example:

  • Which threat actors might seek to steal or sabotage your intellectual assets? Employees, competitors, nation states (‘economic espionage’) or someone else?
  • What are the actual risks posed by these threat actors? Examples include theft, sabotage and IP infringement.
  • What internal controls do you have in place in terms of your holistic security programs to address the identified threats and risks? These may need to address insider threats, supply chain threats, and external threats (e.g. competitors).

How are IP audits performed?

Once you have decided to undertake an IP audit, you need to develop your scope and methodology. This starts with developing your audit plan and audit team. I find it’s easier to divide the audit into four steps, as follows:

  • Step 1 – data collection: systematically catalogue confirmed or potential IP and confidential information in a register. I use the organisation chart as a starting point for this.
    • Tip: it’s easy to get bogged down and start to catalogue every document. Instead, focus on categories of information (e.g. financials) and then narrow down in key areas.
  • Step 2 – initial assessment: once you’ve compiled your initial register, assess it to remove all unnecessary content by ensuring each entry meets the criteria for an asset. If an entry is not relevant, delete it. Hopefully you’re left with a relatively small number of manageable entries; the output is your register of ‘critical information assets’.
  • Step 3 – commercial evaluation: use your register of ‘critical information assets’ to review potential commercial opportunities (e.g. licensing), develop monitoring programs for infringement, or even sell the IP Rights to another party if no longer used or relevant to your strategy.
  • Step 4 – risk management: review your register of critical assets to ensure the information is adequately protected. This includes legal provisions (e.g. patents), employment contracts (e.g. non-disclosure and IP assignment clauses), information security programs, and supply chain or third party risk programs. Make sure your critical information assets are appropriately marked, secured (e.g. encrypted), that access is controlled, and that unauthorised dissemination is limited.

Using the findings of your IP audit to better protect these assets

All too often, businesses take a purely legalistic approach to protecting their IP and Confidential Information assets. It is important to remember that just because your research is patented, or because you have a non-disclosure agreement in place with your suppliers or employees, it is not completely protected. Particularly in the case of confidential information, courts expect businesses to have implemented appropriate security programs to safeguard their information; it is not sufficient to rely purely on legal protections in the courts if something happens. Further, this sort of reactive response is not productive, is very expensive, and consumes substantial amounts of time from your board, executives and senior staff, time that could be more productively spent elsewhere.

Prevention and early detection are the key, but to do this you need to understand what your IP assets are (for example via the IP audit process) and work out where their associated vulnerabilities or exposures lie: are they limited to your employees, or do you divulge this information to third parties too, and if so, who has access? Then you can wrap a combination of cybersecurity (e.g. networks, systems, encryption) and what I refer to as ‘non-cyber information security’ programs around this to build your protective bubble. These relationships are illustrated below:

As you can see, there is more to protecting your IP and Confidential Information than patents, copyright and design rights. If you’re unfamiliar with how to build a program to protect your confidential information, take a look at my previous post here.


Australia’s economic espionage laws: what this means for ‘trade secrets’ protection after 2018

Author: Paul Curwell

Are Australians culturally reluctant to take steps to protect our Intellectual Property?

Throughout my career, I have worked with businesses, R&D intensive organisations and universities which make a living commercialising their Intellectual Property (IP). As an undergraduate biotechnology student, I completed a number of internships with research laboratories in Australia and the United States, before working out that wasn’t the right career for me. Later, as a Master of Technology Management student at business school in Brisbane, I wrote my thesis on the protection of IP. I then moved on to a mix of consulting and industry roles, mostly in financial services. Unfortunately, wherever I go in Australia I regularly encounter situations involving IP and trade secrets theft. For example:

  • A departing employee who blatantly stole IP from their employer, only to find in-house counsel couldn’t be bothered to take action either against the employee or their new employer (where they were using the stolen assets) as they didn’t consider IP theft a real issue
  • Another company failed to terminate the IT accounts of multiple employees who had left at the same time for a direct competitor. Those employees had also taken a laptop belonging to their former employer, and used it and their still-active login credentials to log in to their former employer’s IT network from their new employer’s offices to steal the IP they hadn’t already taken, as well as commercial material such as pricing which had been updated since they left
  • An employee who had a lucrative contract with a foreign third party to supply the research paid for by their primary employer to the third party, without the knowledge of the primary employer and in breach of their employment contract and fiduciary duty

Based on my experience, I am comfortable saying the culture of IP protection, and the maturity of associated IP protection programs, in Australia is low. Australian businesses are overly reliant on legal measures to protect our IP, at the expense of adequate security and insider threat programs. Unfortunately, once your IP is gone, it is very expensive and time consuming to get it back. Having spent almost 20 years working in the fraud and security field, I am still amazed at the way in which we protect our confidential information and IP in Australia, and the almost complete disregard we show both for protecting these intangible assets and for responding when something goes wrong. This is in complete contrast to the US and other R&D intensive nations. Slowly, finally, things are starting to change.

‘Trade secrets’ defined for the first time in Australian legislation

In August 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 received royal assent, and its provisions now form part of Australia’s Criminal Code Act 1995 (Cth). Theft of trade secrets and IP is big business globally, and involves nation states, criminal groups and individuals. The US Trade Representative estimates the cost of trade secrets and IP theft at US$200bn to $600bn annually. When the perpetrator is a nation state, or acting on behalf of a nation state, this is termed ‘economic espionage’ (as opposed to traditional espionage, which focuses on theft of national security related information). When the perpetrator is a competitor or private intelligence company, this is termed ‘industrial espionage’. In Australia, economic espionage is considered a form of Foreign Interference.

Foreign interference is activity that is:

  • carried out by, or on behalf of a foreign actor
  • coercive, corrupting, deceptive, clandestine
  • contrary to Australia’s sovereignty, values and national interests

Foreign interference activities go beyond routine diplomatic influence and may take place alongside espionage activities. A range of sectors are targeted:

  • democratic institutions
  • education and research
  • media and communications
  • culturally and linguistically diverse communities
  • critical infrastructure

Most Australians don’t believe industrial or economic espionage happens here in ‘fortress Australia’, but unfortunately these practices are alive and well; they just rarely make it to the courts or hit the headlines, and victim companies rarely if ever disclose the fact. So what does this new legislation do? Effectively, it “introduces a new offence targeting theft of trade secrets on behalf of a foreign government. This amounts to economic espionage and can severely damage Australia’s national security and economic interests. The new offence will apply to dishonest dealings with trade secrets on behalf of a foreign actor“.

92A.1 Division 92A – Theft of Trade Secrets involving a Foreign Government Principal

The penalty for committing this offence is 15 years imprisonment.

Division 92A does not cover theft of confidential information or trade secrets where there is no involvement of a foreign government – these cases are addressed under other legislation as well as under common law and will be subject to a separate post.

What is a ‘Foreign Government Principal’?

Under section 90.3 of the legislation, an offence of trade secrets theft requires the perpetrator (e.g. the employee) to be acting on behalf of a ‘foreign government principal’. Note that the legislation also defines a ‘foreign principal’, which is different. A ‘foreign government principal’ is defined as follows:

  • the government of a foreign country or of part of a foreign country;
  • an authority of the government of a foreign country;
  • an authority of the government of part of a foreign country;
  • a foreign local government body or foreign regional government body;
  • a company defined under the Act as a foreign public enterprise;
  • a body or association defined under the Act as a foreign public enterprise;
  • an entity or organisation owned, directed or controlled:
    • by a foreign government principal within the meaning of any other paragraph of this definition; or
    • by 2 or more such foreign government principals that are foreign government principals in relation to the same foreign country.

Importantly, the legislation is written quite broadly so as to encompass many of the typologies typically found with economic espionage, namely the involvement of national as well as state / province and local level government agencies, associations and similar legal entity types.

Section 70.1 of the Criminal Code 1995 provides a comprehensive definition of a ‘foreign public enterprise’ which encompasses both formal control (i.e. in the form of shareholdings) as well as influence (i.e. indirect or coercive control which might be exerted against a company’s key persons by a foreign government to ensure support).

Three elements of the offence define expectations of employers – IP Protection programs

In addition to the involvement of a ‘foreign government principal’, a person (e.g. employee, contractor) commits an offence under Division 92A if the person dishonestly receives, obtains, takes, copies or duplicates, sells, buys or discloses information, and the following three circumstances exist:

  • The information is not generally known in trade or business, or in the particular trade or business concerned
  • The information has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated
  • The owner of the information had made reasonable efforts in the circumstances to prevent that information from becoming generally known

The first circumstance is relatively straightforward: if the information is public or in any way considered ‘common knowledge’, it is not a trade secret. Secondly, like all forms of IP, trade secrets must have some form of commercial value, for example, being used to build or do something which creates a saleable asset or generates revenue. Lastly, the owner of the trade secret(s) must have taken reasonable steps to protect that information from unauthorised disclosure, i.e. the implementation of an IP Protection program.

These elements are common to the definitions of a trade secret in other jurisdictions, such as the United States and Canada. Note that the legislation does not provide any guidance on what a court might consider ‘reasonable efforts’ to protect such information. However, there is a body of industry better practice around what IP Protection programs should look like, which employers and IP Rights holders can use to inform these decisions. For more information, have a read of my earlier post on this subject.


How is confidential information compromised?

Introduction

In this previous post, I discussed what we mean by intellectual assets and confidential information, and who might want to compromise it. I again pick up the topic of confidential information, which is the foundation of any trade secrets protection in Australia. This post provides an overview of what I consider the nine main attack vectors for confidential information, why it is important to understand the value of your critical information assets before spending money to protect them, and how managers can build a confidential information protection program for their business.

Research and development is one category of confidential information

Confidential information can be compromised through 9 main ‘attack vectors’

Sensitive, non-public information can be compromised through a range of avenues (attack vectors) by external parties or trusted insiders. The following list, whilst not exhaustive, illustrates the sheer number of avenues by which sensitive business information can be compromised:

  • Espionage techniques – whether perpetrated by competitors, ‘information brokers’ or nation states
  • Cyber attacks – by far one of the easiest, lowest risk and most successful vectors if recent events are any indicator
  • Insider threats – including theft, copying, unauthorised disclosure, ‘innocent disclosure’ (i.e. intentional disclosure made to look like an accident) and large scale data leaks
  • Technology transfer – through acquisitions and licensing
  • Research partnerships
  • Staff exchanges, secondments and laboratory visits
  • Direct investments – including venture capital and private equity
  • Listings on foreign stock exchanges – where foreign governments may seek to forcibly access premises or IT systems and copy information
  • Supply chain infiltration – including of Contract Research Organisations and Contract Manufacturing Organisations

Each of the above is an example of a vector used to obtain sensitive business information. Typically, threat actors start with the easiest and least expensive option. Professionals who engage in wholesale sensitive information theft, whether of PII or intellectual property, are typically very patient and may be willing to wait years for the right opportunity. Companies which create valuable information assets often have better security and greater staff security awareness (i.e. are a harder target), thus they are likely to be on the receiving end of more sophisticated methods by opponents. Fortunately, this does not mean protecting sensitive information is impossible. Rather, what it requires is a robust framework to mitigate the risk.

Renewable energy technology is highly competitive and a target of research theft.

Before protecting information, we need to understand its value

It is not practical or cost-effective to protect every asset in an organisation to the same standard, and this goes double for information. A foundation principle of security is to apply controls only to assets of value. This is relatively simple to determine for tangible, physical assets, but in practice is somewhat difficult for intangible assets. In my consulting practice, I have worked with a number of knowledge-intensive organisations to identify and assess their sensitive information. This exercise is really all about balance, compounded by the fact that information at the start of a process (e.g. commencement of R&D) may not be valuable, whilst at some point along the way the confluence of events means the information becomes highly sensitive.

Trade Secrets are another category of confidential information

The challenge is to identify the point at which that happens, as too many controls will affect the productivity of knowledge-workers, who instinctively want to share and learn. Locking information away in silos goes against the innate behaviour of knowledge workers and will also impact your organisation’s ability to innovate. In contrast, inadequate control coverage means valuable information is not adequately protected and could easily be lost. Coincidentally, I completed my Master’s level research project on this very topic as part of the Technology Management program at the University of Queensland Business School.




When working with clients I typically follow a five step process to complete this exercise:

  1. Compile an inventory of all types of information within the organisation, the creator (originator) and recipients, and where it is stored
  2. From this inventory, group the information into categories such as public, Personally Identifiable Information, non-sensitive business information and Sensitive Business Information. This activity can quickly become unwieldy, so you will probably need to sub-categorise information as you go
  3. Rank or prioritise your information from most to least sensitive. This might be on the basis of value (i.e. potential future revenue generating capacity), regulatory compliance or reputation / commercial damage if disclosed (e.g. loss of market share)
  4. Identify your internal control environment in relation to your most sensitive information. Is this information adequately protected?
  5. Focus your information protection program on these areas and develop a plan to uplift internal controls where gaps exist, leaving information unprotected
Confidential information needs to be identified and protected

How do you build a confidential information & trade secrets protection program?

In larger companies, sensitive information protection programs typically comprise a specialised element of the enterprise’s broader corporate security program, which provides the security foundation on which information protection builds. Smaller organisations, however, may not have a robust security program in place beyond a limited IT Security capability and a security manager responsible for security guard-force management. Corporate security programs today involve far more than security guards; they have evolved to a high level of sophistication to address the diverse range of complex threats faced by companies operating domestically and overseas. More on this in future posts.

There are seven key components of a confidential information protection program

The seven key elements of a confidential information protection program are as follows:

  1. A framework which brings together all relevant program elements, identifies risk owners and stakeholders, and sets the tone from a policy implementation and guideline perspective. This framework should be subordinate to other organisational frameworks, such as Risk and Compliance
  2. An appropriate Information Registration, Classification, Marking, Tracking & Destruction scheme to ensure sensitive information is clearly identified and can be protected at each phase of the lifecycle
  3. Security awareness training for all staff, but particularly those working with (or creating) the sensitive information
  4. Tone from the top, with the importance of information protection being clearly recognised and with executives and the board following internal procedures
  5. A threat and risk assessment, to clearly identify the threats and risks to the sensitive information and the associated controls
  6. A risk-based protective security program comprising physical, cyber, information (non-cyber) and personnel security elements to address the risks, and
  7. Appropriate detection, incident management and investigation capabilities to enable timely detection and response to any incident, minimising further damage
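As an added example (not code from the original post), the following Python script shows the kind of detection logic that element 7 above, and Step 4 of the IP audit process earlier on this page (controlling access to critical information assets), call for. It targets the leaver scenario described in this blog: accounts of departed staff that were never disabled and are then used, from outside the corporate network, to reach the former employer’s systems. The log format, the leaver list, the usernames and the corporate address ranges are all assumptions constructed for the example; a real implementation would read the HR leaver export and the identity provider’s authentication logs instead.

```python
"""Flag use of accounts belonging to departed staff.

Added illustration: the leaver list, address ranges and log lines below are
constructed for this example and are not real data or a real log format.
"""
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Hypothetical HR leaver export: username -> last working day.
LEAVERS = {
    "jsmith": date(2024, 3, 29),
    "achen": date(2024, 3, 29),
}

# Hypothetical corporate address ranges; any other source is treated as external.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Constructed authentication log: "<timestamp> <user> <source ip> <result>".
SAMPLE_LOG = """\
2024-03-28T09:02:11Z jsmith 10.1.4.22 SUCCESS
2024-03-29T17:45:03Z achen 10.1.4.40 SUCCESS
2024-04-02T08:13:55Z jsmith 203.0.113.45 SUCCESS
2024-04-02T08:14:30Z jsmith 203.0.113.45 SUCCESS
2024-04-03T12:00:00Z achen 10.1.4.40 FAILURE
2024-04-03T12:01:00Z bjones 10.1.4.41 SUCCESS
"""


def parse_line(line):
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, user, src, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "src": ip_address(src),
        "result": result,
    }


def is_corporate(addr):
    """True if the address falls inside one of the assumed corporate ranges."""
    if isinstance(addr, str):
        addr = ip_address(addr)
    return any(addr in net for net in CORPORATE_NETS)


def find_leaver_logins(log_text, leavers=LEAVERS):
    """Return one alert per successful login by a leaver after their last day."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        last_day = leavers.get(ev["user"])
        # Only successful logins by known leavers count as access to data;
        # failed attempts after exit are worth a separate, lower-priority alert.
        if last_day is None or ev["result"] != "SUCCESS":
            continue
        if ev["ts"].date() > last_day:
            alerts.append({
                "user": ev["user"],
                "when": ev["ts"].isoformat(),
                "src": str(ev["src"]),
                "external": not is_corporate(ev["src"]),
                "days_after_exit": (ev["ts"].date() - last_day).days,
            })
    return alerts


def accounts_not_disabled(enabled_accounts, leavers, as_of):
    """Leavers whose account is still enabled after their last working day.

    as_of may be a date or an ISO date string (e.g. "2024-04-05").
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return sorted(
        user for user in enabled_accounts
        if user in leavers and as_of > leavers[user]
    )


if __name__ == "__main__":
    for a in find_leaver_logins(SAMPLE_LOG):
        where = "EXTERNAL" if a["external"] else "internal"
        print(f"ALERT {a['user']} logged in {a['days_after_exit']} days after exit "
              f"from {a['src']} ({where}) at {a['when']}")
    # Hypothetical directory export of currently enabled accounts.
    print("still enabled:", accounts_not_disabled({"jsmith", "achen", "bjones"},
                                                  LEAVERS, "2024-04-05"))
```

Two checks are deliberately separated: `accounts_not_disabled` is a preventive control (reconcile the directory against the HR leaver list every day, so the account is gone before it can be used), while `find_leaver_logins` is the detective control that catches the case where that reconciliation was missed. Running the script on the constructed log produces two alerts for the same leaver on the same external address, which is exactly the pattern an investigator would want escalated rather than buried in a daily report.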

To ensure adequate stakeholder engagement and ownership, sensitive business information programs should be led by the business risk owner who has the most to lose if the information is compromised. A working group or steering committee should be formed involving representatives from legal, finance, human resources, IT, marketing, R&D, sales and distribution, and corporate security. These programs need to be owned by the business – information protection programs owned by ‘security’ are doomed to fail through inadequate stakeholder engagement and support.
