Microsoft Purview Information Protection – an overview

Author: Paul Curwell

It’s April 2022 – enter, Microsoft Purview

In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining functionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:

  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Data Lifecycle and Records Management
  • Microsoft Purview eDiscovery
  • Various legal holds, auditing and compliance tools, and,
  • Microsoft Purview Information Protection

These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across a range of industries. They are designed to be implemented largely out of the box with configuration (as opposed to customisation); however, more advanced technical skills are required to set up features such as APIs, write PowerShell scripts, and undertake other technical tasks.

Figure: Microsoft Purview solution catalogue. Source: Microsoft (2022), Microsoft Purview – Solution Catalogue

Remember: technology is not the first or only step!

I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.

A well-designed Information Protection Program starts with a fit-for-purpose framework, supported by policies (such as a Code of Conduct, employment and IT Acceptable Use policies), confidential information naming conventions, appropriate physical, cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.

Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.


Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:

  • Trade Secrets
  • Personally identifiable information (PII)
  • Confidential business information (pricing, customer lists, strategies, etc)
  • Research data (eg pre-patent, draft papers), and,
  • Government classified information

Whether Microsoft Purview Information Protection is suitable for managing your organisation’s information risk profile is subject to a few considerations, including:

  • Is your sensitive information stored outside of a Microsoft 365 environment?
  • Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
  • Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?

If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.

What features does Microsoft Purview Information Protection offer?

In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:

  • Sensitivity labels – provide the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (e.g. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and policies set up in your Information Protection Program.
  • Sensitive information types – pattern-based classifiers used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, or a BSB and bank account number. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
  • Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) classification or automated pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
  • Data classification – provides a host of tools for managers of an Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc), and a host of other features. This can help inform the identification of High Risk Roles and Personnel Security Risk Assessments that feed Workforce Screening Program design, as well as the implementation of Information Protection Programs and control improvement plans.
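As an added illustration of how a pattern-based sensitive information type works (this is my own example code, not Microsoft’s implementation), the following Python combines the three ingredients such a classifier needs: a primary regex pattern for the data format, a validation step to discard look-alike numbers, and supporting keywords within a character window that raise the confidence of a match. It uses the Australian Tax File Number, whose weighted modulus-11 check digit is publicly documented; the sample text, the keyword list and the 60-character proximity window are constructed assumptions for the demo.

```python
"""Pattern-based sensitive information detection in the style of a Purview
sensitive information type: a primary pattern, a checksum to validate
candidates, and supporting keywords near the match that raise confidence.
Added example; not Microsoft's implementation."""
import re
from dataclasses import dataclass

# Australian Tax File Number (TFN) check-digit weights: the weighted sum of
# the nine digits must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Primary element: nine digits, optionally grouped 3-3-3 with spaces or hyphens.
TFN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

# Supporting elements (assumed keyword list for this demo): if one appears
# close to the number, the match is reported with higher confidence.
TFN_KEYWORDS = ("tax file number", "tax file no", "tfn")


def tfn_checksum_ok(digits: str) -> bool:
    """Return True if the nine-digit string passes the TFN modulus-11 check."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


@dataclass(frozen=True)
class Detection:
    value: str        # normalised nine-digit TFN
    offset: int       # character offset of the match in the scanned text
    confidence: str   # "high" (checksum + keyword) or "medium" (checksum only)


def classify(text: str, window: int = 60) -> list[Detection]:
    """Find TFN candidates in text, validate them and assign a confidence.

    Candidates that fail the checksum are dropped, which removes most
    nine-digit invoice or reference numbers that merely look like a TFN.
    `window` is the proximity (in characters) within which a supporting
    keyword counts; Purview's own sensitive information types use a
    configurable character proximity in the same spirit.
    """
    detections = []
    lowered = text.lower()
    for m in TFN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if not tfn_checksum_ok(digits):
            continue
        context = lowered[max(0, m.start() - window): m.end() + window]
        keyword_nearby = any(k in context for k in TFN_KEYWORDS)
        detections.append(Detection(
            value=digits,
            offset=m.start(),
            confidence="high" if keyword_nearby else "medium",
        ))
    return detections


# Constructed sample text (not real data): one TFN next to a keyword, one
# look-alike reference number that fails the checksum, and one TFN quoted
# without any supporting keyword nearby.
SAMPLE = (
    "Employee onboarding form. Tax File Number: 123 456 782. "
    "Reference 123-456-789 is an invoice id. "
    "Payroll note: 876543210 was also quoted by phone."
)


def demo() -> list[Detection]:
    """Run the classifier over the constructed sample."""
    return classify(SAMPLE)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.confidence:6} TFN {d.value} at offset {d.offset}")
```

Run as a script, the sample yields a high-confidence hit for the number beside “Tax File Number”, nothing for the invoice reference (it fails the checksum), and a medium-confidence hit for the bare number in the payroll note. The same structure (pattern, validator, supporting evidence, confidence tiers) is what keeps a data loss prevention rule from drowning users in false positives, and it is the part of a custom sensitive information type that should mirror the naming conventions in your Information Protection Program.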

I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.

Two questions I have are what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.

Perhaps most importantly, I strongly recommend you already have an Information Protection Program either operating or the framework development well underway before you procure or implement any technology solution. Pleasingly, so does Microsoft!

Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.

Operationalising your Information Protection Program

All too often, I see cases where organisations have purchased a software solution and expect this will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but it is not a substitute for implementing the program itself.

Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are set up that require new sensitivity labels, or in response to insider threat events.

Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an appreciation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Never heard of Research Security? Why safeguarding your research today is critically important

How did we get here?

Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

Source: Why safeguard your research? Government of Canada (2021).


Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director General Keith Alexander:

“The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”


Is all research and development the target of theft?

Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering and Mathematics (STEM) domains, as opposed to social science or humanities research.


One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk of IP theft as very low.

The knowledge creation process is very easily stymied through excessive security, which can inhibit creativity and innovation. On the other hand, too little security can mean your research walks out the door, either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

What is research security?

Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own gain. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

What is the impact of research theft?

  1. Diminished trust and confidence in your research data and results
  2. Loss of research data
  3. Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
  4. Legal or administrative consequences
  5. Loss of potential future partnerships
  6. Tarnished reputation

Source: Why safeguard your research? Government of Canada (2021).

In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

Source: US Director of National Intelligence,

Canada’s Safeguarding Your Research program

The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

  • Tools for building Security Awareness in the Academic Community
  • A checklist to help determine whether you are at risk
  • Information on mitigating economic and/or geopolitical risks in sensitive research projects
  • National Security Guidelines for Research Partnerships

United Kingdom

In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Centre for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

  • Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
  • Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
  • Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

United States

Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant recipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

Australia – time for a change of attitude?

In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commercial perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominantly on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

Once you have lost your valuable research, you face an expensive and time consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foreign interference.


I’m a research or commercialisation manager – what can I do about it?

Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

This is not easy and requires a good understanding of both security and research / innovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey but remember, the one thing that is clear is the risk of inaction.


Business espionage – the sale of intellectual property on the dark web

What is the dark web?

For those who are new to this concept, the dark web is the third part of the internet: it is not indexed by ordinary search engines and requires a specific web browser (a Tor browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings that sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.


There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.


What is business espionage?

We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets comprised around 80% of a business’s value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.

For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).


The types of IP that are stolen include:

  Research data                 Pricing data
  Confidential information      Customer lists
  Trade secrets                 Product development data
  Engineering schematics        Sales figures
  Proprietary software code     Strategies and marketing plans
  Chemical formulas             Cost analyses
  ‘Know how’                    Personnel data

Examples of IP targeted by business spies – Nasheri (2005)

If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:

  • Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).

In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:

  • Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
  • Targeting of business travellers in hotels, bars, etc
  • Breaches of secured networks by cyber criminals and hackers
  • Opportunistic individuals who find valuable information on an unsecured corporate network
  • Other similar examples

So, to recap, we have the scenario where commercially valuable information (IP) has been stolen – sometimes employees steal IP from an employer as they see it as ‘theirs’ and feel they are the legitimate creator or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party – but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.


Is there a criminal value chain behind the illicit market for stolen IP?

It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?

“It does little good to steal intellectual property if you do not have the expertise to use it”

James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)

I have so many unanswered questions here, but the presenter I referred to earlier mentioned that the prices some buyers pay for stolen IP on these illicit marketplaces are in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:

Figure: hypothesised criminal value chain for stolen IP – © Paul Curwell, 2022

In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just as with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or whom other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount, or take the risk, to buy IP which hasn’t been verified as either authentic (i.e. stolen from the company alleged to have produced it) or non-fictional (i.e. not garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).

In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer independent validation and verification services – for a fee. However, this would also require access to a pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.


Australia’s economic espionage laws: what this means for ‘trade secrets’ protection after 2018

Author: Paul Curwell

Are Australians culturally reluctant to take steps to protect our Intellectual Property?

Throughout my career, I have worked with businesses, R&D intensive organisations and universities which make a living commercialising their Intellectual Property (IP). As an undergraduate biotechnology student, I completed a number of internships with research laboratories in Australia and the United States, before working out that wasn’t the right career for me. Later, as a Master of Technology Management student at business school in Brisbane, I wrote my thesis on the protection of IP. I then moved on to a mix of consulting and industry roles, mostly in financial services. Unfortunately, wherever I go in Australia I regularly encounter situations involving IP and trade secrets theft. For example:

  • A departing employee who blatantly stole IP from their employer, only to find in-house counsel couldn’t be bothered to take action either against the employee or their new employer (where they were using the stolen assets) as they didn’t consider IP theft a real issue
  • Another company not only failed to terminate the IT accounts of multiple employees who had left at the same time for a direct competitor, but those employees also stole their former employer’s laptop and used it and their login credentials to log in to their former employer’s IT network from their new employer’s offices to steal the IP they hadn’t already taken, as well as commercial material such as pricing which had been updated since they left
  • An employee who had a lucrative contract with a foreign third party to supply the research paid for by their primary employer to the third party, without the knowledge of the primary employer and in breach of their employment contract and fiduciary duty

Based on my experience, I am comfortable saying the culture of IP protection, and the maturity of associated IP protection programs, in Australia is low. Australian businesses are overly reliant on legal measures to protect our IP, at the expense of adequate security and insider threat programs. Unfortunately, once your IP is gone, it is very expensive and time consuming to get it back. Having spent almost 20 years working in the fraud and security field, I am still amazed at the way in which we protect our confidential information and IP in Australia, and the almost complete disregard we show both for protecting these intangible assets and for responding when something goes wrong. This is in complete contrast to the US and other R&D intensive nations. Slowly, finally, things are starting to change.

‘Trade secrets’ defined for the first time in Australian legislation

In August 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 received royal assent, and now forms part of Australia’s Criminal Code Act 1995 (Cth). Theft of trade secrets and IP is big business globally, involving nation states, criminal groups and individuals. The US Trade Representative estimates the cost of trade secrets and IP theft at US$200bn to $600bn annually. When the perpetrator is a nation state, or acting on behalf of a nation state, this is termed ‘economic espionage’ (as opposed to traditional espionage, which focuses on theft of national security related information). When the perpetrator is a competitor or private intelligence company, this is termed ‘industrial espionage’. In Australia, economic espionage is considered a form of Foreign Interference.

Foreign interference is activity that is:

  • carried out by, or on behalf of a foreign actor
  • coercive, corrupting, deceptive, clandestine
  • contrary to Australia’s sovereignty, values and national interests

Foreign interference activities go beyond routine diplomatic influence and may take place alongside espionage activities. A range of sectors are targeted:

  • democratic institutions
  • education and research
  • media and communications
  • culturally and linguistically diverse communities
  • critical infrastructure

Most Australians don’t believe industrial or economic espionage happens here in fortress Australia, but unfortunately these practices are alive and well; it’s just that they rarely make it to the courts or hit the headlines, and victim companies rarely, if ever, disclose this fact. So what does this new legislation do? Effectively, it “introduces a new offence targeting theft of trade secrets on behalf of a foreign government. This amounts to economic espionage and can severely damage Australia’s national security and economic interests. The new offence will apply to dishonest dealings with trade secrets on behalf of a foreign actor”.

92A.1 Division 92A – Theft of Trade Secrets involving a Foreign Government Principal

The penalty for committing this offence is 15 years imprisonment.

Division 92A does not cover theft of confidential information or trade secrets where there is no involvement of a foreign government. Those cases are addressed under other legislation as well as under common law, and will be the subject of a separate post.

What is a ‘Foreign Government Principal’?

Under section 90.3 of the legislation, an offence of trade secrets theft requires the perpetrator (e.g. the employee) to be acting on behalf of a ‘foreign government principal’. Note that the legislation also defines a ‘foreign principal’, which is a different term. A ‘foreign government principal’ is defined as follows:

  • the government of a foreign country or of part of a foreign country;
  • an authority of the government of a foreign country;
  • an authority of the government of part of a foreign country;
  • a foreign local government body or foreign regional government body;
  • a company defined under the Act as a foreign public enterprise;
  • a body or association defined under the Act as a foreign public enterprise;
  • an entity or organisation owned, directed or controlled:
    • by a foreign government principal within the meaning of any other paragraph of this definition; or
    • by 2 or more such foreign government principals that are foreign government principals in relation to the same foreign country.

Importantly, the legislation is written quite broadly so as to encompass many of the typologies typically found with economic espionage, namely the involvement of national as well as state / province and local level government agencies, associations and similar legal entity types.

Section 70.1 of the Criminal Code 1995 provides a comprehensive definition of a ‘foreign public enterprise’ which encompasses both formal control (i.e. in the form of shareholdings) as well as influence (i.e. indirect or coercive control which might be exerted against a company’s key persons by a foreign government to ensure support).

Three elements of the offence define expectations of employers – IP Protection programs

In addition to the involvement of a ‘foreign government principal’, a person (e.g. an employee or contractor) commits an offence under Division 92A if the person dishonestly receives, obtains, takes, copies or duplicates, sells, buys or discloses information, and the following three circumstances exist:

  • The information is not generally known in trade or business, or in the particular trade or business concerned
  • The information has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated
  • The owner of the information had made reasonable efforts in the circumstances to prevent that information from becoming generally known

The first circumstance is relatively straightforward: if the information is public or in any way considered ‘common knowledge’, it is not a trade secret. Secondly, like all forms of IP, trade secrets must have some form of commercial value, for example by being used to build or do something which creates a saleable asset or generates revenue. Lastly, the owner of the trade secret(s) must have taken reasonable steps to protect that information from unauthorised disclosure, i.e. must have implemented an IP Protection program.

These elements are common to the definitions of a trade secret in other jurisdictions, such as the United States and Canada. The legislation does not, however, provide any guidance on what a court might consider ‘reasonable efforts’ to protect such information. There is a body of industry better practice describing what IP Protection programs should look like, which employers and IP rights holders can use to inform these decisions. For more information, have a read of my earlier post on this subject.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

How is confidential information compromised?
In this previous post, I discussed what we mean by intellectual assets and confidential information, and who might want to compromise it. I again pick up the topic of confidential information, which is the foundation of any trade secrets protection in Australia. This post provides an overview of what I consider the nine main attack vectors for confidential information, why it is important to understand the value of your critical information assets before spending money to protect them, and how managers can build a confidential information protection program for their business.

Research and development is one category of confidential information
Photo by Tom Swinnen

Confidential information can be compromised through 9 main ‘attack vectors’

Sensitive, non-public information can be compromised through a range of avenues (attack vectors) by external parties or trusted insiders. The following list, whilst not exhaustive, illustrates the sheer number of avenues by which sensitive business information can be compromised:

  • Espionage techniques – whether perpetrated by competitors, ‘information brokers’ or nation states
  • Cyber attacks – by far one of the easiest, lowest risk and most successful vectors if recent events are any indicator
  • Insider threats – including theft, copying, unauthorised disclosure, ‘innocent disclosure’ (i.e. intentional disclosure made to look like an accident) and large scale data leaks
  • Technology transfer – through acquisitions and licensing
  • Research partnerships
  • Staff exchanges, secondments and laboratory visits
  • Direct investments – including venture capital and private equity
  • Listings on foreign stock exchanges – where foreign governments may seek to forcibly access premises or IT systems and copy information
  • Supply chain infiltration – including of Contract Research Organisations and Contract Manufacturing Organisations

Each of the above is an example of a vector used to obtain sensitive business information. Typically, threat actors start with the easiest and least expensive option. Professionals who engage in wholesale sensitive information theft, whether of PII or intellectual property, are typically very patient and may be willing to wait years for the right opportunity. Companies which create valuable information assets often have better security and greater staff security awareness (i.e. are a harder target), thus they are likely to be on the receiving end of more sophisticated methods by opponents. Fortunately, this does not mean protecting sensitive information is impossible. Rather, what it requires is a robust framework to mitigate the risk.

Renewable energy technology is highly competitive and a target of research theft.
Photo by Gustavo Fring

Before protecting information, we need to understand its value

It is not practical or cost-effective to protect every asset in an organisation to the same standard, and this goes double for information. A foundation principle of security is to apply controls only to assets of value. This is relatively simple to determine for tangible, physical assets, but in practice is somewhat difficult for intangible assets. In my consulting practice, I have worked with a number of knowledge-intensive organisations to identify and assess their sensitive information. This exercise is really all about balance, compounded by the fact that information at the start of a process (e.g. the commencement of R&D) may not be valuable, whilst at some point along the way a confluence of events means the information becomes highly sensitive.

Trade Secrets are another category of confidential information
Photo by Erik Mclean

The challenge is to identify the point at which that happens, as too many controls will affect the productivity of knowledge workers, who instinctively want to share and learn. Locking information away in silos goes against the innate behaviour of knowledge workers and will also impact your organisation’s ability to innovate. In contrast, inadequate control coverage means valuable information is not adequately protected and could easily be lost. Coincidentally, I completed my Master’s level research project on this very topic as part of the Technology Management program at the University of Queensland Business School.

When working with clients I typically follow a five step process to complete this exercise:

  1. Compile an inventory of all types of information within the organisation, the creator (originator) and recipients, and where it is stored
  2. From this inventory, group the information into categories such as public, Personally Identifiable Information, non-sensitive business information and Sensitive Business Information. This activity can quickly become unwieldy, so you will probably need to sub-categorise information as you go
  3. Rank or prioritise your information from most to least sensitive. This might be on the basis of value (i.e. potential future revenue generating capacity), regulatory compliance or reputation / commercial damage if disclosed (e.g. loss of market share)
  4. Identify your internal control environment in relation to your most sensitive information. Is this information adequately protected?
  5. Focus your information protection program on these areas and develop a plan to uplift internal controls where gaps exist and information is left unprotected

Confidential information needs to be identified and protected
Photo by Pixabay

How do you build a confidential information & trade secrets protection program?

In larger companies, sensitive information protection programs typically comprise a specialised element of the enterprise’s broader corporate security program, which provides the security foundation on which information protection builds. Smaller organisations, however, may not have a robust security program in place beyond a limited IT security capability and a security manager responsible for guard-force management. Corporate security programs today involve far more than security guards: they have evolved to a high level of sophistication to address the diverse range of complex threats faced by companies operating domestically and overseas. More on this in future posts.

There are seven key components of a confidential information protection program

The seven key elements of a confidential information protection program are as follows:

  1. A framework which brings together all relevant program elements, identifies risk owners and stakeholders, and sets the tone from a policy implementation and guideline perspective. This framework should be subordinate to other organisational frameworks, such as Risk and Compliance
  2. An appropriate Information Registration, Classification, Marking, Tracking & Destruction scheme to ensure sensitive information is clearly identified and can be protected at each phase of the lifecycle
  3. Security awareness training for all staff, but particularly those working with (or creating) the sensitive information
  4. Tone from the top, with the importance of information protection being clearly recognised and with executives and the board following internal procedures
  5. A threat and risk assessment, to clearly identify the threats and risks to the sensitive information and the associated controls
  6. A risk-based protective security program comprising physical, cyber, information (non-cyber) and personnel security elements to address the risks, and
  7. Appropriate detection, incident management and investigation capabilities to enable timely detection and response to any incident, minimising further damage

To ensure adequate stakeholder engagement and ownership, sensitive business information programs should be led by the business risk owner who has the most to lose if the information is compromised. A working group or steering committee should be formed involving representatives from legal, finance, human resources, IT, marketing, R&D, sales and distribution, and corporate security. These programs need to be owned by the business – information protection programs owned by ‘security’ are doomed to fail through inadequate stakeholder engagement and support.


In business, confidential information is a critical asset

Author: Paul Curwell

Intellectual assets are strategically important in business today

Intellectual Assets can exist in a variety of forms, though they are all based upon the generation, capture and protection of valuable knowledge (the ‘information lifecycle’). Their foundation is fragile, as it is dependent upon the transition of tacit knowledge possessed by an individual into the organisation with which they are associated. Once transferred, organisations must convert that employee’s tacit knowledge into value-creating processes, products or practices. However, a diverse range of criminal and commercial activities threaten the viability of knowledge-intensive companies.

According to statistics quoted from the US Trade Representative, some aspects of “American IP theft costs between US$225bn – US$600bn annually“. These statistics relate to only one segment of the problem, so the true value is probably higher, highlighting the somewhat ‘hidden’ nature of the problem. As recognised by global accounting standards, information today is an (intangible) asset: it needs to be protected like any other tangible asset or item of value.

Companies in knowledge-intensive industries typically have a heightened awareness of the value of their Intellectual Assets and place greater emphasis on information protection as part of an overall IP strategy. However, in my direct experience Australians still lag somewhat behind our North American, European and Asian peers when acknowledging the magnitude of the threat. Here in fortress Australia, where most people and companies play by the rules, we have a tendency to think the rest of the world is like home. In reality, the border-less nature of crime today means that no-where is safe when it comes to protecting sensitive business information.

Photo by ThisIsEngineering

What do we mean by confidential information?

There are a range of categories of sensitive information, with sensitivity being determined by factors such as commercial value, regulatory obligations to protect the data, and competitive advantage. In my experience, Australian businesses often overlook the importance of commercially valuable information in favour of a heightened focus on Personally Identifiable Information, a result of Notifiable Data Breach legislation and increased awareness of privacy generally. For the purposes of this post, I have outlined three categories of ‘sensitive’ information:

  • Intellectual Property (IP) – predominately in the form of copyright and patents
  • Sensitive Business Information (SBI) – otherwise referred to as ‘proprietary information’ (US terminology) or ‘confidential information’, this category is anything with commercial value, including strategic plans, customer lists, pricing and ‘trade secrets’
  • Personally Identifiable Information (PII) – information that must be protected under privacy legislation, comprising any information that can be used to identify an individual

Photo by Donald Tong

This post focuses on Sensitive Business Information protection.

‘Sensitive information’ exists along a continuum, with information being ‘sensitive’ by virtue of the fact that it is not public or widely known. For example, research data being prepared for submission in a patent by a research institute is sensitive and must be protected from theft, loss or misuse until the point where the patent is published. Upon publication, the information becomes widely known and can be consumed by anyone – noting that profiting from the information in the patent or using it commercially requires a license and payment of royalties. This means it is important to consider the ‘information lifecycle’ when we create information protection programs as security frameworks and controls must reflect the risks and information usage activities which apply at each phase of the lifecycle.

According to the literature, information has its own five-phase lifecycle (Sharma, 2011), as follows:

  • Creation and Receipt – the point from which information is created (origination)
  • Distribution – of the information to end users or recipients
  • Use – where information is applied to a specific purpose
  • Maintenance – includes storage, categorisation, and processing of information
  • Disposition – includes the destruction, archiving or other retention decisions

To further highlight the importance of the lifecycle using the above patent example, research data might start out as ‘sensitive business information’ when it is created, only to become Intellectual Property when it is subsequently used (i.e. published as letters patent). In this example, many of the security arrangements used to protect the research data before publication can be relaxed once the patent is published, as keeping the data secret is no longer what gives it value.

Photo by Valeria Boltneva

Threat Actors seek to compromise your sensitive information

When we discuss security problems generally Australians like to talk about risks rather than the root cause of the risk. When talking about all types of security or fraud issues, that root cause is human. Whatever their motive, threat actors seek to do or cause harm. I’ve been helping companies and governments identify and mitigate threats from hostile actors of all forms for almost 20 years. My starting point for dealing with threats is to divide them into two categories – internal and external – based on their level of access and influence within the organisation:

  • Internal threats involve ‘trusted insiders’ – employees and third parties with privileged access to the organisation by virtue of their employment or contractual arrangement
  • External threats – those outside of the organisation, including organised crime, nation states, terrorists, private intelligence collectors, and competitors

External threat actors often work with trusted insiders to compromise sensitive information. This can be collusive, where the insider voluntarily steals information in return for bribes or some other financial or non-financial advantage, or coercive, where the insider, or their family, is threatened (extorted) or blackmailed into compromising the information.
