Protecting Your Intellectual Property From Cyberattacks: An Overview

Protecting Your Intellectual Property (IP) From Cyberattacks

Most businesses have something unique, like a product, process, innovation, code, ingredient, recipe, or idea. It’s their “special sauce” or “better mouse trap.” It sets them apart from the competition and will help them change or disrupt the world (hopefully for the good). It’s called “intellectual property” (IP), and protecting it from bad cyber actors is critical.

Why? 

Because if you don’t safeguard your IP, you are putting it at risk of theft. For businesses in the U.S., estimates for IP losses are $225-$600 billion per year. That’s a lot of money, which makes it sound like only the government and large enterprises lose their IP. But that’s just what bad actors want you to think. Individuals (including solopreneurs) and small and mid-sized businesses (SMBs) are also targeted. They may not have billions in the bank, but their secret sauce will still be valuable to criminals, especially if it’s easily accessible. 

What is IP, and do you need to safeguard it?

How many companies have IP? Not every single one does, but most do. Remember that IP exists even if it seems very “small.” A line of computer code or a photo of a hand-written recipe could count as IP. If you have a single asset like a trademark, patent, or copyright, you have IP. Franchises, trade secrets, digital assets — these are all considered IP. For our purpose, let’s define IP as a non-physical asset you own, legally protected from unauthorized use.

Intellectual Property (IP) is a non-physical asset you own, legally protected from unauthorized use.

Is your business susceptible to IP theft? If you’ve never really thought about it, start now. You can begin with the same approach you’d take in assessing the likelihood that your business will suffer a cyberattack. With cyberattacks, it’s pretty simple: if you have money or data, someone will eventually try to take it. With IP, a good rule of thumb is that if your idea is unique enough to invest your time and money into, someone else will also think so, attracting bad actors' attention. 

Who steals IP, and how do they do it?

To safeguard your IP, consider the persons you’re safeguarding it from. These could be competitors, cybercriminals, nation states, or even the businesses across the street that heard you built a “better” widget than theirs. They have a variety of tactics to steal your IP. Over the years, I’ve seen enough attacks to group them into two categories: non-technical and technical.

Non-technical (social engineering) attacks

In the internet age, where most business activity contains at least some digital element, social engineering attacks are considered a subset of cybercrime. But the approach is more of a classic con, and the technology is a means to an end. They call it “social” engineering because it manipulates people's naturally sociable character into exposing sensitive information. Consider these four schemes:

  • Excessively inquisitive vendor: In this case, a vendor starts asking questions about your business details that go behind the scope of your work. Be on the lookout for phrases like, “Tell me about your business and what makes you unique.”

  • Suspect angel investor: If you’re ever approached by an angel investor who says, “We want to invest in your idea, but we need to understand all the specifics,” you should be on alert.

  • Survey to play: In this case, some third party dangles an offer — usually money — that sounds something like, “We will pay you to complete our survey,” where the survey asks specific questions about the details of your business or security measures. 

  • Fake “magazine” editor: When you receive an unsolicited message from a publication you have never heard of before, like, “You are a finalist in our ‘Innovator of the Year Award,’ but first we need specific details on your innovation.” 

In each case, the bad actor tries to massage IP from an alleged business relationship. They try to leverage human nature — flattering you with attention, accolades, or prying into your unique business operations — to get you to “willingly” hand over your IP. Let’s be honest; all my shared examples could be legitimate and benign. For example, an investor will ask questions about your business and IP (to a degree). Therein lies the challenge, deciphering the legitimate from the illegitimate. It also makes the perfect cover for a social engineering attack. My main point here is to be vigilant and aware.

Technical attacks

Technical attacks are more cut and dry. They narrowly focus on extracting IP from the jaws of your computer systems and networks. They try to leverage flaws with your technology to steal your IP. Ultimately, they’re nothing more than cold, hard cyberattacks. Here are some common ones:

  • Use of phishing emails: When you receive an unexpected email with dubious attachments or links.

  • Business email compromise: When bad actors impersonate legitimate partners with misspelled email addresses that end in similarly spelled but illegitimate domains, like @azamon.com or @micorsoft.com.

  • Data breach: When bad actors exploit security lapses in your or your supplier networks.

  • Insider threat: When people inside your organization use their privileged access to steal sensitive data.

In these situations, the human victim never agrees to hand over the IP. It’s just taken from them against their will. 

How do you defend your IP?

So, how can you defend against non-technical and technical forms of IP theft? One way is to build a fortress around your IP. It’s rumored that Coca-Cola locks its “secret formula” in a safe. Maybe it is that simple, but probably not.

Follow a 3-step process

Organizations that value protecting their IP will follow a straightforward process, which I distill into three steps:

  1. Awareness: Understand that you have something worth protecting.

  2. Identification: Name precisely what that special something is.

  3. Action: Take steps to protect that something.

Processes like this sometimes seem too simple to be true. But think about what happens if you miss a step. Suppose you’re unaware of everything that makes your business unique. In that case, you risk being unable to identify all your IP, which means you’re less likely to take specific measures to protect everything.

Check, monitor, and remain proactive in these 6 areas

The cybersecurity war against bad actors will never end. You’ve got to stay proactive, especially regarding specific actions that safeguard your IP. Here are six ways to do that.

  1. Deploy multi-layered defense in depth protective measures of your systems and networks to recognize and stop deceitful behavior. 

  2. Regularly scan for vulnerabilities and patch them as soon as possible. Bad actors are scanning your systems for vulnerabilities nonstop, so you have to stay ahead of them.

  3. Monitor email forwarding to personal accounts, competitors’ domains, and non-business domains (like yahoo.com or gmail.com), and train your employees to learn how to spot suspicious email activity, like phishing

  4. Check and re-check cloud, network, or system settings with an eye on misconfigurations, including using default credentials and passwords — especially third-party.

  5. Keep an eye on data dumps to online storage, including One-Drive, Google Cloud, DropBox, and others. Data downloads by persons not required (or authorized) to download data are worth paying extra attention to, i.e., “Why did Bob from Accounting just download R&D’s product roadmap?”

  6. Be wary of overly inquisitive persons, whether job seekers, employees, outsiders, or vendors. An intern once asked me for our “entire security setup.” When asked, “Why?” he said, “I don’t know.” I asked some more questions before he left. It may have been innocent enough, but I always err on the side of caution.

Remember 5 essential facts about IP theft

We’ve barely scratched the surface of this subject, but the rest is up to you. As we wind down, I’d like to establish five facts about safeguarding IP. 

Want to write for us?

If you're passionate about simplifying cybersecurity, we want you to join us—request to become a decodingCyber contributor.

  1. If you have something to protect — and you probably do, no matter the size of your enterprise — you must protect it.

  2. Copyrights, patents, and legal agreements are essential but won’t secure your secrets from determined adversaries.

  3. A law like the Protecting American Intellectual Property Act is also good and necessary, but to bad actors, it’s not a significant barrier. 

  4. You probably don’t need a full “Counterintelligence, Counter-Insider Threat” program to deal with the threats; a security team should suffice. In addition, building cybersecurity awareness within your organization can help empower your employees to protect your IP.

  5. You have allies — IP theft can be reported to the Internet Crime Complaint Center. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has created an excellent resource for gaining more insights into IP threats like insider threats.

Conclusion

Intellectual property includes all your unique business assets, the things you never want bad actors to steal. You must have defenses against social engineering and more technical attacks to protect them. By devising a protective process, being proactive, and focusing on the essentials, you’re decreasing the chance that your IP will be stolen — and increasing the likelihood that you’ll always be running your business as usual.


Ready for more epic articles?


First… a martini. Shaken, not stirred… then I will share this article with my BBF, Goldfinger!

Are you looking to go to a persona page?

Cyber 101 | The Solopreneur | SMB | BoD

Jeff Johnson

Jeff Johnson is an accomplished corporate security professional and leader. Jeff has held other security positions, including Head of Security, Global Head of Cyber Security Defense and Intelligence, Senior Director, Information Security, Global Lead - Information Security Competence, Awareness, and Training, and Data Privacy and Information Security Manager. He also holds the honor of the coveted One2Watch distinction.

https://www.linkedin.com/in/jeffrey-johnson-0623018/
Previous
Previous

Operational Technology Security: The Silent Guardian of Industry

Next
Next

How to Guard Against Ransomware on a Budget