With an overnight WFH revolution, a chance for companies to reassess their IP security

The year 2020 continues to witness a parade of upheaval, but in tech it will be remembered as the year the global workforce became remote overnight. This tectonic shift has forced enterprise businesses to reconsider every part of their operation, from office space to HR practices to tech stack—and reassess their security risks along the way. And in an age where intellectual property (IP) is the beating heart of tech companies, IP security should be top of mind for the C-suite of any enterprise with knowledge worth guarding.

I’ve been working in digital intelligence for more than 30 years and have assisted the U.S. Secret Service, FBI, U.S. Marshals Service, and other agencies to prevent IP theft and find IP violators. BlackBag was recently acquired by Cellebrite to become part of a comprehensive suite of IP security tools, so I’ve seen how huge the international impact of IP theft is. The value of all U.S. IP is estimated at $12 trillion[1] growing up to $800 billion annually, and Deloitte estimates[2] IP breaches can end up costing companies billions (with a “b”) when all the knock-on consequences are factored in.

Chinese theft of American IP is estimated to cost the economy between $225 and $600 billion each year[3] , and Russian, Iranian, and Indian actors are also considered considerable threats[4]. All those billions of dollars mean IP remains a tempting target for malicious actors as long as there are vulnerabilities to be exploited. The sudden shift to widespread remote work has exposed even more of those vulnerabilities. But it is also a perfect moment in time for enterprises to reassess how they are safeguarding their IP.

While some more forward-thinking companies have been preparing for a more remote future, no one expected it to happen so quickly in such a sweeping manner.

What makes the work-at-home shift so challenging from an IP security perspective?

• We can no longer take physical access to devices for granted. Security protocol may assume physical access to a device. Previously, when an employee was preparing to leave an organization and foul play was suspected, the standard operating procedure of collecting devices for review was as simple as walking into their office. Now, security teams might never see those devices again, or have to wait weeks or months before they can perform data extractions on the physical units. This means even more time lost before the enterprise can respond to any breaches (or even know if one occurred).

Universal remote work requires equally remote ways of monitoring, detecting, and responding to security threats. Of course, these technologies exist in abundance—but if a company’s IP strategy assumed easy access to devices, they’re in for an uphill battle for the foreseeable future.

• Widespread remote work means even less information for the detection and prevention of IP theft. In one case of IP theft, an employee stopped by the office late at night, after a kid’s school event, to pick up something they’d forgotten. They happened upon another employee trying to access their desktop. The incident was immediately escalated, and while the employee caught in the act was successful in taking the data they desired, the company was able to recover the data shortly thereafter.

This is indeed a serendipitous event, but it serves to illustrate that without human beings in a physical office, companies will be missing out on many of the tell-tale physical clues that might indicate suspicion, like sudden changes in behavior or appearance. It’s obvious in an office when someone is somewhere they are not supposed to be. In the new digital “office space,” that’s an entirely different challenge. 

• When the cat’s away, the mice will play. The remote work pendulum is not swinging in a vacuum: this is a period of watershed change in all sectors of economy, society, and government. And in times of uncertainty, we can be sure of one thing: malicious actors are looking to take advantage of this unexpected moment of uncertainty, hoping to be lost in the considerable noise. Employees might even feel emboldened to attempt IP theft if they feel they’re no longer “in the sights” of company security because they’re working remotely.

Executives, distracted by business upheavals, or even dismissive of IP security, should remember: if Jeff Bezos’ phone can be hacked, so can theirs. These are exactly the types of global conditions which call for buckling down and the need for companies to utilize Digital Intelligence (DI), which is the data that is extracted from data sources, including smartphones, drones, computers CCTV, apps, cloud, and many other sources. And the process by which agencies access, manage, and leverage data to more efficiently run their operations. Having a DI strategy (and the right tools and trained personnel) in place to help pinpoint security breaches, assess what IP theft may have occurred, and help identify perpetrators is critical. And, as with many corporate efforts, security focus has to start at the top.

The challenges are myriad. But companies are also presented with a great opportunity to shore up their defenses and prepare even more thoroughly for a more remote future of work—and of IP security.

Here’s why right now is a great time for enterprises to reassess how they protect their IP

• With blended systems comes the need for blended security and awareness. The confluence of computer, mobile, and Cloud across business and personal devices is forcing companies to change the way they approach their tech in general. Tech employees today are bouncing between three to four devices per day and expect seamless access to all the cloud-based tools they need. The “safehouse” environment of the office no longer exists. Reliable, cloud-based security is more critical than ever, and goes hand-in-hand with retooling a company’s tech stack to handle a remote workforce. This needs to include significant forethought for a whole new blended battlefield of IP threats.  

• This is a time to reassess what is truly important to your enterprise. Across industries, businesses are having to take a long, hard look at their operations—the status quo no longer exists. As part of this process, they need to reassess what they actually have to protect. Put another way, what are the Crown Jewels of IP for your company? Who should have access to this information, and who actually has access today?

  Too often companies design their security protocols before answering the basic question of what, indeed, they are protecting. Just as the pandemic and lockdown have exposed some fundamental flaws in what seemed like basic business assumptions, it’s probably led many to realize they’re either not protecting what matters or wasting huge amounts of time and energy protecting something that doesn’t.

• The only better time than today to ensure your IP is protected is yesterday. Of course, this is always true: there’s no such thing as “retroactive security.” The unfortunate reality is that IP theft is a matter of when, not if. In many cases, IP theft goes undetected until well after the fact. Preparedness is everything when it comes to protecting critical IP, and if the worst scenario unfolds, enterprises should feel confident they have the tools, processes and expertise in place to handle the fallout and protect themselves financially and legally.

• The experts are paying even closer attention to the evolving IP threat landscape. Outside expertise can give your company a leg up, and I can tell you from personal experience the security community is rising to the challenge of post-COVID remote business. It can be hard to know where to start when it comes to protecting IP. Luckily, there are many experienced, reputable experts out there who can help. Even if the ultimate goal is to have an in-house team handle your IP security, external consultants are critical for establishing the right foundation for security protocols.

The challenge of adapting to a world being reshaped beneath our feet also presents an opportunity to build the security infrastructure to protect IP in the new enterprise reality that is unfolding before us. So, as your company rises to the challenge of the post-COVID tech landscape, take the time to ensure your most valuable assets—your intellectual property—are unquestionably secure.

Sources:

[1] Retrieved August 14, 2020 from https://money.cnn.com/2018/03/23/technology/china-us-trump-tariffs-ip-theft/index.html

2 Retrieved August 14, 2020 from https://www2.deloitte.com/content/dam/insights/us/articles/loss-of-intellectual-property-ip-breach/DR19_TheHiddenCostsOfAnIPBreach.pdf

3 Retrieved August 14, 2020 from https://money.cnn.com/2018/03/23/technology/china-us-trump-tariffs-ip-theft/index.html

4 Retrieved August 14, 2020 from the Foreign Economic Espionage in Cyberspace Report 2018

Retrieved August 14, 2020 from https://www.whitehouse.gov/wp-content/uploads/2020/04/IPEC-2019-Annual-Intellectual-Property-Report.pdf

Retrieved August 14, 2020 from https://www.whitehouse.gov/wp-content/uploads/2020/04/IPEC-2019-Annual-Intellectual-Property-Report.pdf