Author Archives: Paul Curwell

About Paul Curwell

I help businesses protect their Intellectual Property (IP), revenue and product from fraud and security threats. My content provides clear steps to protect your Trade Secrets, attract investors, and accelerate business growth from startup to commercialisation using my RTP Playbook.

Protecting Your R&D When Outsourcing Rapid Prototyping

Posted on by

Paul Curwell

5–7 minutes

3 Key Takeaways:

  • Outsourcing rapid prototyping is essential for speed and cost efficiency but poses serious trade secret and IP risks.
  • Real-world cases show that failing to protect your R&D can lead to trade secret theft, fraud, and competitive loss.
  • A proactive strategy—including legal safeguards, secure operations, and ongoing monitoring—can mitigate risks.

Rapid Protyping offers many benefits, but be sure to manage your risk

Outsourcing rapid prototyping is a game-changer for R&D-driven businesses. It accelerates innovation, slashes development costs, and opens doors to specialist skills and cutting-edge tech that would be costly to build in-house. With the global rapid prototyping market projected to soar from $3.33 billion in 2024 to over $21 billion by 2034, it’s clear that more businesses are embracing this approach to stay ahead of the curve. Fixing design flaws early during prototyping can be up to 100 times cheaper than post-release corrections—a compelling reason why prototyping is no longer a luxury, but a business imperative.

Types of Rapid Prototyping Techniques

Common prototyping methods include:

  • Stereolithography (SLA): High-detail resin printing.
  • Fused Deposition Modeling (FDM): Budget-friendly plastic extrusion.
  • Selective Laser Sintering (SLS): Durable powder-based prints.
  • Direct Metal Laser Sintering (DMLS): Precision metal parts.
  • CNC Machining: Subtractive manufacturing for high-strength components.

Each technique has its own supply chain risks, making security considerations essential from the outset.

But here’s the catch—outsourcing means sharing your most valuable assets: trade secrets, proprietary designs, and sensitive R&D data. Whether you’re working with a niche 3D printing firm or a global manufacturing partner, the risk of IP theft, insider threats, or accidental disclosure is real. In fast-moving industries like automotive, biotech, and consumer tech—where time-to-market is everything—balancing speed with security is critical. This article explores how founders can unlock the full potential of prototyping and outsourcing, while putting practical guardrails in place to protect their intellectual property and business viability.

The Need for Outsourcing Rapid Prototyping

Startups and SMEs often lack the in-house capabilities for advanced prototyping. Outsourcing helps by:

  • Cutting costs—no need for expensive machinery or full-time specialists.
  • Providing access to world-class expertise in emerging technologies.
  • Accelerating product development and market entry.

But with these benefits come significant risks. Handing over your prototype means exposing critical trade secrets to external partners—some of whom may not be as trustworthy as they claim.

Example of additive manufacturing used in rapid prototyping
Photo by FOX ^.ᆽ.^= ∫ on Pexels.com

Case Study: IP Theft in Outsourcing

A U.S. medical device startup learned this lesson the hard way. They outsourced prototyping to a foreign manufacturer, only to discover a near-identical product in the market months later. The culprit? Their own supplier, who exploited weak contractual protections to replicate and commercialise the design. The result: financial loss, legal battles, and an irreparably damaged competitive advantage.

Lesson learned? If you don’t protect your trade secrets, someone else will profit from them.

Startup Sabotage: A Trade Secret Theft Case Study & How to Protect Your Company

Understanding IP Protection for Prototypes

Trade Secrets vs. Patents

Patents are great—until they aren’t. They require public disclosure and take years to secure. Trade secrets, on the other hand, remain confidential as long as they are actively protected. Most prototypes fall under trade secrets because early-stage innovation needs secrecy, not immediate disclosure.

Copyright automatically applies to design files and software components. However, international enforcement can be tricky, making additional legal steps essential when working with overseas partners.

Risks Associated with Outsourcing R&D and Rapid Prototyping

The top risks include:

  • Trade secret theft—unauthorised copying or sharing of designs.
  • Copyright infringement—misuse of software and design blueprints.
  • Ownership disputes—who really owns the prototype files and production molds?
  • Loss of core expertise—outsourcing critical R&D can weaken in-house innovation.
  • Reputational damage—a security breach can erode investor and customer trust.

International Considerations for Australian Businesses

Australia’s trade secret and IP laws are predominately enforced via civil means, but overseas is another story, especially if you’re outsourcing to less developed countries. Many jurisdictions have weaker protections, making stolen IP difficult to recover or your IP rights difficult to enforce.

Don’t forget – you actually need to have funds available for any legal dispute. If you can’t afford it, then don’t rely on legal battles and contractual enforcement: A good security program is your friend!

Specific Risks for Australian Businesses

Countries with high rates of IP theft pose unique challenges. Contracts mean little if enforcement is lax. This is why due diligence on foreign partners is just as important as the contract itself.

pexels-photo-20326699.jpeg
Photo by Jakub Zerdzicki on Pexels.com

Steps to Protect Your R&D When Outsourcing

Before Outsourcing

  • Identify and classify critical trade secrets.
  • Research suppliers’ security track records.
  • Assess the legal landscape in the outsourcing country.
  • Perform a security risk assessment to ensure you understand the risks (including supply chain risks and country-specific laws), and what you need to do to manage them.
  • Develop your Research and Technology Protection Program to ensure you understand the risks and know what controls you need to implement in your contractual measures and operational safeguards
How can Insider Threats manifest in the Supply Chain?

Contractual Measures

  • Use watertight non-disclosure agreements (NDAs).
  • Clearly define IP ownership and usage rights in contracts.
  • Specify dispute resolution mechanisms.
  • Include post-collaboration IP return/destruction clauses.

Operational Safeguards

  • Limit access to sensitive data—adopt a need-to-know approach.
  • Use secure data transfer methods (encrypted channels, VPNs).
  • Implement strict version control on prototype files.

Monitoring and Control

  • Conduct regular audits of outsourcing partners.
  • On-site visits to assess security practices.
  • Track prototypes through serial numbering and logging systems.
  • Obtain signed attestations or legally-binding declarations to confirm that all products, materials and designs / data / information have been destroyed or returned on completion of the work.
  • Maintain detailed documentation of all proprietary designs.
  • Register copyrights where applicable.
  • Seek legal counsel in the outsourcing country for enforcement advice.

Conclusion

Innovation thrives on collaboration, but unprotected outsourcing can be a goldmine for IP theft. Trade secrets, fraud, and supply chain risks aren’t hypothetical—they’re real threats with billion-dollar consequences. Protecting your R&D requires a mix of legal safeguards, operational discipline, and continuous oversight.

Want to secure your innovation while staying ahead of the competition? Start by reviewing your outsourcing agreements today—before someone else commercialises your ideas.

Further Reading

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Crafting Security Business Cases for Executive Buy-in

Posted on by

Paul Curwell

6–9 minutes

Key Takeaways:

  1. Here’s the bottom line: Executives don’t fund security initiatives; they fund outcomes. A strong business case is essential to get their support.
  2. Focus on Impact, Not Activity: Executives care about how your proposal boosts business outcomes, not your list of security tasks.
  3. Show Value Beyond Compliance: Prove that security investments enable growth, reduce risk, and give your company a competitive edge.
  4. Quantify Risks and Benefits: Use statistics and real-world examples to demonstrate how security measures can save money or prevent significant losses.

What’s the Real Deal with Business Cases for Security?

Let’s be real: writing a business case for security, fraud, or IP protection can feel like trying to convince your dog to do your taxes—it’s tough and often gets ignored. Unlike departments that directly generate revenue, these functions are often viewed as “cost centers.” But the truth is, they’re vital for preventing catastrophic losses. Think about it: how much would a major data breach, insider threat, or IP theft cost your company? Exactly. That’s where your business case comes in.

If you want executives to take your proposal seriously (and fund it), you need more than just a list of security threats or the need for more budget. You need to speak their language. Executives want to know how your proposal will reduce risk, drive growth, and improve profitability. If your business case doesn’t hit those marks, expect a polite nod and zero budget. So how do you get the green light? You need to answer these seven crucial questions in your security business case.

an exhausted woman reading documents
Photo by Mikhail Nilov on Pexels.com

7 Key questions executives care about – linking security to strategic outcomes

The challenge is proving that security isn’t just about checking boxes or avoiding fines—it’s about tangible business outcomes: protecting revenue, improving customer trust, and enabling expansion into new markets. If you can’t connect security investments to these results, your proposal won’t make it past the trash can. So, let’s dive into the key questions executives are really asking when reviewing your case.

Question 1: What’s the Impact?

Executives want to know how your security investment will improve business resilience, customer trust, or revenue. Security isn’t just about defending against threats; it’s about keeping the lights on, ensuring smooth operations, and even opening new markets. Can your proposal do that? If not, it’s not going to get approved.

Useful strategy metrics for security business cases include:

  • Brand Equity (measured through surveys)
  • Customer Lifetime Value (CLV)
  • Net Promoter Score (NPS)
  • Revenue impact from security investments
  • Customer Trust Index (measured through surveys)
  • Employee Engagement Score

Question 2: Will This Stop Downtime (and Make Us Look Good)?

Downtime is the nightmare that keeps executives up at night. Every minute of downtime can cost your company thousands of dollars. Worse, it leads to frustrated customers and a PR disaster. You need to show how your security initiative prevents downtime, ensures business continuity, and (let’s be honest) makes the execs look like rockstars.

Useful strategy metrics for security business cases include:

  • Cost of Downtime
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
  • System Uptime Percentage
  • Mean Time Between Failures (MTBF)
  • Mean Time to Resolve (MTTR)
  • Customer Satisfaction Scores

Question 3: Can This Help Us Expand Into New Markets?

Want to expand into new geographies or high-compliance industries? Security plays a key role here. New markets require solid compliance and security frameworks. Prove that your security investment is the gateway to growth, not just a cost center.

Useful strategy metrics for security business cases include:

  • Market Penetration Rate
  • Revenue from New Markets
  • Market Share in New Segments
  • Compliance Rate with Market-Specific Regulations
  • Profit Margin in New Markets

Question 4: Does This Make Us Better Than Competitors?

In today’s world, security is a competitive differentiator. Customers stick with companies they trust to protect their data. Your company’s security posture could be the reason a customer chooses you over the competition. Show how your security proposal will improve customer retention and acquisition rates.

Useful strategy metrics for security business cases include:

  • Customer Retention Rate (churn)
  • Customer Acquisition Cost (CAC)
  • Security Breach Incident Rate (compared to industry average)
  • Brand Trust Index (measured through surveys)
  • Competitive Benchmarking Scores

Question 5: Are We Saving Money or Just Spending It?

Let’s face it—compliance fines can be crippling. A solid fraud detection, Trade Secrets or IP protection system can save your company millions. Demonstrate how your security investment prevents financial losses, whether from regulatory fines, operational downtime, or reputational damage.

Useful strategy metrics for security business cases include:

  • Return on Security Investment (ROSI)
  • Total Cost of Ownership (TCO) for Security Solutions
  • Operational Cost Savings
  • Compliance Fine Avoidance (measured in cost savings)
  • Automation Efficiency Gains

Question 6: How Much Risk Does This Actually Remove?

No one can eliminate risk entirely, but you can reduce it. How much are you saving by investing in security today to avoid a breach tomorrow? Help your execs understand the cost-benefit—are you spending $100K today to avoid a $5M loss in the future? Make the numbers clear.

Useful strategy metrics for security business cases include:

  • Risk Mitigation Rate
  • Expected Loss Reduction
  • Risk Score Improvement
  • Vulnerability Management Efficiency
  • Reduction in Security Incidents

Question 7: What’s the Brand Damage if We Don’t?

Nobody wants to be the next big breach in the headlines. Think Target, Equifax, or Sony. Show how your proposal protects the company’s reputation and brand equity, which can take years to build and mere seconds to destroy.

Useful strategy metrics for security business cases include:

  • Brand Valuation
  • Media Sentiment Analysis Score
  • Social Media Engagement Rates
  • Employee Net Promoter Score (eNPS)
  • Employee Turnover Rate
positive senior man in eyeglasses showing thumbs up and looking at camera
Photo by Andrea Piacquadio on Pexels.com

Writing Business Cases for Non-Revenue Generating Functions: The Struggle Is Real

It’s not easy to sell risk and compliance functions because they don’t directly generate revenue. But that doesn’t mean they don’t provide value. Here’s how to make your case:

  • Focus on Cost Avoidance and Risk Mitigation: A solid security program prevents disasters before they happen. Consider the massive fine HSBC faced for anti-money laundering violations: $1.9 billion. Your security measures are the front lines against such catastrophic fines and reputational damage. Use metrics like Annualised Loss Expectancy (ALE) to show how much risk you’re removing.
  • Emphasise Indirect Revenue Enablement: Compliance and security aren’t just about avoiding risks—they also enable growth. A strong security posture can open doors to new markets, especially if you’re meeting the right regulatory standards. By investing in security, you can unlock new opportunities for revenue without worrying about fines or legal issues.
  • Link Security to Strategic Goals: Non-revenue functions like risk management enable other revenue-generating activities. Think about how security protects supply chains, ensures smooth operations, and allows for market expansion. Security supports business continuity, which directly impacts the company’s ability to generate revenue.
  • Qualitative Benefits Matter Too: Not all benefits can be measured in dollars, but that doesn’t mean they’re less important. Enhanced trust, better customer relationships, and a positive corporate culture all contribute to the company’s long-term success.
Developing an compliance obligation register for your business

The Bottom Line: Get Your Security Business Case Right

Security business cases should focus on outcomes, not just activities. Link your proposals to business strategy and demonstrate how security helps reduce risk, save money, and enable growth. Link your business case to your strategy by addressing the seven questions executives care about and you’ll put yourself in a strong position to secure the budget you need.

What’s Your Next Step?

Take a fresh look at your security business case. Does it speak to business outcomes? Does it quantify risk reduction and highlight opportunities for growth? If not, it’s time to rewrite it. Trust me, your executives will thank you.

Further Reading

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

How to help your business survive the global Economic Coercion wrecking ball

Posted on by

Paul Curwell

5–7 minutes

Key Takeaways:

  1. Economic Coercion is now a core weapon in global power struggles, directly impacting industries like tech, agriculture, and critical infrastructure.
  2. The biggest risks? Supply chain disruption, IP theft, and regulatory nightmares.
  3. Businesses that diversify, protect their trade secrets, and strengthen partnerships will be the ones who survive this new era.

Introduction

In 2025, the global geopolitical balance is shifting. Economic Coercion has become a core strategy for many governments aiming to secure competitive advantages that will define their economies for the next 50 years.

While governments are playing this game, the impact is felt by the real targets – businesses and commercial operations — particularly those in technology, critical infrastructure, and those with global supply chains. From China’s export bans on rare earth minerals to U.S. semiconductor restrictions, Economic Coercion is no longer abstract: it’s hitting balance sheets and boardrooms in real-time.

If you’re a senior executive, ignoring this reality is like leaving your front door open during a storm. So, how do you protect your business from becoming collateral damage?

The Playbook of Economic Coercion

Economic Coercion is the strategic use of trade restrictions, investment controls, and export regulations to force political or commercial outcomes. Think of it as geopolitics in a suit and tie.

The Top Targets:

  • Technology & Semiconductors (e.g. U.S. export controls on chips to China)
  • Agriculture & Food Supply Chains (e.g. Australian wine and barley, frequently susceptible due to the perishable nature of many products and difficulties finding alternative markets quickly)
  • Critical Minerals & Energy Infrastructure (e.g. China’s dominance in rare earths)
  • Biotechnology & Research Commercialisation (e.g. IP theft and data manipulation)
  • Financial Services (e.g. exposed to sanctions and currency manipulation)
  • Tourism (e.g., targeted through restrictions on group tours to specific countries)
  • Higher Education (e.g. Universities reliant on foreign students are vulnerable to geopolitical and economic shocks, as well as rapid changes in consumer sentiment)
  • Critical Infrastructure (e.g. critical component and part supply chains)
a barley field, agriculture is one of many industries subject to economic coercion.
Photo by Tetyana Kovyrina on Pexels.com

Industries particularly vulnerable to economic coercion often exhibit these factors:

  • Raw materials – Industries dealing with raw materials are often heavily affected by coercive measures
  • Strategic industries – Sectors with strong political lobbies in the targeted country are often chosen for coercion.
  • Niche, high-value products – Industries producing specialised goods where consumer tastes can change may face longer-term impacts from temporary market losses.
  • Industries dominated by a single country or region – Sectors where one nation has significant market dominance are more susceptible to coercion.

The Risks to Your Business

Economic Coercion isn’t just about tariffs and sanctions. It’s about supply chain fragility, intellectual property theft, and regulatory traps that can cripple your operations overnight.

Under Australia’s Security of Critical Infrastructure Act Supply Chain Hazard Rules, businesses are now required to assess the availability of critical components from offshore suppliers. Why? Because relying on a single region for critical components (e.g. critical spare parts) leaves you vulnerable to coercive tactics.

Other ways Economic Coercion may materialise as risks in your business include:

  • Supply Chain Disruption: Losing access to essential components from key international markets.
  • IP Theft & Insider Threats: Your R&D data becomes a geopolitical bargaining chip.
  • Regulatory and Compliance Nightmares: Sanctions and opaque foreign investment laws are applied to your business or its products and services.
  • Market Access Loss: Being locked out of key export markets, either directly or indirectly.

What You Can Do About It

In this environment, waiting to react is a losing strategy. The key to survival is monitoring your strategic environment, identifying risks early, and making decisions while you still have the advantage — not when you’re already vulnerable.

So, what should your playbook include?

  • Diversify Your Supply Chains: Reduce dependency on single-source offshore suppliers. Consider nearshoring and local partnerships.
  • Lock Down Your IP and Trade Secrets: Strengthen insider threat programs, trade secrets and IP protection programs (including in your supply chain and with collaboration partners) and cybersecurity controls.
  • Enhance Regulatory Compliance: Stay ahead of foreign investment rules and export controls.
  • Build Strategic Intelligence Capabilities: Monitor geopolitical developments to identify risks before they hit your balance sheet.
  • Capture New Markets Before Competitors Do: When others are stuck in a vulnerable market, pivot to diversified regions.

The Competitive Advantage of Intelligence

In this new era of geoeconomic fragmentation, good intelligence is good business strategy.By tracking geopolitical shifts and understanding which markets are at risk, executives can make smarter investment decisions, secure critical supply lines, and gain market share while competitors are distracted or trapped by coercion tactics.

Those who act early will not only avoid becoming victims but position themselves as leaders in emerging markets and technologies. Want tips on where to start? Well, read start with this article:

Using strategic early warning for advanced notice of emerging threats and geopolitical risks

The Bottom Line

In 2025, geopolitical risk is now a business risk. If you’re leading in tech, agriculture, or critical infrastructure, you’re already on the frontline.

The question is: are you ready to protect your business from the next wave of Economic Coercion?

Would love to hear from others in the trenches — how is your business adapting?

Further Reading

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Hiring From Competitors? You Could Be One Lawsuit Away from a Legal Nightmare

Posted on by

Paul Curwell

6–9 minutes

Key Points: When hiring talent from competitors, IP contamination is a serious issue that businesses need to be aware of.

  • Hiring from competitors can expose your business to trade secret theft accusations, IP contamination, and legal battles.
  • Employees bringing proprietary knowledge may fast-track product development—but also invite lawsuits and reputational damage.
  • Companies must implement robust safeguards like due diligence, clear policies, and compliance monitoring to avoid costly mistakes.

Let’s be real. Hiring someone from your competitor can feel like finding a golden ticket: instant industry expertise, insider knowledge, and maybe even a shortcut to commercial success. But before you pop the champagne, you need to ask yourself one question—is it worth the risk?

Hiring from competitors opens the door to trade secret theft and IP contamination, and trust me, it can end in a full-blown legal disaster. I’ve seen it myself, when an ‘almost patent ready’ research team left for a competitor, only to lead to a years’ long legal dispute.

Still unconvinced? Many companies find themselves locked in a battle over trade secrets that could cost millions. We’re talking about lawsuits, reputational damage, and legal fees that most businesses can’t afford, especially if you’re just starting out.

Unfortunately, when it comes to IP theft, it doesn’t matter if you were trying to play fair—the courts will still come knocking. So before you make that tempting job offer to a new candidate, let’s dig into why hiring from competitors can backfire—and what you can do to protect your business from a lawsuit.

The Ugly Truth: Risks of Hiring From Competitors

It’s not just about bringing someone on board with great skills—it’s about what they bring with them. Spoiler alert: It could be someone else’s trade secrets. Here’s how that can go south:

1. Trade Secret Misappropriation Accusations

Okay, so maybe you’re not actively stealing trade secrets. But what if your new hire is? If they bring over confidential files, customer lists, or proprietary research, you could face accusations of misappropriation—and that’s a legal nightmare waiting to happen.

Take one case recently settled in the US courts: The MedTech plaintiff accused the defendent of allegedly using stolen trade secrets to fast-track their product development (see below for Court record). The U.S. District Court of Central California found in favour of the plaintiff in 2024, ordering the three defendents to make up for the losses. That’s millions of dollars in legal fees and endless bad press, not to mention stress and anxiety for all involved. All for what?

2. The Discovery Phase: Your Secrets Exposed

Now, let’s talk about discovery in lawsuits. When things hit the fan, courts can force you to turn over sensitive internal documents. Imagine your competitors getting access to your inner workings—for free. What a nightmare!

Not all legal risks come from intentional acts. Sometimes, a new hire might be struggling to keep up, and they bring proprietary knowledge from their previous employer to cover up their lack of skills, hoping not to get found out.

Even if it’s totally unintentional, your company could still be on the hook. The courts don’t care about your good intentions—they’ll care about the fact that you have stolen IP in your possession.

4. Corporate Espionage Anyone?

Here’s where things get really dirty. Some companies actually seek out employees from their competitors to extract trade secrets. If you’re actively hiring to gain a strategic edge, you’re playing with fire. And if you get caught, the penalties are severe: fines, injunctions, and irreparable reputational damage. It’s industrial espionage at its finest—and it’s a game you don’t want to play.

5. Innocent IP Contamination: Blurred Lines

Let’s say you hire an R&D expert or an engineer with years of experience. They come in with great credentials—but are they carrying proprietary knowledge with them? The line between public knowledge and trade secrets is thin. One little slip-up, and suddenly, you’re dealing with IP contamination that could cost you big time. Innocent mistakes can land you in hot water—unfortunately, aren’t forgiving.

6. The “Harmless” Spreadsheet That Could Get You Sued

Sometimes, it’s not the big stuff. It’s the small stuff that gets you caught. An employee transfers an Excel file from their previous employer’s server to yours. Seems harmless, right? Well, if that file contains proprietary data—you’re responsible.

7. Non-Compete Breaches: Oops, You Did It Again

Let’s not forget about the non-compete and confidentiality agreements employees sign. If your new hire is bound by these agreements, you could be violating them just by hiring them. Breaching these agreements opens up a whole can of legal worms. In the case referenced above, the defendants allegedly breached confidentiality clauses, and both the employee and the company were dragged through the legal mud.

image of an employee slipping an envelope marked 'trade secrets' into a bag
image of an employee slipping an envelope marked ‘trade secrets’ into a bag

So, now that you know the risks, here’s the big question: How can you hire talent without setting yourself up for a lawsuit?

1. Implement Bulletproof Security Protocols

Don’t wait until after the hire to protect your business. Get your security team involved in the hiring process. Make sure data management policies are airtight, and prevent any transfer of proprietary data—whether intentional or accidental. If your new hire brings over sensitive files, they shouldn’t even make it onto your servers.

Startup Sabotage: A Trade Secret Theft Case Study & How to Protect Your Company

2. Do Your Homework: Due Diligence is Key

Before you sign that offer letter, do a deep dive into the candidate’s previous employment agreements. Look for any potential red flags. Ask questions about their previous job, but don’t solicit confidential information. The goal is to understand their obligations—not to ask them to break their confidentiality.

3. Set Clear Expectations (And Have Them Sign It)

From day one, be crystal clear with your new hire: “You cannot bring any proprietary information from your old employer.” Get them to sign an agreement acknowledging this. This ensures there’s no ambiguity about the rules.

4. Secure Onboarding: Make It Foolproof

Make sure your onboarding process includes training on intellectual property and data security. Set access to sensitive data based on need-to-know principles—because just because someone can access it doesn’t mean they should. And check that they’ve returned all confidential data to their previous employer before starting with you.

5. Teach Employees the Difference Between Expertise and Trade Secrets

Help your employees understand the difference between public knowledge and trade secrets. Training them on this distinction could save you from costly mistakes. When in doubt—don’t share it.

6. Use Technology to Monitor and Protect

In 2025, there’s no excuse for not having Data Loss Prevention (DLP) tools in place. Regular audits, exit interviews, and compliance monitoring should be standard. If you’re not keeping track, you’re asking for trouble.

The Bottom Line: Hire Smart, Protect Your Business

Hiring from competitors can be an amazing strategic move—but only if you do it the right way. Don’t let the allure of quick talent cloud your judgment. If you’re not careful, a single wrong hire could lead to a lawsuit that costs millions.

So, let me ask you: Are you ready to hire the next big thing—or are you setting yourself up for a legal nightmare?

What steps are you taking to protect your business from IP contamination and trade secret theft? Drop your thoughts below. Let’s chat!

84-microventionDownload

Further Reading:

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Evil Twin Attacks: A Hidden Threat to Your IP and Data Security

Posted on by

Paul Curwell

5–8 minutes

Key Takeaways

  • Evil twin attacks use fake WiFi networks to steal sensitive business data, including Intellectual Property and Trade Secrets
  • Common targets include airports, R&D facilities, and office buildings
  • Proper security measures can protect your intellectual property
  • Recent cases show increasing sophistication of these attacks

Understanding Evil Twin WiFi Attacks: A Growing Cybersecurity Threat

In our increasingly connected business world, WiFi has become essential for daily operations. However, this convenience comes with risks – particularly the sophisticated cyber threat known as an “Evil Twin” attack. These attacks specifically target businesses to steal trade secrets and intellectual property through seemingly innocent WiFi connections.

What Is an Evil Twin Attack?

An evil twin attack occurs when cybercriminals create a fraudulent WiFi network that mimics a legitimate one. This malicious network looks identical to real networks, often using names like “CompanyGuest” or “FreeAirportWiFi.” Once users connect, attackers can:

  • Monitor all internet traffic
  • Steal login credentials
  • Capture sensitive business data
  • Access proprietary information
  • Intercept confidential communications
modern wireless router with antennas
Photo by Jakub Zerdzicki on Pexels.com

How Evil Twin Attacks Work: Technical Breakdown

Evil Twin attacks are pretty simple to establish, which makes them all the more problematic. Its easy to obtain the required equipment and knowledge to successfuly setup an Evil Twin and start harvesting your data. These attacks follow a systematic approach:

  1. The attacker creates a clone network with identical or similar names to legitimate networks
  2. They boost signal strength to override legitimate connections
  3. Users unknowingly connect to the malicious network
  4. Attackers capture unencrypted data and communications
  5. In advanced cases, they inject malware into connected devices

Primary Targets: Who’s at Risk?

In my experience, there are two main groups of perpetrators who execute evil twin attacks:

Opportunistic Criminals – these are criminals who take advantage of user’s poor security awareness for their own financial gain. They generally run an Evil Twin for a bigger purpose, such as:

  • Stealing personal and financial information, either to perpetrate fraud themselves or for resale to other criminals
  • Deploying malware for device compromise, moving them up the value chain into potentially more lucrative crimes
  • Often targeting the general public for high volume attacks

Professional Intelligence Collectors (PICs) – these are experts who specialise in collecting IP, either for auction on the darkweb or according to a customer’s order (such as your competitor). PICs:

  • Specifically target business intellectual property
  • Operate sophisticated operations
  • Sell stolen data on dark web markets
  • Are often undetectable without specialised security teams

High-Risk Locations for Evil Twin Attacks

Locations that are most likely to be targeted for Evil Twin attacks depend on the hacker’s motive and intended target. Three of the most at-risk locations for these attacks are R&D facilities, corporate offices, and airports.

R&D Facilities and Office Areas

By their nature, Research and Development facilities are inherently attractive targets for PICs, possibly more so than offices. They face particular risks due to:

  • A high concentration of valuable intellectual property
  • Regular network access needs by employees and equipment, such as IoT devices and other Operational Technology
  • The possibility of multiple entry points for attackers
  • Potential for long-term data compromise, which can severely impact a competitor’s strategic advantage and R&D pipeline if information is breached and published prior to filing a patent application.
Photo of a corporate R&D facility
Photo by Pixabay on Pexels.com

Airports and Travel Hubs

In contrast to business premises, its much harder to target specific individuals or groups using airports and travel hubs. This is why these locations are more likely to be associated with opportunistic criminals (except for airline business lounges). Business travelers face increased risk because:

  • Time pressure leads to hasty network connections
  • Multiple legitimate-looking network options exist, and users have no clear guidance on what networks can be trusted or are legitimate
  • High concentration of business professionals, who are often rushing to catch up between flights
  • The need for regular need for internet connectivity, especially when consuming voice or video data during a layover

Information is harvested in bulk at these locations, and then likely categorised based on how it may be used. From what we know about how illicit markets operate, it is likely that business information such as IP and Trade Secrets may be sold and re-sold numerous times until it reaches an interested party.

Real-World Example: Australian Airport Attacks

In 2024, Australian authorities arrested a 42-year-old man for conducting evil twin attacks across multiple airports. The perpetrator:

  • Targeted major airports in Perth, Melbourne, and Adelaide
  • Created fake networks mimicking legitimate airport WiFi
  • Operated attacks during flights
  • Was caught after airline staff detected suspicious activity

This real-life example demonstrates that Evil Twins are happening, and that they are relatively easy to setup and operate. This example was only identified by chance with an observant airline employee – just think of how many similar environments are setup around the world and have gone completely unnoticed.

brown haired man using laptop computer in an airport
Photo by Andrea Piacquadio on Pexels.com

Preventative Measures for your Business: A 3-Step Protection Strategy

In my experience, there are three core things that businesses need to do to mitigate the risks of Evil Twin attacks and to practice good information security hygiene. These are as follows:

1. Employee Security Awareness

I’ve written before that good security awareness and positive security culture is one of the core foundations of a good Trade Secrets Protection program to protect your research and development. Executives and lead researchers, as well as those travelling internationally pose a particular risk as they are both time poor and manage a disproportionately higher volume of confidential information. In practice, this requires the following:

  • Implement comprehensive security training, including regular training on network security
  • Recognition of suspicious networks
  • Proper use of security tools
  • Special focus on traveling employees

2. Active Network Monitoring

This is something your every security team should be doing continously in R&D intensive organisations, whether at head office or in laboratories or manufacturing facilities. Its also important that your suppliers and business partners do this as well. This task requires some basic tools and cybersecurity knowledge as a foundation, but it can also integrate with other cyber threat intelligence and cyber incident monitoring (via tools like a SIEM – a Security Incident Event Management system).

Four fundamental things you need to do are:

  • Regular security sweeps
  • WiFi analysis tools deployment
  • Real-time threat detection
  • Deploy robust monitoring systems
  • Collaboration with security agencies

3. Security Tools and Policies

Another key foundation for good information security is your tools and policies. Gone are the days of writing policies and hoping employees read them. Policies are now implemented via systems and user configurations, and these help ensure your information is optimally protected in a consistent way for every user:

  • Mandatory VPN usage
  • Endpoint security implementation
  • Clear network access policies
  • Network Access Control (NAC) systems
  • Provide secure WiFi alternatives
  • Establish clear security protocols
  • Perform regular securit audits

Protecting Your Business Assets

Evil twin attacks represent a significant threat to business security, particularly for companies with valuable intellectual property. By understanding these risks and implementing proper security measures, organisations can better protect their sensitive data and maintain their competitive advantage.

Remember: Prevention is always less costly than dealing with a security breach. Invest in proper security measures today to protect your business’s future.

Further Reading

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Security Awareness Training: The Key to Protecting Life Sciences from IP Threats

Posted on by

Paul Curwell

4–6 minutes

3 Key Takeaways:

  1. Cyber threats aren’t just a big corporation problem—life sciences Small-Medium Businesses (SMBs) are prime targets for trade secrets theft, fraud, and insider threats. This is why implementing security awareness training is crucial.
  2. A single incident can derail years of research, jeopardise IP protection, and destroy investor confidence in commercialisation efforts.
  3. Security training doesn’t have to be a compliance nightmare—bite-sized, real-world training is key to protecting your supply chain and technology assets.

Your Business Is Sitting on a Data Goldmine—And Criminals Know It

Most founders in life sciences and healthcare are obsessed with research, innovation, and securing funding. If you’re starting or running a business, here’s a reality check: your biggest asset—your intellectual property—is also your biggest liability. This means if you don’t take cybersecurity seriously, you’re rolling out the red carpet for cybercriminals, fraudsters, and insider threats who want a piece of your trade secrets.

Think I’m exaggerating?

  • Healthcare is now the 3rd-most targeted industry for ransomware attacks. The increase in attacks on healthcare organizations was 32% year-over-year from 2023 to 2024 (Black Kite)
  • 29% of life sciences leaders expect cyber risks to escalate in 2025 (Deloitte’s Life Sciences Outlook).
  • An Australian survey found most SMBs can’t even explain the threats they face, yet alone manage them. (ASD ACSC Small Business Cybersecurity Survey).

This isn’t just about data breaches and phishing scams. In 2025, its common to take an exclusively ‘cybersecurity’ view of risk, but if your proprietary research, technology, or supply chain plans leak, you risk losing your competitive edge, damaging investor confidence, and watching years of commercialisation efforts go down the drain. Just look at how your IP is being sold on the dark web.

life science worker at computer

Why Life Sciences Is a Prime Target

Cybercriminals love life sciences for one reason: high-value data. High-value data provides long-term value, unlike stolen credit card numbers (which lose value quickly), stolen research and IP can be exploited for years.

1. Trade Secrets Theft Is a Billion-Dollar Problem

If your groundbreaking research ends up in the wrong hands, don’t expect an apology—expect to see a competing product hit the market before yours. Take the case of GlaxoSmithKline scientist Yu Xue, who stole proprietary drug formulas and attempted to sell them to China. The case led to multiple arrests and billions in potential damages (DOJ, 2018).

2. Insider Threats Are an Expensive Oversight

Not all threats come from anonymous hackers. Sometimes, it’s your own employees, contractors, or research partners. Insider incidents cost companies an average of $16.2 million per breach in 2023 (Ponemon Institute). Without the right controls in place, your R&D data is only one disgruntled employee away from disaster.

You might have top-notch cybersecurity, but what about your third-party vendors? A single compromised partner can expose your entire operation. Just ask Merck, whose supply chain was infiltrated by the NotPetya malware, causing $1.4 billion in damages and disrupting vaccine production (Insurance Business, 2024).

These risks highlight the urgent need for strong security awareness training and a positive security culture. It’s not enough to rely on technology alone—your employees, partners, and suppliers must understand the threats and know how to respond. A well-trained workforce can act as a frontline defense against cyberattacks, reducing the risk of human error and insider threats.

The Fix: Smarter Security Training (Without the Snoozefest)

I get it. You didn’t start a biotech company to spend hours in cybersecurity workshops. But here’s the thing: your team is your first line of defence. And most breaches? They happen because of human error.

How to Make Security Training Work:

  • Keep it short & frequent – No one remembers an annual compliance webinar. Bite-sized, regular training (think 5-minute refreshers) sticks better.
  • Make it real – Forget vague “cyber hygiene” talks. Use real case studies (like the GlaxoSmithKline case) to make lessons hit home, and link it to your information protection program.
  • Make it personal – People care when they are at risk. Show how security mistakes can impact their pay, data, and job stability.
5 tips for enhancing security awarenesss training in your business - paul curwell

The Bottom Line: Cybersecurity Is an Investment, Not a Cost

If you’re serious about protecting your research, IP, and funding, security training needs to be as essential as your next investor pitch.

What to Do Next:

  • ✅ Review your security training program—does it actually work?
  • ✅ Audit your supply chain partners for security gaps.
  • ✅ Implement controls to detect insider threats before they happen.
  • ✅ Stop treating cybersecurity as an IT issue—it’s a business risk.

The choice is yours: invest in security now or pay the price later. Which will it be?

Further Reading

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

The Great Tea Heist and the History of Trade Secrets Theft in Business

Posted on by

Paul Curwell

4–6 minutes

Key Takeaways:

  1. Industrial espionage isn’t new—Britain’s theft of China’s tea industry in the 19th century reshaped global trade and created a multibillion-dollar industry.
  2. Trade secrets are still a battleground, with modern businesses losing billions to intellectual property (IP) theft, insider threats, and supply chain vulnerabilities.
  3. Today’s equivalent of the tea heist? Technology, critical minerals, and research data are the new targets—protecting them is crucial for business survival.

A Cup of Stolen Tea? How Britain Pulled Off the Ultimate Business Heist

Let me tell you a story. Imagine a business so dominant that it controls an entire industry. Now imagine a competitor that, rather than playing fair, decides to steal that dominance outright. That’s exactly what happened in the 19th century when Britain, desperate to break China’s monopoly on tea, pulled off one of the greatest acts of industrial espionage in history.

At the time, tea wasn’t just a luxury—it was a financial nightmare for Britain. The British Empire’s addiction to Chinese tea was draining silver reserves at an unsustainable rate. Their solution? Instead of buying, they decided to steal the industry for themselves.

Enter Robert Fortune, a Scottish botanist turned corporate spy. The British East India Company sent him on a covert mission into China’s restricted tea-growing regions. Disguised as a Chinese merchant, he infiltrated plantations, smuggled out 20,000 tea plants and seeds, and stole the trade secrets of tea cultivation and processing. He even recruited Chinese tea workers to train Indian growers. The result? Britain broke China’s monopoly, devastated its economy, and transformed India into a tea-producing powerhouse.

Sound familiar? Fast-forward to today, and the tactics haven’t changed—just the targets.

The Modern Tea Heist: Stealing Trade Secrets in the Digital Age

Businesses today face the same problem China did back then. Your company’s most valuable assets—technology, research, IP, and supply chain secrets—are prime targets for theft. And the numbers are staggering.

  • The FBI estimates that trade secret theft costs the U.S. economy up to $600 billion annually.
  • A 2023 report found that 1 in 5 companies experienced insider-led IP theft.
  • Supply chain attacks surged by 742% over the past three years, often targeting critical technologies.

The playbook hasn’t changed. Instead of a botanist sneaking into tea fields, today’s Fortune equivalents are cybercriminals, corporate spies, and even nation-states hacking into your servers or bribing insiders for access to trade secrets.

The British East India Company stole one of China's most valuable assets, tea, and the trade secrets of how to make and grow it.
Photo by koko rahmadie on Pexels.com

Business Lessons from the Great Tea Heist

What can today’s business leaders learn from China’s 19th-century failure to protect its most valuable industry? Plenty. Here are three crucial takeaways:

1. Your Trade Secrets Are Only Safe If You Treat Them Like They Matter

China assumed its tea knowledge was secure because no outsider had ever learned it. Sound familiar? Many companies think their proprietary research or technology is untouchable—until it’s not.

What to do: Conduct regular Intellectual Property audits. Identify what’s critical and who has access. Lock it down with proper IP protection measures, access controls, and NDAs.

2. Insiders Are Often the Biggest Threat

Robert Fortune didn’t just steal tea plants—he recruited Chinese tea workers to teach the trade. The lesson? Most major IP thefts involve an insider, whether malicious or careless.

What to do: Implement strong insider threat programs. Use behavioral monitoring and train employees on the risks of inadvertent leaks. Background checks and controlled access to critical information are non-negotiable.

3. Your Supply Chain Is rich pickings for Attackers

Just like Britain moved tea production to India, today’s business adversaries target weak links in your supply chain. Cyberattacks, supplier breaches, and third-party fraud are all major risks.

What to do: Vet your suppliers as if your business depends on it—because it does. Require cybersecurity and IP protection standards across your supply chain. Don’t assume your partners are as secure as you are.

How can Insider Threats manifest in the Supply Chain?

The New Battle for Trade Secrets: What’s Next?

In 2025, the stakes are even higher than tea. Instead of just breaking a monopoly, modern industrial espionage fuels global power struggles over artificial intelligence, critical minerals, pharmaceuticals, and next-gen military technology.

The lesson from the Great Tea Heist? If you don’t secure your trade secrets, someone else will.

Call to Action: How to Protect Your Business Today

You wouldn’t leave your company’s bank account details lying around, so why treat trade secrets any differently? Here’s what you should do today:

  • Identify your most valuable trade secrets and IP.
  • Implement strict access controls and insider threat monitoring.
  • Vet your supply chain partners and enforce security requirements.
  • Monitor for suspicious activity—whether online, internally, or through competitors.
  • Educate your team on the importance of protecting confidential information.

In the 19th century, China learned the hard way that trade secrets don’t protect themselves. Don’t let history repeat itself on your watch.

Final Thought

Britain’s tea heist wasn’t just about plants—it was about power. Today, the businesses that protect their IP, research, and supply chains will be the ones that thrive. The question isn’t whether someone will try to steal your most valuable assets. The question is: Are you ready for them?

Let’s talk—what are you doing to protect your business from the modern-day tea thieves?

Further Reading

Curwell, P. (2022). How can insider threats manifest in the supply chain.

Curwell, P. (2022). Australia’s critical technology and supply chain principles, Part 1.

Curwell, P. (2022). What is an IP audit anyway?

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Startup Sabotage: A Trade Secret Theft Case Study & How to Protect Your Company

Posted on by

Paul Curwell

4–6 minutes

Key Takeaways

  • Trade Secret Theft is a Real Threat: One case shows how a former employee’s actions can put sensitive company information at risk.
  • “Need to Know” is Paramount: Access to confidential information like Trade Secrets should be strictly controlled based on role necessity.
  • Access Controls are Essential: Implementing technical controls can prevent unauthorised access to your Trade Secrets.
  • Prevention is Cheaper Than Cure: Investing in cybersecurity and information security measures upfront can save companies from costly legal battles and financial loss.

The Case: A Cautionary Tale

Imagine your company’s most valuable secrets walking out the door—your proprietary technology, customer lists, financial projections—all in the hands of someone who no longer works for you. That’s what allegedly happened in one recent case, a cautionary tale of trade secret theft.

The plaintiff was a promising biotech startup focused on automating biotech R&D. Like many startups, they needed funding, so they allegedly hired a CFO who claimed to have connections with a Stanford professor who could help secure investment. As part of the onboarding process, the CFO signed a confidentiality agreement. Standard practice, right?

Fast forward: The CFO allegedly didn’t deliver, and the company let him go. That’s when things took a turn.

Immediately after his termination, the former CFO allegedly accessed sensitive company data. Using desktop programs, the Complaint (see below) alleges he copied proprietary documents and trade secrets to his personal cloud storage. He then allegedly started a competing company and pitched investors using Trilobio’s stolen IP.

The plantiff sued, and the court granted a Temporary Restraining Order (TRO), agreeing that there was a strong likelihood that the theft occurred. The case is ongoing, but the damage is done. So what can we learn from this?

The “Need to Know” Principle: Why It Matters

Let’s be real—many startups operate on trust. But trust doesn’t prevent insider threats. The “need to know” principle dictates that employees should only have access to the data required for their specific job functions.

Here’s why it’s essential:

  • Reduces insider threats: If employees don’t have access to sensitive data they don’t need, they can’t steal it.
  • Minimises external attack risk: Fewer access points make it harder for hackers to infiltrate your systems.
  • Enhances compliance: Many regulations require strict data access controls.

In the plaintiff’s case, did the CFO need access to detailed engineering schematics? Unlikely. Had the company applied “need to know” principles, could the damage could have been prevented?

Access Control: Putting “Need to Know” into Practice

To apply this principle, businesses must implement access controls. Here’s what that looks like:

1. Role-Based Access Control (RBAC)

Assign permissions based on job roles (e.g., Engineers don’t need access to financial data, and CFOs don’t need access to proprietary hardware designs). This is the best approach for SMBs.

2. Access Control Lists (ACL)

Specify which users or groups can access specific files or databases. Useful for more granular control but can become complex.

3. Information Protection Program

Classify data as Confidential, Internal, or Public (or similar) and apply technical controls accordingly – see below. You might also want to read my previous article on how confidential information is compromise.

How is confidential information compromised?

4. Technical Controls to Implement

  • Multi-Factor Authentication (MFA): Essential for protecting sensitive accounts.
  • Least Privilege Principle: Give employees the bare minimum access needed.
  • Regular Access Reviews: Audit permissions periodically and remove unnecessary access.
  • Data Loss Prevention (DLP) Tools: Prevent unauthorised data transfers.
  • Endpoint Detection and Response (EDR) Software: Monitor and prevent data exfiltration.
  • Data Encryption: Ensures that even if stolen, the data remains unreadable.

Had the plaintiff restricted access and implemented controls like these, it would have been much harder for the CFO to (allegedly) exfiltrate sensitive files so easily. Perhaps this reputational damage and legal fees could have been avoided, or at least minimised, and the founders could have got on with core business.

Practical Steps for Founders & Business Owners (Your Call to Action)

Here’s what you need to do today to avoid becoming the next victim:

  • Conduct a Data Audit: Identify and classify your most sensitive data.
  • Implement Role-Based Access Control: Define and enforce job-based permissions.
  • Require MFA and Strong Passwords: No exceptions.
  • Educate Employees: Train staff on cybersecurity risks, phishing, and data security.
  • Encrypt and Back Up Your Data: A must-have in case of breaches.
  • Develop an Incident Response Plan: Know how to respond if a breach occurs.
  • Review and Update Security Policies Regularly: Security isn’t a one-time fix.
  • Consider Cyber Insurance: Mitigate potential financial losses.

Startups and SMBs are prime targets for trade secret theft. If you think it can’t happen to you, think again. Implementing access controls and information security measures is not optional—it’s essential for survival and growth.

If you’re in knowledge-intensive industries like DeepTech, Life Sciences, MedTech, Biotech or Digital Health, don’t wait until a former employee walks off with your IP. Take action now and protect what you’ve built.

Further Reading

Trilobio-TRO-Order ComplaintDownload

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech

Posted on by

Paul Curwell

5–7 minutes

Trade Secrets theft happens more than you realise

In the fast-paced world of biotechnology, where innovation fuels growth and shapes the future, protecting intellectual property (IP) is paramount. Trade secrets are proprietary processes, formulas, or methods. These give your business its competitive edge. They are among the most valuable assets a biotech company possesses. Yet, they are also among the most vulnerable.

Reflecting on my career, I’ve seen countless examples of trade secrets theft. These experiences highlight the risks faced by even the most sophisticated organisations. In one case, a competitor poached key researchers from an Australian biotech company. This enabled the rapid commercialisation of nearly patent-ready research.

In another instance, an Australian company partnered with an overseas firm to scale its business. They later discovered that their partner had a history of research fraud and IP theft. Perhaps most alarmingly, a principal researcher secretly established an offshore company. They aimed to commercialise their employer’s innovations. This action violated both employment and grant conditions.

These stories aren’t just cautionary tales; they’re a call to action. The risks to trade secrets in Australia’s life sciences sector are significant, but they are not insurmountable. With the right strategies and a proactive approach, companies can protect their innovations and ensure their long-term success.

The Challenges of Protecting Trade Secrets in Australia

The United States, United Kingdom, and European Union have dedicated trade secrets legislation. However, Australia’s legal framework relies heavily on common law. There are laws to criminalise the theft of trade secrets on behalf of foreign governments or their agents. However, these measures are insufficient in deterring determined actors. The complexity and persistence of threats demand more robust protections.

Historically, Australian biotech companies have relied on legal instruments like employment contracts. They also use IP assignments and confidentiality agreements to manage IP risks. While these are necessary, they’re no longer enough to counter sophisticated adversaries. Recognising this, organisations like the Australian Research Council, National Health and Medical Research Council, and the Australian Security Intelligence Organisation have launched initiatives to address these issues. One such initiative is the ‘Protect Your Research’ campaign, which aims to raise awareness and enhance research security.

Never heard of Research Security? Why safeguarding your research today is critically important

Despite these efforts, the biotech sector faces unique vulnerabilities. Cyberattacks, insider threats, and accidental disclosures are just some of the ways trade secrets can be compromised. Ill-considered presentations at conferences can also lead to compromise. The rise of remote work and international collaborations has only amplified these risks, creating new entry points for malicious actors.

The Importance of Trade Secrets

Trade secrets are more than just business assets; they are the lifeblood of innovation. They encompass anything from proprietary methods and formulas to draft patents and confidential data. Once a trade secret is compromised, it’s lost forever. Worse still, stolen trade secrets often end up on the dark web. There, they’re brokered between competitors, criminals, and even nation-states.

For biotech companies, the stakes couldn’t be higher. A single breach can derail years of research, jeopardise funding, and tarnish reputations. Protecting trade secrets isn’t just about risk management; it’s about ensuring the survival and growth of the business.

Five Steps to Safeguard Your IP

To combat the specter of trade secrets theft, organisations must take a proactive and comprehensive approach. Here are five key steps every biotech company should consider:

1. Identify Your Trade Secrets

The first step in safeguarding trade secrets is knowing what they are. Conduct a thorough review of your organisation to identify data and processes that meet the trade secret definition. These might include draft patents, proprietary research methods, or experimental data. Once identified, ensure these assets are appropriately labeled, tracked, and protected.

2. Assess the Risks

After identifying your trade secrets, evaluate the risks associated with their exposure. This includes both cybersecurity risks—such as vulnerabilities in IT networks—and physical risks, like the mishandling of prototypes or documents. Don’t forget to consider risks posed by third parties, including suppliers, contract manufacturers, and clinical trial service providers. Develop a risk register to catalog these vulnerabilities and prioritise actions to mitigate them.

3. Foster a Strong Security Culture

People are often the weakest link in any security strategy, but they can also be your greatest asset. Building a strong security culture is essential. This starts with leadership setting the tone and includes ongoing education for employees and suppliers. Ensure that everyone understands what trade secrets are, why they matter, and how to protect them. Regular training, clear communication, and an engaged workforce can significantly reduce insider threats.

6 steps to improving security and integrity culture in the workplace

4. Develop a Research & Technology Protection Plan (RTP-P)

A Research & Technology Protection Plan serves as a blueprint for safeguarding your intellectual “crown jewels.” It should outline roles and responsibilities, as well as specific controls for cyber, data, workforce, facilities, suppliers, and products. If you don’t have a RTP-P, start small by focusing on high-impact actions. Importantly, an RTP-P shouldn’t be a static document; it needs to be actively implemented and regularly updated.

5. Actively Manage Risks

Protecting trade secrets is not a one-time effort. It requires ongoing attention and adaptability. Assign a dedicated individual or team to oversee trade secret protection. This includes responding to incidents, managing evolving risks, and providing practical recommendations to minimise exposure. Regular reviews and updates are essential to ensure that your strategies remain effective as your business grows and changes.

A Call to Action

In 2024, Australia’s biotech sector is at a critical juncture. As the industry continues to grow and attract international attention, the importance of protecting trade secrets cannot be overstated. Implementing effective systems, processes, and cultural practices is essential for safeguarding IP. It’s also about fostering innovation. It plays a crucial role in attracting investment and securing a competitive edge.

Protecting innovation is everyone’s responsibility. Let’s work together to create a biotech ecosystem where great ideas thrive and remain secure.

202411 AusBiotech Journal_CurwellDownload

So, how prepared is your organisation? Take a moment to evaluate your trade secret protection strategies. Share this article with your team. Begin a discussion about the steps you can take to safeguard your most valuable assets. By prioritising trade secret protection today, you’re investing in the future success of your business and the broader biotech industry.

    Further Reading

    DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Safeguarding Your IP from Insider Threats: Insights from ADSTAR 2024

    Posted on by

    Paul Curwell

    4–7 minutes

    2024 Australian Defence Science, Technology, and Research Conference (ADSTAR)

    On 18 September 2024, I had the privilege of speaking at the Australian Defence Science, Technology, and Research (ADSTAR) Conference, where I discussed one of the most pressing issues facing research-intensive industries: the persistent and evolving threats to intellectual property (IP) and critical information assets from trusted insiders. Here, I expand on those talking points and provide actionable insights for anyone looking to safeguard their innovations in today’s high-stakes environment.

    Understanding the Threat: The Many Faces of IP Theft

    A recent U.S. congressional study outlined seven primary ways IP is stolen in the biotech sector. While each of these seven ways are concerning, two stood out to me as particularly pervasive: trusted insiders and cyberattacks.

    A colleague of mine works in a dark web intelligence firm and recently shared a sobering statistic: on a single day, over 2,000 unique IP assets were up for auction on dark web marketplaces. These assets ranged from trade secrets to proprietary research, stolen by trusted insiders, business partners, intelligence practitioners, and cybercriminals.

    The sheer volume of stolen IP underscores the importance of vigilance. No organisation is immune, and the risks are particularly acute in industries where innovation is both rapid and critical. These are not abstract threats; they are happening here in Australia. Consider the following real-world examples of how these can manifest in your business:

    • Talent Grabbing: Competitors lure away key personnel, taking proprietary knowledge with them.
    • Dodgy Business Partnerships: Collaborations with foreign partners reveal hidden histories of IP theft.
    • Conflict of Interest: A principal researcher secretly commercialises their employer’s research through an undeclared side business.
    • Family Ties Gone Wrong: A contract manufacturing organisation leaks proprietary data through a relative running a competing business.
    • Infiltration by Activists: Issue-motivated groups gain employment in industries like mining, targeting sensitive operations.

    A common misconception is that Australia’s geographic isolation somehow shields it from global IP theft. This couldn’t be further from the truth. Whether through cyberattacks, insider threats, or international collaborations gone awry, Australian organisations are just as exposed as their global counterparts.

    These scenarios highlight the multi-faceted nature of threats to IP. Whether the risk stems from negligence, malice, or opportunism, the result is the same: compromised assets and diminished Australian competitiveness.

    Managing the Risks: Five Steps to Safeguard Your Research and Technology

    Protecting your IP doesn’t have to be overwhelming. In my view, there are five foundational steps you need to do to get started:

    Identify Your Critical Assets

    • Begin by cataloguing what you want to protect. This includes digital and physical information such as personal identifiable information (PII), trade secrets, prototypes, and classified government data.

    Assess Risks to These Assets

    • Map out vulnerabilities across all domains: cyber, physical, personnel, and suppliers. Recognise that risks often overlap, creating complex attack vectors.

    Build a Strong Security Culture

    • Your workforce can either be your weakest link or your strongest defence. Invest in awareness programs and foster a culture where security is a shared responsibility. Leadership must set the example.

    Develop your Research & Technology Protection Plan (RTP-P)

    • A RTP-P is your roadmap to protecting IP. Include actionable measures for onboarding and offboarding employees, managing supplier relationships, and securing data, facilities, and products. Start small, prioritise, and evolve over time.

    Actively Manage Your Security Framework

    • Don’t treat your security plan as a “set-and-forget” exercise. Assign clear roles and responsibilities, conduct regular reviews, and adapt to new threats as they emerge.

    Why a Legal-Only Approach Falls Short

    Many organisations make the mistake of relying solely on legal measures like contracts and confidentiality agreements. While important, these tools only protect against honest people. The harsh reality is that not everyone plays by the rules—particularly when dealing with international partners who may operate under different ethical norms. To truly safeguard your IP, you need a proactive, multi-layered approach that goes beyond legal protections.

    Remember, a best practice is to treat all R&D as a trade secret until patents are granted and published. This approach minimises exposure and ensures your sensitive information remains protected during the development phase.

    How is the security field evolving to mitigate these risks?

    The landscape of IP protection is evolving rapidly, with new threats and technologies shaping how organisations respond. Here are three trends reshaping the field:

    Convergence of Data for Threat Detection
    Organisations are integrating cyber, physical, and personnel data into unified analytics platforms. By applying advanced threat models, they can generate actionable alerts and respond to risks in real time. Some critical infrastructure sectors are even incorporating drone defence systems into their frameworks.

    Holistic Insider Risk Management
    Insider risk programs now extend beyond traditional background checks. Tools like behavioural analytics and Australia’s own DTEX Systems monitor cyber activities and even social media behaviour to detect anomalies. Future developments could integrate internal fraud detection into these systems.

    Digital Footprinting
    Companies are increasingly examining their employees’ online presence to identify vulnerabilities. This proactive approach includes monitoring public posts, connections, and potential risks stemming from digital exposure. One great Australian solution for this is FiveCast.

    Your Call to Action: The Need for more proactive protection

    The stakes for protecting research and IP have never been higher. Whether you’re a startup founder, a researcher, or a corporate leader, safeguarding your innovations is not just a matter of compliance; it’s a business imperative.

    Take a moment to evaluate your organisation’s current practices. Are you identifying and cataloguing your critical assets? Are your risks mapped and mitigated? Is your workforce engaged in security, or are they an overlooked vulnerability?

    Start the conversation within your organisation. Share this article with your team, and begin building a robust framework to protect your IP. Remember, innovation drives progress, but protection secures its future.

    Further Reading:

    • Defence Science and Technology Group, 2024 Australian Defence Science, Technology and Research Conference, Canberra, www.adstarsummit.com.au

    DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.