Category Archives: Product Protection

AI for Deeptech Startups: Balancing Speed and Security

Posted on by

Paul Curwell

7–10 minutes

Key Takeaways

  1. AI is already deeply embedded in how R&D startups operate—handling analysis, reporting, quality monitoring, and workflows.
  2. But every tool and integration you use—especially if ungoverned—can expose your intellectual property (IP) or sensitive data.
  3. Protection doesn’t mean overengineering—startups can use lean frameworks and smart defaults to stay secure without losing momentum.

You’re already using AI—but are you protecting what matters?

If you’re leading a biotech, medtech, advanced manufacturing, or deeptech startup, AI is probably already hard at work in your business. Whether you’re using your LIMS to track experimental data, automating lab tasks with tools like Zapier or N8N, or generating regulatory reports with ChatGPT, you’re benefiting from AI’s ability to deliver speed, insight, and productivity.

And it’s working. You’re innovating faster, making better decisions, and doing more with fewer resources. That’s exactly what investors and partners want to see from early-stage companies. In 2025, you don’t need a 500-person team—you need smart systems.

But the same technologies accelerating your work can also quietly undermine it. If you’re not actively managing how AI interacts with your intellectual property (IP) and sensitive data, you’re leaving the door wide open for mistakes, leaks, or compliance failures that can stall your growth—or sink your business entirely.

Protecting Your R&D When Outsourcing Rapid Prototyping

How AI Is supercharging R&D-intensive startups in 4 use cases

AI isn’t just hype for small innovators—it’s a practical tool delivering real business outcomes. And unlike larger enterprises that spend millions and deploy large teams integrating AI into legacy systems, deeptech SMBs are cloud-native and agile. That gives you a major edge.

Here’s how I see most small, research-driven teams using AI right now:

1. Data Collection and Analysis

Your scientific and engineering teams are automating the aggregation of experimental results, integrating data from sensors, lab systems, and external research. AI helps clean, normalize, and interpret it all—so decisions can be made in days, not months.

You’re also leveraging AI for literature mining and competitive analysis, giving your team a clearer picture of where to focus and how to differentiate.

2. Continuous Control and Quality Monitoring

Whether you’re a medtech firm tracking calibration drift or a materials science startup checking for outliers, AI is helping detect inconsistencies early. This kind of real-time feedback loop improves reproducibility and protects your reputation with regulators and partners.

3. Reporting and Documentation

Grant milestones, regulatory submissions, investor updates—these all take time. AI-generated summaries, charts, and reports help your team stay compliant and communicative without pulling attention away from the actual science.

4. Workflow and Service Management

Your operations are already automated. Zapier, N8N, and Power Automate are running the back office: scheduling lab time, flagging inventory shortages, tracking project milestones. AI helps orchestrate and optimize these workflows so your team stays productive.

This all adds up to serious efficiency gains. But—and it’s a big but—each of these systems and integrations touches sensitive data or protected IP. And that’s where the real risk creeps in.

Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech

Four AI risks most science and tech startups overlook

These are excellent use cases, but like everything, there are pros and cons. Deeptech’s need to understand how AI tools and use cases can generate downside risk for your business:

1. Trade Secrets Floating in the Open

AI models are great at summarising documents and drafting content. But paste your prototype results or lab logs into an unsecured LLM, and you might be training someone else’s model with your trade secrets.

This isn’t a fringe issue. In 2023, employees of one global tech company accidentally leaked sensitive source code through ChatGPT. They were trying to be efficient—but exposed high-value IP instead.

Case Study 1: Global tech’s ChatGPT Blunder: IP Exposure Through Misunderstanding

In 2023, engineers pasted sensitive source code and internal meeting notes into ChatGPT while trying to solve coding problems. They didn’t realise that public AI tools could store and retain this input.

The result? Confidential trade secrets exposed. The company responded by banning the use of generative AI internally. But the damage was done.

Lesson: If your staff don’t understand how AI tools process and retain information, they may accidentally train someone else’s model with your crown jewels.

Practical actions:

  • Identify what qualifies as a trade secret in your business. Write it down.
  • Turn off chat histories in AI tools or use private models.
  • Avoid pasting raw R&D data or code into consumer AI platforms.

2. Data Leaks Through Automation Tools

Automation platforms like Zapier, Make, and N8N are amazing for productivity—but they’re often invisible to risk and compliance teams. If data is moving between systems without encryption or logging, that’s a blind spot.

One startup had lab results automatically emailed to a shared inbox via Zapier. Harmless? Until one of those emails ends up forwarded to the wrong contact triggering a data breach incident.

Case Study 2: Global tech company’s AI Team Accidentally Exposes 38TB of Data

In another 2023 case, another big tech’s own AI research team uploaded a GitHub repo with an incorrectly configured Azure SAS token. This gave public access to 38TB of internal data—including private research, credentials, and backups.

This wasn’t a cyberattack. It was a configuration error—just one line of code—and it put an entire research group’s IP at risk.

Lesson: Even world-class AI teams can slip up if access controls and cloud permissions aren’t managed carefully.

Practical actions:

  • Audit your integrations quarterly. Know where data is flowing.
  • Limit the exposure of sensitive data in workflows.
  • Apply the same scrutiny to no-code tools as you do cloud providers.
The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know

3. Misconfigured Cloud Environments

Being cloud-native doesn’t mean being secure. Startups often move quickly, spinning up instances, sharing buckets, and adding users without much structure. The result? Sensitive IP and research data sitting in misconfigured storage with public access enabled.

Case Study 3: Biotech’s AI Feature Abused to Extract Genetic Data

Attackers didn’t hack the biotech’s core systems. They reused leaked credentials to log into user accounts and exploited the company’s DNA Relatives feature—powered by AI—to harvest massive amounts of genealogical and genetic data.

The breach wasn’t about a flaw in the AI—it was about poor monitoring and a lack of foresight into how AI-powered features could be abused at scale.

Lesson: AI features can scale risk just as fast as they scale value. You need visibility and governance to keep both in check.

Practical actions:

  • Use native controls like IAM, DLP, and logging in AWS, GCP, or Azure.
  • Review access privileges regularly—especially after staff or contractor changes.
  • Don’t assume your default setup is safe—check it.

4. Regulatory Risk and Data Sovereignty

If you’re collecting personal or regulated data—think clinical trial results, biospecimens, or identifiable research participant data—you’re accountable under privacy laws. And regulators won’t accept “we’re a startup” as an excuse.

Practical actions:

  • Store regulated data in compliance with local data laws.
  • Map where your data lives and who can access it.
  • Delete data you no longer need—less data, less risk.

You Don’t Need an Army—You Just Need a Plan

Information security and data protection doesn’t have to be expensive or complicated. You just need to know what matters most—and build guardrails that suit your size and stage.

That’s why frameworks like SMB1001 exist. Designed for small, R&D-heavy businesses, it gives you a clear path to understanding what’s critical, setting sensible access controls, and documenting how you manage risk—all in a way that supports growth, not bureaucracy.

You don’t need ISO 27001 on day one. But you do need to show investors and partners that your IP and data aren’t flying blind through a tangle of automations and unvetted tools.

The 3 SMB Risk Management frameworks you need to protect your business

Final Thoughts: AI Is Fuel for Growth—If You Protect the Engine

AI is your multiplier. It helps small teams outperform larger competitors, serve customers faster, and bring complex products to market on a startup budget.

But if your trade secrets leak or research data ends up in the wrong hands, that advantage disappears overnight. Worse, you might not even know it’s happened until it costs you a deal, a grant, or a key staff member.

So if you’re using AI—and I know you are—take these three steps now:

  1. Map where your IP and sensitive data live.
  2. Review how they flow through AI and automation tools.
  3. Use a framework like SMB1001 to set practical controls that grow with you.

The best part? Once you’ve got this in place, you’re not just secure—you’re investable, credible, and ready to scale.

Further Reading

  1. ENISA (2023). Threat Landscape Report 2023 – Supply Chain Threats on SMBs
  2. Forbes (2023). Samsung Engineers Leak Confidential Data to ChatGPT
  3. Curwell, P. (2024). Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech
  4. Curwell, P. (2025). The 3 SMB Risk Management frameworks you need to protect your business
  5. Curwell, P. (2025). The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know
  6. Curwell, P. (2025). Protecting Your R&D When Outsourcing Rapid Prototyping

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Protecting Your R&D When Outsourcing Rapid Prototyping

Posted on by

Paul Curwell

5–7 minutes

3 Key Takeaways:

  • Outsourcing rapid prototyping is essential for speed and cost efficiency but poses serious trade secret and IP risks.
  • Real-world cases show that failing to protect your R&D can lead to trade secret theft, fraud, and competitive loss.
  • A proactive strategy—including legal safeguards, secure operations, and ongoing monitoring—can mitigate risks.

Rapid Protyping offers many benefits, but be sure to manage your risk

Outsourcing rapid prototyping is a game-changer for R&D-driven businesses. It accelerates innovation, slashes development costs, and opens doors to specialist skills and cutting-edge tech that would be costly to build in-house. With the global rapid prototyping market projected to soar from $3.33 billion in 2024 to over $21 billion by 2034, it’s clear that more businesses are embracing this approach to stay ahead of the curve. Fixing design flaws early during prototyping can be up to 100 times cheaper than post-release corrections—a compelling reason why prototyping is no longer a luxury, but a business imperative.

Types of Rapid Prototyping Techniques

Common prototyping methods include:

  • Stereolithography (SLA): High-detail resin printing.
  • Fused Deposition Modeling (FDM): Budget-friendly plastic extrusion.
  • Selective Laser Sintering (SLS): Durable powder-based prints.
  • Direct Metal Laser Sintering (DMLS): Precision metal parts.
  • CNC Machining: Subtractive manufacturing for high-strength components.

Each technique has its own supply chain risks, making security considerations essential from the outset.

But here’s the catch—outsourcing means sharing your most valuable assets: trade secrets, proprietary designs, and sensitive R&D data. Whether you’re working with a niche 3D printing firm or a global manufacturing partner, the risk of IP theft, insider threats, or accidental disclosure is real. In fast-moving industries like automotive, biotech, and consumer tech—where time-to-market is everything—balancing speed with security is critical. This article explores how founders can unlock the full potential of prototyping and outsourcing, while putting practical guardrails in place to protect their intellectual property and business viability.

The Need for Outsourcing Rapid Prototyping

Startups and SMEs often lack the in-house capabilities for advanced prototyping. Outsourcing helps by:

  • Cutting costs—no need for expensive machinery or full-time specialists.
  • Providing access to world-class expertise in emerging technologies.
  • Accelerating product development and market entry.

But with these benefits come significant risks. Handing over your prototype means exposing critical trade secrets to external partners—some of whom may not be as trustworthy as they claim.

Example of additive manufacturing used in rapid prototyping
Photo by FOX ^.ᆽ.^= ∫ on Pexels.com

Case Study: IP Theft in Outsourcing

A U.S. medical device startup learned this lesson the hard way. They outsourced prototyping to a foreign manufacturer, only to discover a near-identical product in the market months later. The culprit? Their own supplier, who exploited weak contractual protections to replicate and commercialise the design. The result: financial loss, legal battles, and an irreparably damaged competitive advantage.

Lesson learned? If you don’t protect your trade secrets, someone else will profit from them.

Startup Sabotage: A Trade Secret Theft Case Study & How to Protect Your Company

Understanding IP Protection for Prototypes

Trade Secrets vs. Patents

Patents are great—until they aren’t. They require public disclosure and take years to secure. Trade secrets, on the other hand, remain confidential as long as they are actively protected. Most prototypes fall under trade secrets because early-stage innovation needs secrecy, not immediate disclosure.

Copyright automatically applies to design files and software components. However, international enforcement can be tricky, making additional legal steps essential when working with overseas partners.

Risks Associated with Outsourcing R&D and Rapid Prototyping

The top risks include:

  • Trade secret theft—unauthorised copying or sharing of designs.
  • Copyright infringement—misuse of software and design blueprints.
  • Ownership disputes—who really owns the prototype files and production molds?
  • Loss of core expertise—outsourcing critical R&D can weaken in-house innovation.
  • Reputational damage—a security breach can erode investor and customer trust.

International Considerations for Australian Businesses

Australia’s trade secret and IP laws are predominately enforced via civil means, but overseas is another story, especially if you’re outsourcing to less developed countries. Many jurisdictions have weaker protections, making stolen IP difficult to recover or your IP rights difficult to enforce.

Don’t forget – you actually need to have funds available for any legal dispute. If you can’t afford it, then don’t rely on legal battles and contractual enforcement: A good security program is your friend!

Specific Risks for Australian Businesses

Countries with high rates of IP theft pose unique challenges. Contracts mean little if enforcement is lax. This is why due diligence on foreign partners is just as important as the contract itself.

pexels-photo-20326699.jpeg
Photo by Jakub Zerdzicki on Pexels.com

Steps to Protect Your R&D When Outsourcing

Before Outsourcing

  • Identify and classify critical trade secrets.
  • Research suppliers’ security track records.
  • Assess the legal landscape in the outsourcing country.
  • Perform a security risk assessment to ensure you understand the risks (including supply chain risks and country-specific laws), and what you need to do to manage them.
  • Develop your Research and Technology Protection Program to ensure you understand the risks and know what controls you need to implement in your contractual measures and operational safeguards
How can Insider Threats manifest in the Supply Chain?

Contractual Measures

  • Use watertight non-disclosure agreements (NDAs).
  • Clearly define IP ownership and usage rights in contracts.
  • Specify dispute resolution mechanisms.
  • Include post-collaboration IP return/destruction clauses.

Operational Safeguards

  • Limit access to sensitive data—adopt a need-to-know approach.
  • Use secure data transfer methods (encrypted channels, VPNs).
  • Implement strict version control on prototype files.

Monitoring and Control

  • Conduct regular audits of outsourcing partners.
  • On-site visits to assess security practices.
  • Track prototypes through serial numbering and logging systems.
  • Obtain signed attestations or legally-binding declarations to confirm that all products, materials and designs / data / information have been destroyed or returned on completion of the work.
  • Maintain detailed documentation of all proprietary designs.
  • Register copyrights where applicable.
  • Seek legal counsel in the outsourcing country for enforcement advice.

Conclusion

Innovation thrives on collaboration, but unprotected outsourcing can be a goldmine for IP theft. Trade secrets, fraud, and supply chain risks aren’t hypothetical—they’re real threats with billion-dollar consequences. Protecting your R&D requires a mix of legal safeguards, operational discipline, and continuous oversight.

Want to secure your innovation while staying ahead of the competition? Start by reviewing your outsourcing agreements today—before someone else commercialises your ideas.

Further Reading

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Returns Fraud – a risk for eCommerce companies

Posted on by

Paul Curwell

5–8 minutes

What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

elegant male outfits on dummies in modern boutique
Photo by Andrea Piacquadio on Pexels.com

How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.
Often overlooked, Product Security is fundamental to Product Management

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
6 steps to improving security and integrity culture in the workplace

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Often overlooked, Product Security is fundamental to Product Management

Posted on by

Paul Curwell

6–9 minutes

Products are core to modern business strategy

If you read Ellen Merryweather’s (of Product School.com) post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

  • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
  • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

Increasingly, physical products are incorporating connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services which are transactional, products have a finite lifespan both in terms of their operations (how many times they can be used, or will last) and from a market perspective before they are imitated by competitors, superseeded, or in the case of patented products when the patent expires. This means there is a target window in which to generate Return on Investment.

vehicle headrest monitor
Photo by Mike Bird on Pexels.com

Product security and integrity risks are varied

There are a range of fraud, security and integrity risks which impact products, many of which are specific to products and indusries. If not properly managed, product risks can have material implications on profitability and reputation, including:

  • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
  • Consumer safety / law issues including product safety and product recall
  • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
  • Commercial risks arising from brand damage, competition etc
  • Geopolitical risks – such as trade embargoes, disruptions and material shortages
  • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
  • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
  • After market risks – such as parallel imports, grey market products, resold products etc.

Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in this. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such has tampering to mitigate these and other fraud and security threats.

lake with mountain view
Photo by Ian Beckley on Pexels.com

Inherent risks mean security & integrity has a place in product development

When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples here include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compounds financial loss with additional expenses such as staff handling time.

Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

To properly consider and mitigate these problems, I would argue that starting with a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? This is a 6-stage process that runs from concept to design, prototyping, and market, as illustrated below:

The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

  • Confidentiality – has the ability to keep sensitive information secret
  • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
  • Availability – making sure the product servicable as and when expected

When we think about integrity and products I almost find it easier to think about it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) may be compromised in order to make their products more attractive to buyers:

Supply chain integrity and security: what are the risks? (Part I)

Product Security and Integrity is more than cybersecurity

In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

Prototype product protection: a step by step guide

Security and integrity risks need to factor in pricing decisions

Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates total cost of inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to product but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

So what sort of security and integrity programs might you need to cost?

  • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
  • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
  • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
  • Supply chain integrity and security including distribution frauds, product diversion and returns fraud. Whilst not product security per se, this add to the costs of goods sold
  • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues
black dslr camera on white surface
Photo by Pixabay on Pexels.com

Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply demand factors in the market.

If you didn’t appreciate the importance of managing security and integrity risks inherent in product development and product management, hopefully you will now. As you can see, product risk has brings material considerations that need to be a feature of any product management framework.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Prototype product protection: a step by step guide

Posted on by

Paul Curwell

What is prototyping?

A prototype is a draft version of a product that allows you to explore your ideas and show the intention behind a feature or the overall design concept to users before investing time and money into development” (usability.gov). Prototyping is an essential step in product development as it provides an opportunity to qualify feedback from potential customers, size the market, inform investment and financial decisions, and support go/no-go decisions.

Photo by Karol D on Pexels.com

Not every product idea will be a commercial success, meaning innovators can spend a lot of money on new product development without financial return. Prototyping helps minimise this risk by regular and repeated feedback. The generic product development process begins with the idea (ideation), which leads to development of a Product Definition prior to prototyping. Usability.gov identifies two categories of prototype:

  • Low-fidelity prototypes are often paper-based and without user interactions. They are prepared quickly and are cheaper than high-fidelity prototypes whilst helping potential users understand the product concept and how it might benefit them. Feedback collected from user interviews (customer interviews) should be incorporated into the iterative new product development process to inform the Minimal Viable Product (MVP).
  • High-fidelity prototypes are effectively early models of the future product. They are as realistic as possible with working components, meaning they are often expensive to produce and may require support from the product developer’s supply chain to design and build custom components. The need for custom components may require suppliers to develop their own prototypes and perform custom R&D as a prerequisite for being able to produce their customer’s new product, adding to development timelines and commercial complexity. There may be multiple iterations of high-fidelity prototypes, with latter models being closer to the model which will go into production and on to a product launch for sale.
Photo by Andrea Piacquadio on Pexels.com

How are prototypes vulnerable? What are the risks?

Part of the challenge with protecting prototypes is the need to balance secrecy with feedback. Failure to provide adquate secrecy or protection could mean innovators lose commercial advantage or are usurped by competitors who are faster, more agile and better resourced. However, the flip side of any product is that it needs to be tested and product developers need as much real life feedback as possible, both from customers on whether the product meets their needs and also real-life applications on whether the product solves the problem as intended under realistic conditions.

The inherent risks associated with a prototype are a reflection of how advanced the prototyping activity actually is. At the early stages, risks are primarily associated with information security and personnel security, where leaks or compromises can occur which tip-off the market to what is under development. As prototypes are produced and tested, these risks remain but new risks including physical theft or loss and third party or supplier risks also come into play. The spectrum of risks is illustrating in the following figure and overlaid on the reseach and development process:

(c) Paul Curwell (2022). Prototype Product Protection illustrated: Security risks aligned to the R&D process

Taking steps to ensure legal protections for your Intellectual Property, such as Patents, Copyright or Design Rights are addressed is an important step in prototype protection, but these legal protections are not the sole actions required. Litigation cases can turn into a ‘war of attrition’ with the winner having the deepest pockets, so reliance on a purely legal strategy may not be prudent. Selected security and fraud risks which also need consideration include:

  • Physical theft of the prototype – which can occur during storage, production, transport and field trials.
  • Theft of test data, plans or designs – arising through virtual (cyber) and physical (e.g. paper, human) vectors.
  • Theft or disclosure of pricing and commercial data – this is likely of particular interest to competitors and ‘fast followers’, but potentially also to industry media and investors.
  • Contract Manufacturer agreements – outsourcing may confer less control over your information and who has acess to it. Additionally, there are many examples of contract manufacturers with undeclared conflicts of interest or a lack of integrity who disclose this information to third parties or competitors irrespective of any legal agreements in place.
  • Theft or unauthorised use of tooling, molds etc for production – parts of your supply chain, including contract manufacturers, may use your custom tooling or manufacturing molds intended for developing the prototype for unauthorised manufacturing activities during periods of factory downtime. Tooling agreements which specify ownership of IP, and access control associated with tooling, are essential to manage product diversion risk.
  • Third Parties – many businesses will need to involve their suppliers in prototyping and new product development. This requires providing information, access to designs or prototypes, and go to market plans and timelines, all of which are commercially valuable and potentially market sensitive if the company is publicly listed. Use of external experts including product development specialists, product engineers, graphic or industrial designers, product quality consultants, computer-aided design (CAD) specialists can increase the chance of success. However, the more people ‘in the know’ the greater the opportunity for compromise.
  • Data Management and Information Protection – ideally, much of your product development information will be online rather than paper-based to provider greater control over access, versions, and dissemination. A data management plan incorporating risk-based data security and information protection is essential, and being able to evidence appropriate security and protections can give greater confidence to business angel, venture capital and private equity investors to fund product development.

In addition to these inherent risks, two contextual factors influence your risk exposure, being time and the number of people who are in the know. As with anything you want to keep under wraps, the longer the time you need to keep something secret the more effort required. The quicker you go from ideation to commercialisation, the less the chance of compromise or accidental disclosure. Related to time is the number of people ‘in the know’. Typically, longer product development timeframes mean more people in the know. There is presumably a relationship between the number of people who know and the likelihood of intentional or unintential compromise.

Photo by Senne Hoekman on Pexels.com

Most importantly with prototype protection is that it’s not just the prototype itself which needs protecting: it’s also information pertaining to it, as well as any externally-facing indicators of what you are doing that can tip off competitors which need to be carefully managed.

The prototype threat and risk assessment

Some industries are much more competitive and cut-throat than others, with competition arising not just from business competitors but also nation states. Innovators, research managers and commercialisation teams are often reluctant to talk about security, but according to ‘The report of the Commission on the theft of American Intellectual Property’ (2013), the cost of IP theft in the USA alone is likely to exceed US$300 billion.

The ongoing theft of IP is “the greatest transfer of wealth in history.”

GENERAL KEITH ALEXANDER, Commander of the United States Cyber Command and Director of the National Security Agency

Industries with commercially lucrative or national security applications at the cutting edge of science, technology, engineering and mathematics and some consumer sectors are most likely to be targeted, with targets ranging from applied research through to trade secrets, prototypes and commercial information. Understanding who might be interested in obtaining information about your prototype (‘threat actors’), such as competitors, competitive intelligence collectors, media, and foreign governments, is a crucial first step. A threat assessment can help identify these actors, understand their tactics and level of sophistication (their capability and intent), and provide insights on how they are most likely to target your R&D.

A Risk Assessment complements the Threat Assessment. Risk Assessments look inward and focus on what can go wrong (risks) and what is present to prevent this (internal controls), whilst threat assessments focus on the outside looking in. The bottom line is that every material risk should have adequate control coverage, with the most critical assets (including people, information and physical items) having multiple redundant layers of protection. Threat and Risk Assessments provide a strong foundation for a Prototype Protection Plan.

Photo by Pixabay on Pexels.com

Developing the Prototype Protection Plan

The Prototype Protection Plan (PPP) documents what steps a business will take to protect prototype versions associated with a given new product development project. This plan considers the threats and risks identified through the assessment process (above), and outlines the ‘who, what, when, where, why and how’ of each risk treatment option. The PPP should cover the full spectrum of risks – physical, cyber, information/ IP, personnel (insider threats) and supply chain.

Better practice involves assigning a dedicated security manager for the duration of the project (either full or part-time), whose role includes not only coordinating the overall PPP program but is also able to assess, investigate, evaluate and respond to incidents and potential compromises. Industries where products have rapid product life and profit cycles may also undertake a variety of counterintelligence practices given the level of ongoing scruitiny performed by competitors.

In summary, as outlined in this article protecting your prototype takes effort, however in many cases the benefits from doing so exceed the costs. Failure to properly identify, understand and manage these risks can lead to a loss of market share, future revenue, shareholder returns and brand damage, whilst being overzealous with security can mean your business never gets out of the starting blocks in its product development race. This balance must be carefully managed in prototype security.

Further Reading

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Product security risk assessments for tangible goods

Posted on by

Author: Paul Curwell

State of art – managing fraud and security risk in relation to products

It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.

Photo by Gabriel Freytez on Pexels.com

I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.

Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.

To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.

What satisifies a criminals cravings?

In his research, Clarke found that products commonly targeted by shop lifters in a retail exhibited six attributes which spell the acronym CRAVED, as follows:

  • Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (eg watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
  • Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
  • Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
  • Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
  • Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e wants & needs) here. But if our COVID crisis has taught us anything about supply chains, its that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
  • Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.

Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.

How can we apply the CRAVED construct to manage product risk?

Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.

Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:

Tip 1: Analyse your historical incidents

Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.

TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.

As you start to analyse your historical incident data, ask yourself the following questions:

  • Which product(s) are most commonly targeted? Assuming the Pareto Principle (’80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
  • Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
  • Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
  • How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
  • Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (eg mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the groups specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs], such as a specific organised fraud ring.
  • Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?

Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals

Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.

Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumer’s lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.

In this case, the cost of the reputatation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.

Tip 3: Understand where the product is most likely to be attacked or compromised

For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.

It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.

Further reading:

  • Clark, Ronald V., and John E. Eck. 2016. Crime Analysis for Problem Solvers in 60 Small Steps. Washington, DC: Office of Community Oriented Policing Services. https://cops.usdoj.gov/RIC/Publications/cops-w0047-pub.pdf
  • Clarke, Ronald. 1999. Hot Products: Understanding, anticipating and reducing demand for stolen goods. No. 112 in Police Research Series. London: Home Office. www.popcenter.org

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.