Ransomware Attacks on R&D Companies Explained


3 Key Takeaways:

  1. Ransomware has professionalised: today’s gangs follow an 8-step targeting cycle that looks more like a military operation than a cybercrime.
  2. R&D-intensive companies are prime targets because weak data governance creates exploitable security gaps — and attackers know your research is the fastest route to a big payday.
  3. The financial impact goes far beyond ransom payments — share prices fall, investors back away, and patents can be undermined.

The impact on your business

Ransomware is the digital version of kidnapping. Attackers break into your systems, lock up your data, and demand payment for its release. But unlike old-school kidnappers, they don’t just keep the hostage — they copy it too. For R&D-heavy companies, that hostage is your research pipeline: your trade secrets, trial data, and commercialisation plans.

And here’s the part too many boards miss: the ransom is only the start of the damage.

  • Share price impact: Public disclosures of ransomware routinely knock 3–5% off market cap. One company’s 2023 breach wiped millions in value overnight.
  • Investor attraction: If you can’t prove your research data is safe, investors won’t touch you. Due diligence now treats ransomware resilience like another line in your balance sheet.
  • Time-to-market delays: Every month of R&D delay costs millions in burn and kills first-mover advantage. In pharma, a six-month delay can add $3–6M to costs.
  • Commercialisation risk: Stolen formulas and trial data can create “prior art” that undermines your patents. Translation: your billion-dollar IP is now legally copyable.

Ransomware isn’t just an IT outage — it’s a strategic risk to valuation, market entry, and investor confidence.

Why R&D-intensive companies are vulnerable

Think of your R&D program as a fragile supply chain. Every stage — discovery, trials, data integrity, and commercialisation — depends on governance and control. When ransomware strikes, the weak links show.

Here’s an uncomfortable truth: in R&D-intensive businesses, many ransomware vulnerabilities come not from exotic zero-day exploits but from poor data governance, which flows through into your information security posture. Data governance is not a “tech” term; it is a board-level responsibility. When governance fails, attackers thrive:

  • Unclear ownership and access: If no one owns the data, no one protects it. Attackers love overexposed research folders and outdated VPN access.
  • Failed backups: Governance blind spots mean backups aren’t tested — so the first time you discover they don’t work is during an attack.
  • Misapplied controls: Without proper data classification, security teams guard low-value data while leaving crown jewels exposed.
  • Regulatory exposure: Weak governance makes GDPR, HIPAA, or ISO non-compliance almost inevitable — and regulators don’t accept “we were hacked” as an excuse.
  • Slow detection: Without adequate security monitoring, attackers can sit inside your network for weeks undetected, rehearsing their attack.

Poor governance contributes to a perfect operating environment for ransomware groups. And in R&D-heavy sectors, that means your valuation is basically gift-wrapped for attackers.

Governance is key to protecting your data and its integrity, and to implementing fit-for-purpose security controls against ransomware.

The professionalisation of ransomware in 2025: the 8-step targeting cycle

Forget the old “spray and pray” model, where attackers blasted phishing emails at everyone and hoped someone clicked. That was cybercrime’s stone age: indiscriminate rather than sophisticated, targeted, and selective.

Today’s ransomware gangs are professionals. They behave like organised crime syndicates, following a structured 8-step targeting cycle designed to maximise pressure and payouts:

  1. Target Selection – Industries where data equals enterprise value, such as pharma, biotech, semiconductors, medtech, and advanced manufacturing.
  2. Initial Surveillance – Public sources, leaked credentials, and open servers help attackers map your weak spots.
  3. Final Target Selection – They zoom in on firms with high-value IP, fragile governance, and patchy defences.
  4. Pre-attack Surveillance – Once inside, they quietly watch. Mapping networks, spotting backup systems, and studying user behaviours.
  5. Planning – With insider-level intel, attackers script their playbook for maximum damage and leverage.
  6. Rehearsal – Yes, they practice. In test environments, they run through encryption and data theft to ensure nothing goes wrong on game day.
  7. Execution – Systems are locked, IP is exfiltrated, ransom notes drop. Victims are blindsided; attackers are already two steps ahead.
  8. Escape & Evasion – Logs are wiped, trails covered, backdoors left behind for future profit.
Paul Curwell's 8-step targeting cycle for organised crime

This is not opportunistic crime conducted by pimply teenagers. It’s deliberate, researched, and ruthlessly commercial — closer to an IPO roadshow than a smash-and-grab.

Case studies: when ransomware hit the labs

Perhaps you’re one of the many people I talk to at industry events who is sick of hearing about security. If you need further convincing on the importance of this topic, here are five real-world examples that show how professionalised ransomware plays out:

Company A (India, 2023)
  • Attacker group: ALPHV / BlackCat
  • Success factors: compromised VPNs and stolen credentials; extensive pre-attack surveillance
  • Business impact: 17 TB of data stolen; 3–5% share price drop; $50–62M revenue hit; $3M+ recovery costs
  • IP/patent risk: risk of patent invalidation if leaked data is treated as prior art

Company B (Japan, 2023)
  • Attacker group: unnamed (likely a RaaS affiliate)
  • Success factors: supply chain intrusion; privileged access exploitation
  • Business impact: multi-week disruption of R&D and manufacturing; investor concern
  • IP/patent risk: possible exposure of neuroscience research

Company C (India, 2020)
  • Attacker group: unnamed criminal ransomware group
  • Success factors: phishing and credential theft during COVID-19 trials
  • Business impact: 4% share price drop; two-week trial delays; $150k–$250k added burn per project
  • IP/patent risk: trial data exposure undermines exclusivity

Company D (Germany, 2023)
  • Attacker group: unnamed RaaS affiliates with APT links
  • Success factors: exploited enterprise / cloud vulnerabilities; targeted R&D repositories
  • Business impact: attack contained quickly, limiting share price impact
  • IP/patent risk: potential R&D data exposure, though managed

Company E (UK, 2024/25)
  • Attacker group: Qilin
  • Success factors: VPN / firewall exploits (CVE-2024-21762); targeted NHS-critical systems
  • Business impact: £32.7M loss (~$41M); weeks of disruption; ransom ~$50M
  • IP/patent risk: diagnostic IP exposed; R&D collaborations disrupted

Conclusion: the strategic picture

The uncomfortable truth: ransomware groups have professionalised faster than most boardrooms have adapted. They’re running playbooks that look like government intelligence operations, and they’re aiming squarely at industries where research is the business to make sure you’re highly incentivised to pay up.

If you’re in an R&D-intensive sector, you’re not just another target — you’re the main course. Weak governance, patchy security, and misplaced confidence in cyber insurance won’t save you.

So, next time someone in the boardroom calls ransomware an “IT problem,” remind them it’s actually a governance problem. Because in 2025, the attackers aren’t amateurs anymore — and if your business wants to survive your response can’t be either.

Further Reading

  1. Curwell, P. (2023). The Costs of an IP Breach
  2. Curwell, P. (2024). 49% of Private Equity deals fail because of undisclosed data breaches
  3. Curwell, P. (2024). Cybercriminals Steal $5 Trillion Every Year from businesses like yours – and how you can stop them! (LinkedIn)
  4. Europol (2024). Internet Organised Crime Threat Assessment (IOCTA) 2024.
  5. Resultant – How Ransomware and Data Governance Are Connected (2024)
  6. WJARR – Data Governance and Cybersecurity Resilience (2024)
  7. OneTrust – 3 Steps for Mitigating the Impact of Ransomware Attacks Through Data Discovery (2023)
  8. Atlan – Data Governance vs. Data Security: Why Both Matter (2023)
  9. LinkedIn (Mark Shell) – Data Governance: The Final Frontier for Ransomware Protection (2024)
  10. BlueZoo – Safeguarding Sensitive Information Through Governance and Security (2024)
  11. Bitsight – Security Ratings and Ransomware Correlation (2023)
  12. Varonis – Ransomware Statistics You Need to Know (2025)
  13. ACIG Journal – Ransomware: Why It’s Growing and How to Curb It (2024)

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Why Your Brightest Minds Are Clicking on Deepfakes: The Hidden Business Cost of Phishing in Science & Tech SMBs


Key Points

  1. Phishing is smarter now: AI-generated, multi-channel phishing and social engineering schemes are targeting your most trusted staff.
  2. If you don’t own your cloud security, someone else will—probably a criminal.
  3. Breach costs in biotech, medtech, and high-tech are among the fastest-growing, averaging $4.9M.

“We Thought We Were Too Small to Be Targeted”

If I had a dollar for every science or tech founder who told me their company was “too small to be on anyone’s radar,” I’d have my own R&D fund.

Let me be clear: attackers don’t care about your size, they care about your value. If you’re holding proprietary data, research, or trade secrets, you’re a target. Most science and technology businesses rely on cloud services and don’t have a full-time security team, which makes you an easier one.

The methods used to breach billion-dollar multinationals are now faster, cheaper, and powered by AI. This article outlines the threat and provides tips on how to stop your business from being compromised by one fake Slack message, QR code, or deepfake video call.


The Phishing Shift: Multi-Channel, Deepfake, and Voice Fraud Are the New Norm

Phishing has evolved. It’s no longer about shady emails from fake banks. Today’s attacks are:

  • AI-enhanced: Customised lures generated instantly using your public data.
  • Multi-channel: 41% of phishing attacks now include SMS, WhatsApp, Teams, Slack, or LinkedIn, not just email. [Verizon DBIR 2025]
  • Visual and audio deepfakes: CEO voice clones. Fake investor video calls. Deepfake “compliance officers” asking for document uploads.
  • QR code phishing (quishing): Seen a QR code on a conference booth or flyer? It could trigger malware or credential theft. These attacks have jumped 2,000% since 2023. [Proofpoint]

This means your smartest, most senior, and most trusted employees—research leads, engineers, finance managers—are now your most likely targets.

And when they click? The attackers don’t just steal credentials—they steal access to your intellectual property, your commercialisation roadmap, your partner data.


What’s Really at Risk? IP, Trust, and your Entire Business Model

According to the IBM Cost of a Data Breach Report (2024), the average breach in the biotech and medical devices sectors now costs $4.9M, driven by:

  • Lost IP and R&D delays
  • Regulatory investigation
  • Supply chain fallout
  • Loss of investor confidence

And let’s be blunt: in your world, IP is the value. If that gets leaked, copied, or ransomed, your growth narrative evaporates. Here’s how the damage cascades across your business:

  • Strategy: Stolen trade secrets = lost first-mover advantage
  • Investment: Investors now screen for cloud security and IP protection readiness
  • Finance: Costs spike with downtime, legal, incident response, and insurance gaps
  • Operations: Phishing often leads to ransomware disrupting production or trials
  • Marketing: A leak of your roadmap = blown launch, brand damage, loss of trust

Real Example: The Deepfake COO That Killed a Fundraise

A medtech startup was gearing up for their Series B. One of their engineers received a message on Slack from “their COO” requesting trial data to be uploaded to a new shared folder for investor review. It was convincing—same profile picture, same tone, same urgency.

Except it wasn’t their COO.

The link was spoofed. The data was stolen. Within weeks, unpublished clinical research appeared online. The raise was postponed. A competitor filed a patent within six months.

This was not a technical failure—it was a business failure rooted in poor security awareness and access control.


The Cloud Trap: “We Use Microsoft/AWS, So We’re Covered” (No, You’re Not)

There’s a dangerous myth in science and tech startups: “we use Microsoft or AWS, so security is handled.” It isn’t.

Cloud providers like Microsoft and Amazon secure the underlying infrastructure. How much further that goes depends on the service model (a SaaS suite such as Microsoft 365 takes on more than a raw virtual machine does), but your apps, identities, access controls, data classification, and monitoring are always your responsibility.

Who Secures What in the Cloud?

You secure:
  • IP, data, applications
  • User identities, MFA
  • SaaS app permissions
  • Monitoring & alerts
  • Segmentation, backups

The provider secures:
  • Physical data centres
  • Infrastructure uptime
  • Network hardware
  • Hypervisor patching
  • Base platform security

Cloud platforms call this the Shared Responsibility Model, and it’s not optional. If you’re not configuring and monitoring your cloud assets regularly, you’re driving blind.


So What Do You Actually Do? Here’s a Business-Ready Plan

You don’t need a CISO or a 10-person security team. But you do need a plan that works for a cloud-first, IP-heavy business. Here’s mine.

1. Use the Cloud Security Tools You Already Own

You’re probably already paying for enterprise-grade security features. Turn them on.

On Microsoft Azure:

  • Defender for Cloud: Detect misconfigurations, malware, and risky settings.
  • Sentinel: Security analytics and threat detection.
  • DLP & Microsoft Purview: Prevent IP and research leaks across Teams, SharePoint, and email.
  • Defender for Cloud Apps: Track SaaS sprawl and OAuth risks.

On AWS:

  • GuardDuty: Real-time threat detection and alerts.
  • Security Hub: Centralised risk view across AWS services.
  • IAM + KMS: Fine-grained access control and encryption key management.
  • Third-party integration reviews: AWS has no single “connected apps” list, so use IAM Access Analyzer to surface roles, buckets and keys reachable from outside your account, and review cross-account role trust policies and OIDC/SAML identity providers by hand.

Set alerts. Monitor changes. Review configurations monthly.

2. Lock Down Identity, Access, and Data

  • MFA Everywhere: No exceptions, no delays. Use phishing-resistant methods (FIDO2 security keys or passkeys) for administrators and anyone who can reach research data, because SMS codes and push prompts can themselves be phished.
  • Least Privilege: Don’t give admin rights unless absolutely necessary.
  • Credential Hygiene: Rotate secrets; store them in Key Vault (Azure) or Secrets Manager (AWS).
  • Segment R&D Environments: Separate IP-heavy workloads from finance, HR, and business ops.
  • Encrypt Everything: In transit and at rest. Use customer-managed keys for sensitive data.

3. Train for the Threats of 2025

Phishing isn’t just email anymore. Your staff need to be trained for:

  • Quishing: Fake QR codes that install malware or lead to credential harvesters.
  • Vishing: Calls from deepfaked executives or suppliers.
  • Fake video calls: Deepfakes of board members or partners requesting documents.
  • Business email compromise: Fake invoices, altered payment instructions.

Simulate these scenarios monthly. Keep it realistic. And build a no-blame reporting culture—you want incidents surfaced fast.

4. Prepare for the Breach—Because It Will Happen

  • Automate Cross-Region Backups: Especially for research data and regulatory submissions.
  • Test Disaster Recovery Quarterly: Restoring is not plug-and-play. Practice like it’s game day.
  • Keep R&D Snapshots Offline: Isolated storage can prevent ransomware spread and data loss.

Your IP is irreplaceable. Treat it like crown jewels, not just another folder.

5. Audit Your SaaS and Supply Chain Access

Third-party apps and vendors are often your weakest link.

  • Review OAuth and app permissions quarterly
  • On Azure, use Defender for Cloud Apps to flag unused or risky apps.
  • On AWS, use IAM Access Analyzer findings and your IAM role trust policies to track which external accounts and identity providers can reach your data.
  • Add security clauses into vendor contracts: include breach notifications, minimum controls, and audit rights.

And always ask: Do they need access to that data? If not, revoke it.
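A quarterly OAuth review is easier to keep up if the decision rule is written down rather than eyeballed. The script below is an added example, not code from the original post or from Microsoft. The grant records mirror the fields of a Microsoft Graph oauth2PermissionGrant (clientId, consentType, principalId, scope); the app directory with its publisher_verified flag and last_used dates, the scope tiers, and the revoke/review thresholds are assumptions for the example, and every record is constructed.

```python
"""Quarterly review of OAuth / connected-app grants.

Added example for this post (not the author's or Microsoft's code). Grant
records mirror the fields of a Microsoft Graph oauth2PermissionGrant
(clientId, consentType, principalId, scope). The app directory, its
publisher_verified and last_used fields, the scope tiers and the thresholds
are assumptions for the example; all data is constructed.
"""
from datetime import date

WRITE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                "Sites.ReadWrite.All", "Directory.ReadWrite.All"}
READ_ALL_SCOPES = {"Mail.Read", "Files.Read.All", "Sites.Read.All", "Directory.Read.All"}
PERSISTENT = "offline_access"   # refresh token: access outlives the user's session
UNUSED_DAYS = 90                # revoke anything idle this long (assumption)
TODAY = date(2025, 6, 12)       # fixed review date so results are reproducible

# Constructed app directory (what you would pull from app registrations and sign-in logs)
APPS = {
    "sp-1": {"name": "LabNotes Sync",      "publisher_verified": True,  "last_used": date(2025, 6, 1)},
    "sp-2": {"name": "Free PDF Merge",     "publisher_verified": False, "last_used": date(2025, 1, 15)},
    "sp-3": {"name": "Investor Data Room", "publisher_verified": True,  "last_used": date(2025, 5, 30)},
    "sp-4": {"name": "Old CRM Plugin",     "publisher_verified": True,  "last_used": date(2024, 9, 1)},
}

# Constructed grants. consentType "AllPrincipals" = admin consent for the whole tenant.
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal",     "principalId": "u-alice", "scope": "User.Read Files.Read.All offline_access"},
    {"clientId": "sp-2", "consentType": "Principal",     "principalId": "u-bob",   "scope": "Files.ReadWrite.All Mail.Read offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,      "scope": "Sites.ReadWrite.All User.Read"},
    {"clientId": "sp-4", "consentType": "Principal",     "principalId": "u-carol", "scope": "User.Read"},
]

ACTION_RANK = {"revoke": 0, "review": 1, "keep": 2}


def classify_grant(grant, apps, today):
    app = apps[grant["clientId"]]
    scopes = set(grant["scope"].split())
    write = scopes & WRITE_SCOPES
    read_all = scopes & READ_ALL_SCOPES
    tenant_wide = grant["consentType"] == "AllPrincipals"
    idle_days = (today - app["last_used"]).days
    reasons = []
    if tenant_wide:
        reasons.append("tenant-wide admin consent")
    if write:
        reasons.append("write/send scopes: " + ", ".join(sorted(write)))
    if read_all and PERSISTENT in scopes:
        reasons.append("persistent read access: " + ", ".join(sorted(read_all)) + " + offline_access")
    if not app["publisher_verified"] and (write or read_all):
        reasons.append("unverified publisher")
    if idle_days > UNUSED_DAYS:
        reasons.append(f"unused for {idle_days} days")

    if idle_days > UNUSED_DAYS or (write and not app["publisher_verified"]):
        action = "revoke"   # nobody is using it, or a stranger can write to your data
    elif write or tenant_wide or (read_all and PERSISTENT in scopes):
        action = "review"   # needs an owner to justify it this quarter
    else:
        action = "keep"
    return {"app": app["name"], "principal": grant["principalId"] or "all users",
            "action": action, "reasons": reasons}


def review_grants(grants, apps, today=TODAY):
    """Classify every grant and list revocations first."""
    results = [classify_grant(g, apps, today) for g in grants]
    return sorted(results, key=lambda r: ACTION_RANK[r["action"]])


if __name__ == "__main__":
    for r in review_grants(GRANTS, APPS):
        print(f"{r['action']:6} {r['app']:20} ({r['principal']}): "
              f"{'; '.join(r['reasons']) or 'low-privilege scopes only'}")
```

The two things this surfaces that a manual skim usually misses are the tenant-wide admin consent (one click by an admin gave the data-room app write access to every site) and the combination of a read-all scope with offline_access, which keeps working after the user who consented has gone home, or left the company. Feed it a real export, keep the output with the date as your quarterly evidence, and revoke in the admin portal rather than trusting the app to behave.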

6. Give the C-Suite Metrics That Matter

Executives focus on risk, cost, and reputation. Produce a monthly cloud security dashboard to track business-relevant metrics and identify where you need to improve:

  • % of staff with MFA enabled
  • DLP events involving research/IP
  • Number of connected third-party apps
  • Training completion rates
  • Number of critical misconfigurations or policy violations

Tie these to business outcomes: funding readiness, compliance status, and operational continuity.
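The MFA and credential hygiene points in section 2 and the first metric on the dashboard above can both be produced from one artefact AWS already gives you: the IAM credential report. The script below is an added example, not code from the original post or from AWS. It assumes the CSV layout returned by `aws iam get-credential-report` (the Content field is base64 and must be decoded first); the report text embedded here is constructed sample data carrying only the columns the script reads, and the 90-day threshold is an assumption.

```python
"""Identity metrics from an AWS IAM credential report.

Added example for this post (not the author's or AWS's code). Input is the CSV
that `aws iam get-credential-report` returns (after base64-decoding Content).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Only the columns this script reads are included;
# a real report has more, which csv.DictReader ignores.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2025-05-01T09:00:00+00:00,2025-06-10T08:15:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2024-11-20T09:00:00+00:00,2025-06-11T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2025-04-15T09:00:00+00:00,2025-06-12T03:00:00+00:00,true,2023-01-02T09:00:00+00:00,N/A
carol,arn:aws:iam::111122223333:user/carol,true,false,false,N/A,N/A,false,N/A,N/A
"""

AS_OF = datetime(2025, 6, 12, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible
MAX_KEY_AGE = timedelta(days=90)                     # rotation / disuse threshold (assumption)


def _parse_ts(value):
    """The report uses ISO 8601 with offset, or N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def analyse_credential_report(report_csv, as_of=AS_OF, max_age=MAX_KEY_AGE):
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next(r for r in rows if r["user"] == "<root_account>")
    # Console users are those with a password; service users have keys only.
    console_users = [r for r in rows if r["password_enabled"] == "true"]
    without_mfa = [r["user"] for r in console_users if r["mfa_active"] != "true"]
    stale_keys, unused_keys = [], []
    for r in rows:
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(r[f"access_key_{n}_last_rotated"])
            last_used = _parse_ts(r[f"access_key_{n}_last_used_date"])
            if rotated is None or as_of - rotated > max_age:
                stale_keys.append(f"{r['user']}/key{n}")     # overdue for rotation
            if last_used is None or as_of - last_used > max_age:
                unused_keys.append(f"{r['user']}/key{n}")    # never used, or dormant
    covered = len(console_users) - len(without_mfa)
    return {
        "root_mfa_enabled": root["mfa_active"] == "true",
        "console_users": len(console_users),
        "mfa_coverage_pct": round(100 * covered / len(console_users)) if console_users else 100,
        "users_without_mfa": without_mfa,
        "stale_access_keys": stale_keys,
        "unused_access_keys": unused_keys,
    }


if __name__ == "__main__":
    for key, value in analyse_credential_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run monthly, the numbers become the dashboard line and the dated output becomes the evidence trail. Two details matter in practice: the root account is reported separately because its password row reads not_supported, so a root login without MFA would be invisible to a naive percentage; and a key that is active but has never been used (ci-deploy’s second key here) is pure attack surface and should simply be deleted rather than rotated. The same approach works for a Microsoft Entra tenant using an export of the authentication methods report; the field names differ, the logic does not.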

Final Thoughts: Security Is Commercialisation

If you’re in science and tech, your ability to protect your research and data is part of your business model.

This isn’t paranoia, it’s about staying competitive. You are competitive when you secure your IP, prove control over your cloud environment, and train your team to spot social engineering, you don’t just reduce risk—you build credibility with investors, partners, and customers.

So let’s recap. Here are 6 actions you can take now to avoid becoming a victim of the next phishing or social engineering scheme:

  • Enable MFA on every human account, and replace long-lived keys on machine identities with short-lived credentials (IAM roles, managed identities, workload identity).
  • Audit your Azure or AWS environment with Security Hub or Defender.
  • Run a phishing simulation that includes voice, SMS, and video threats.
  • Review all third-party apps and OAuth permissions.
  • Test your disaster recovery plan.
  • Start tracking metrics for the boardroom.

If you need help setting this up—or just want a quick review—I’ve worked with enough S&T startups and growth-stage firms to know what’s worth your time.

You don’t need to be unbreakable. You just need to be prepared.

And in a world of AI-enhanced fraud, that’s your real competitive edge.


Continuous Control Monitoring: Your SMB Security Game Changer


3 Key Takeaways

  • Trade secret theft costs SMBs an average of $2.6 million per incident—but 90% of these losses could be prevented using continuous control monitoring tools you already own in Microsoft 365, Google Cloud, or AWS.
  • Investors and enterprise customers now demand real-time security evidence—continuous control monitoring gives you the proof they need, while manual audits leave you vulnerable and unconvincing.
  • Your existing cloud platform includes powerful insider threat detection—you just need to activate features that most SMBs never touch, transforming your security from reactive hope to proactive protection.

In 2019, a US biotech company lost proprietary drug formulas when a disgruntled employee downloaded files and tried to sell them to competitors. The theft delayed FDA submissions, spooked investors, and triggered costly litigation.

The tragedy? This breach could have been prevented with built-in monitoring capabilities that were sitting unused in their IT stack.

Here’s the problem I see everywhere: SMBs implement security controls but never prove they’re working. You have policies, procedures, and technology—but zero real-time visibility into whether they’re actually protecting your business.

From Frameworks to Reality: The Assurance Gap

Last week, I wrote about the three SMB risk management frameworks that knowledge-intensive businesses need: SMB1001, AS 8001, and ASIO’s Secure Innovation guidance. The response was overwhelmingly positive, but it also highlighted a critical gap.

You understand what controls you need. The challenge is proving those controls actually work—without breaking the budget on audits and compliance teams.

Here’s where the numbers get scary: trade secret theft costs the US economy over $300 billion annually, with SMBs losing an average of $2.6 million per incident. Meanwhile, 95% of successful breaches involve insider threats or human error—risks that continuous monitoring can catch before they destroy your business.

This is where continuous control monitoring (CCM) becomes your secret weapon. Instead of periodic manual audits, CCM gives you real-time evidence that your security controls are operating as intended.

What Continuous Control Monitoring Actually Does

CCM automates three critical functions that manual processes struggle with:

  • Real-time validation: Confirms your controls are working right now, not just when an auditor visits
  • Early detection: Flags control failures before they become incidents or breaches
  • Evidence generation: Produces the documentation investors, customers, and regulators actually want to see

The best part? Your existing cloud platform already includes powerful CCM capabilities that most SMBs never activate.

Your CCM Implementation Guide

Here’s how to implement continuous monitoring for the most critical SMB security controls using tools you likely already own:

Access Controls & Identity
  • Microsoft 365: Microsoft Defender for Identity; Azure AD PIM (now Microsoft Entra PIM)
  • GCP: Cloud IAM; Security Command Center
  • AWS: IAM; GuardDuty

Insider Threat Detection
  • Microsoft 365: Microsoft Purview Insider Risk Management
  • GCP: Security Command Center; Event Threat Detection
  • AWS: Amazon Detective; GuardDuty

Data Protection & IP
  • Microsoft 365: Microsoft Purview; custom DLP policies
  • GCP: Cloud DLP (now Sensitive Data Protection); custom DLP templates
  • AWS: Macie; GuardDuty custom threat lists

Third-Party & Supply Chain Risk
  • Microsoft 365: vendor risk management in Compliance Manager
  • GCP: BeyondCorp; Access Context Manager
  • AWS: AWS Config; Security Hub

Fraud & Corruption
  • Microsoft 365: Microsoft Purview; Insider Risk Management
  • GCP: Chronicle (now Google Security Operations); Access Transparency
  • AWS: AWS CloudTrail; Macie

Compliance Reporting
  • Microsoft 365: Microsoft Compliance Manager; audit logs
  • GCP: Security Health Analytics
  • AWS: AWS Config; Inspector

Executive Dashboards
  • Microsoft 365: Power BI; compliance reporting
  • GCP: Looker; security dashboards
  • AWS: Amazon QuickSight; security reports

How to Use This Framework

  1. Choose your column based on your existing cloud provider
  2. Start with high-impact areas like insider threat detection and IP protection
  3. Configure automated alerts for control failures or suspicious activities
  4. Create executive dashboards that show control effectiveness in real-time
  5. Document your monitoring for investor presentations and customer audits

Advanced CCM Strategies That Actually Work

Once you have basic monitoring in place, you can implement more sophisticated approaches:

  • Behavioral Analytics: Use machine learning in tools like Microsoft Insider Risk Management or AWS GuardDuty to detect unusual patterns that might indicate insider threats or compromised accounts.
  • Cross-Platform Integration: Connect monitoring across different systems to get a complete picture. For example, correlate login anomalies with unusual file access patterns.
  • Custom Alerting Rules: Create specific alerts for your business context. A research company might monitor for unusual access to databases outside business hours, while a technology firm might focus on code repository access patterns.
  • Automated Response: Configure automatic responses to certain events—like temporarily disabling accounts that show suspicious behavior or requiring additional authentication for sensitive data access.
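To make the custom alerting and automated response points concrete, here is a small rule set run over a handful of constructed audit events. This is an added example, not code from the original post or from any vendor product. The event schema (time, principal, action, resource, bytes), the sensitive-resource list, the business hours, the 2 GiB-per-hour threshold, the admin allow-list and the AEST timezone are all assumptions to be replaced with your own telemetry and context.

```python
"""Continuous-control rules over research-data audit events.

Added example for this post (not the author's or any vendor's code). The event
fields, thresholds, timezone and sample events are constructed assumptions;
map them onto what your platform emits (CloudTrail, the Microsoft 365 unified
audit log, Cloud Audit Logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SENSITIVE_RESOURCES = {"research-db", "trial-data-bucket"}          # the crown jewels
ADMIN_ACTIONS = {"AttachUserPolicy", "CreateAccessKey", "PutBucketPolicy"}
ADMINS = {"alice"}                                                   # allow-listed administrators
BUSINESS_HOURS = (7, 19)                  # local hours considered normal, Monday to Friday
LOCAL_TZ = timezone(timedelta(hours=10))  # assumption: the lab runs on AEST (UTC+10)
BULK_BYTES_PER_HOUR = 2 * 1024**3         # more than 2 GiB of sensitive data in an hour is unusual here

# Constructed sample events (UTC timestamps, as most platforms log them)
SAMPLE_EVENTS = [
    {"time": "2025-06-09T23:30:00Z", "principal": "bob",   "action": "Query",           "resource": "research-db",       "bytes": 0},
    {"time": "2025-06-10T12:05:00Z", "principal": "bob",   "action": "GetObject",       "resource": "trial-data-bucket", "bytes": 1_500_000_000},
    {"time": "2025-06-10T12:40:00Z", "principal": "bob",   "action": "GetObject",       "resource": "trial-data-bucket", "bytes": 1_200_000_000},
    {"time": "2025-06-10T13:00:00Z", "principal": "alice", "action": "Query",           "resource": "research-db",       "bytes": 0},
    {"time": "2025-06-10T04:10:00Z", "principal": "carol", "action": "CreateAccessKey", "resource": "iam",               "bytes": 0},
    {"time": "2025-06-10T13:30:00Z", "principal": "dave",  "action": "GetObject",       "resource": "marketing-assets",  "bytes": 3_000_000_000},
    {"time": "2025-06-14T02:00:00Z", "principal": "eve",   "action": "Query",           "resource": "research-db",       "bytes": 0},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
RESPONSE_BY_SEVERITY = {
    "high": "disable_account_and_page_oncall",
    "medium": "require_step_up_auth",
    "low": "log_only",
}


def _local(ts):
    """Convert a UTC 'Z' timestamp to lab-local time; business hours only make sense locally."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(LOCAL_TZ)


def _out_of_hours(local_dt):
    start, end = BUSINESS_HOURS
    return local_dt.weekday() >= 5 or not (start <= local_dt.hour < end)


def evaluate(events):
    """Return findings: out-of-hours sensitive access, bulk download, unauthorised admin action."""
    findings = []
    bytes_per_hour = defaultdict(int)  # (principal, local hour) -> bytes read from sensitive stores
    for ev in events:
        local_dt = _local(ev["time"])
        sensitive = ev["resource"] in SENSITIVE_RESOURCES
        if sensitive and _out_of_hours(local_dt):
            findings.append({"rule": "out_of_hours_sensitive_access", "principal": ev["principal"],
                             "severity": "medium",
                             "detail": f"{ev['action']} on {ev['resource']} at {local_dt:%a %H:%M} local"})
        if sensitive:
            bytes_per_hour[(ev["principal"], local_dt.replace(minute=0, second=0))] += ev["bytes"]
        if ev["action"] in ADMIN_ACTIONS and ev["principal"] not in ADMINS:
            findings.append({"rule": "admin_action_by_non_admin", "principal": ev["principal"],
                             "severity": "high", "detail": ev["action"]})
    for (principal, hour), total in bytes_per_hour.items():
        if total > BULK_BYTES_PER_HOUR:
            findings.append({"rule": "bulk_download_sensitive", "principal": principal, "severity": "high",
                             "detail": f"{total / 1024**3:.1f} GiB from sensitive stores in the hour from {hour:%a %H:%M}"})
    return findings


def recommend_responses(findings):
    """Pick one automated response per principal from their worst finding."""
    worst = {}
    for f in findings:
        p, s = f["principal"], f["severity"]
        if p not in worst or SEVERITY_RANK[s] > SEVERITY_RANK[worst[p]]:
            worst[p] = s
    return {p: RESPONSE_BY_SEVERITY[s] for p, s in worst.items()}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] {f['rule']:30} {f['principal']:6} {f['detail']}")
    print(recommend_responses(found))
```

Three things in the sample are worth noticing. Bob’s first query is 23:30 UTC but 09:30 local, so a rule written against raw UTC would have produced a false positive; convert before you judge. Dave pulls 3 GB from a marketing bucket and is ignored, because the rules only watch resources you have classified as sensitive, which is exactly why the governance work of classification comes before the tooling. And the automated response disables accounts on a high finding, so put a guard around the allow-listed admins (or a break-glass account) before you wire this to a real identity provider, or the first noisy night will lock your own team out.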

Implementation Roadmap: From Zero to Hero

Ready to start implementing? Here’s a simple roadmap to start improving your risk management:

Week 1-2: Assessment and Quick Wins

  • Audit your current cloud platform subscriptions to identify unused monitoring capabilities
  • Enable basic logging and alerting for high-risk activities (admin access, data downloads, unusual login patterns)
  • Set up executive dashboards in Power BI, Looker, or QuickSight

Week 3-4: Core Control Monitoring

  • Configure monitoring for the controls required by your chosen frameworks
  • Test alert thresholds to reduce false positives while catching real issues
  • Create incident response procedures for different alert types

Month 2: Integration and Refinement

  • Connect monitoring systems across platforms for comprehensive visibility
  • Implement behavioral analytics for insider threat detection
  • Train your team on interpreting alerts and responding appropriately

Month 3+: Continuous Improvement

  • Regular review of monitoring effectiveness and alert accuracy
  • Quarterly reports for investors and board members showing control performance
  • Updates to monitoring rules based on business changes and threat evolution

The Business Case: Why CCM Matters Beyond Compliance

Implementing CCM isn’t just about ticking compliance boxes—it’s about building a competitive advantage that directly impacts your bottom line:

For Investors: When you can show real-time dashboards of your security posture and historical data proving your controls work, you differentiate yourself from competitors who only have policies and procedures. This translates to higher valuations and faster funding rounds.

For Enterprise Customers: Large buyers increasingly require evidence of active security monitoring before they’ll trust you with contracts. CCM gives you the documentation and assurance they need, opening doors to bigger deals and longer-term partnerships.

For Research and Commercialisation: Patent offices and licensing partners want proof you’ve taken reasonable steps to protect your IP. Your monitoring logs provide that evidence, strengthening your position in disputes and negotiations.

For Operational Efficiency: Instead of wondering whether security measures are working, your team gets immediate feedback and can focus on real issues rather than false alarms. This means faster response times and better resource allocation.

Your Next Move: Stop Playing Risk Roulette

The difference between SMBs that attract serious investment and those that struggle isn’t just their innovation—it’s their ability to demonstrate they’re trustworthy stewards of that innovation.

You don’t need a security team. You don’t need expensive new tools. But you do need to prove your controls work.

Whether you’re seeking patents, winning government contracts, or raising capital from investors who understand modern risks, you must demonstrate active, continuous protection of your IP and operations.

Start this week:

  • Audit your current cloud subscriptions to identify unused monitoring capabilities
  • Enable basic logging and alerting for your most sensitive research and technology data
  • Create a simple dashboard that shows your security posture in real-time
  • Document your monitoring approach for investor presentations and customer audits

The frameworks give you the roadmap. Continuous control monitoring gives you the evidence. Your existing cloud platform gives you the tools.

The only question left is: will you activate them before the next insider threat walks out with your trade secrets?


Ready to implement continuous monitoring but need guidance on where to start? I’ve helped dozens of SMBs activate these capabilities without breaking their budgets—drop me a line to discuss your specific situation.


Protecting Your R&D When Outsourcing Rapid Prototyping


3 Key Takeaways:

  • Outsourcing rapid prototyping is essential for speed and cost efficiency but poses serious trade secret and IP risks.
  • Real-world cases show that failing to protect your R&D can lead to trade secret theft, fraud, and competitive loss.
  • A proactive strategy—including legal safeguards, secure operations, and ongoing monitoring—can mitigate risks.

Rapid prototyping offers many benefits, but be sure to manage your risk

Outsourcing rapid prototyping is a game-changer for R&D-driven businesses. It accelerates innovation, slashes development costs, and opens doors to specialist skills and cutting-edge tech that would be costly to build in-house. With the global rapid prototyping market projected to soar from $3.33 billion in 2024 to over $21 billion by 2034, it’s clear that more businesses are embracing this approach to stay ahead of the curve. Fixing design flaws early during prototyping can be up to 100 times cheaper than post-release corrections—a compelling reason why prototyping is no longer a luxury, but a business imperative.

Types of Rapid Prototyping Techniques

Common prototyping methods include:

  • Stereolithography (SLA): High-detail resin printing.
  • Fused Deposition Modeling (FDM): Budget-friendly plastic extrusion.
  • Selective Laser Sintering (SLS): Durable powder-based prints.
  • Direct Metal Laser Sintering (DMLS): Precision metal parts.
  • CNC Machining: Subtractive manufacturing for high-strength components.

Each technique has its own supply chain risks, making security considerations essential from the outset.

But here’s the catch—outsourcing means sharing your most valuable assets: trade secrets, proprietary designs, and sensitive R&D data. Whether you’re working with a niche 3D printing firm or a global manufacturing partner, the risk of IP theft, insider threats, or accidental disclosure is real. In fast-moving industries like automotive, biotech, and consumer tech—where time-to-market is everything—balancing speed with security is critical. This article explores how founders can unlock the full potential of prototyping and outsourcing, while putting practical guardrails in place to protect their intellectual property and business viability.

The Need for Outsourcing Rapid Prototyping

Startups and SMEs often lack the in-house capabilities for advanced prototyping. Outsourcing helps by:

  • Cutting costs—no need for expensive machinery or full-time specialists.
  • Providing access to world-class expertise in emerging technologies.
  • Accelerating product development and market entry.

But with these benefits come significant risks. Handing over your prototype means exposing critical trade secrets to external partners—some of whom may not be as trustworthy as they claim.

Example of additive manufacturing used in rapid prototyping

Case Study: IP Theft in Outsourcing

A U.S. medical device startup learned this lesson the hard way. They outsourced prototyping to a foreign manufacturer, only to discover a near-identical product in the market months later. The culprit? Their own supplier, who exploited weak contractual protections to replicate and commercialise the design. The result: financial loss, legal battles, and an irreparably damaged competitive advantage.

Lesson learned? If you don’t protect your trade secrets, someone else will profit from them.

Understanding IP Protection for Prototypes

Trade Secrets vs. Patents

Patents are great—until they aren’t. They require public disclosure and take years to secure. Trade secrets, on the other hand, remain confidential as long as they are actively protected. Most prototypes fall under trade secrets because early-stage innovation needs secrecy, not immediate disclosure.

Copyright attaches automatically to design files, drawings and software as creative works, but it protects the expression (the CAD file, the source code), not the functional idea behind it. International enforcement can also be difficult, so additional contractual and legal steps are essential when working with overseas partners.

Risks Associated with Outsourcing R&D and Rapid Prototyping

The top risks include:

  • Trade secret theft—unauthorised copying or sharing of designs.
  • Copyright infringement—misuse of software and design blueprints.
  • Ownership disputes—who really owns the prototype files and production molds?
  • Loss of core expertise—outsourcing critical R&D can weaken in-house innovation.
  • Reputational damage—a security breach can erode investor and customer trust.

International Considerations for Australian Businesses

Australia’s trade secret and IP laws are predominantly enforced through civil action, but overseas is another story, especially if you are outsourcing to less developed countries. Many jurisdictions have weaker protections, which makes stolen IP difficult to recover and your IP rights difficult to enforce.

Don’t forget that you actually need to have funds available for any legal dispute. If you can’t afford one, don’t rely on legal battles and contractual enforcement: a good security program is your friend.

Specific Risks for Australian Businesses

Countries with high rates of IP theft pose unique challenges. Contracts mean little if enforcement is lax. This is why due diligence on foreign partners is just as important as the contract itself.

Steps to Protect Your R&D When Outsourcing

Before Outsourcing

  • Identify and classify critical trade secrets.
  • Research suppliers’ security track records.
  • Assess the legal landscape in the outsourcing country.
  • Perform a security risk assessment so that you understand the risks (including supply chain risks and country-specific laws) and what you need to do to manage them.
  • Develop your Research and Technology Protection Program, setting out the controls you will implement through contractual measures and operational safeguards.

Contractual Measures

  • Use watertight non-disclosure agreements (NDAs).
  • Clearly define IP ownership and usage rights in contracts.
  • Specify dispute resolution mechanisms.
  • Include post-collaboration IP return/destruction clauses.

Operational Safeguards

  • Limit access to sensitive data—adopt a need-to-know approach.
  • Use secure data transfer methods (encrypted channels, VPNs).
  • Implement strict version control on prototype files.

Monitoring and Control

  • Conduct regular audits of outsourcing partners.
  • On-site visits to assess security practices.
  • Track prototypes through serial numbering and logging systems.
  • Obtain signed attestations or legally-binding declarations to confirm that all products, materials and designs / data / information have been destroyed or returned on completion of the work.
  • Maintain detailed documentation of all proprietary designs.
  • Register copyrights where applicable.
  • Seek legal counsel in the outsourcing country for enforcement advice.
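
Two of the safeguards above, strict version control on prototype files and tracking what was handed over through logging, can be combined in a release manifest: a record of every file shared with a partner, keyed by its SHA-256 hash and bound to the recipient and a release identifier with an HMAC. The following is an added example, not code from the original article. The directory layout, the release identifiers, the partner name and the signing key are assumptions for illustration, and the stand-in prototype files are constructed inline so the script runs offline.

```python
"""Release manifest for prototype files handed to an outsourcing partner.

Added example (not from the original article). Each release records the
SHA-256 of every file, the recipient and a release ID, and the whole record
is bound with an HMAC so a later dispute over "which version did you give
us?" can be settled against an authenticated record rather than memory.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumption: in practice this key lives in a secrets manager, not in code.
MANIFEST_KEY = b"example-manifest-signing-key-change-me"


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large CAD files never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def canonical_bytes(body):
    """Deterministic JSON encoding so the HMAC is reproducible on verification."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _hash_tree(root):
    """Map each relative path under root to its SHA-256."""
    hashes = {}
    for dirpath, _dirnames, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def build_manifest(root, release_id, recipient, key=MANIFEST_KEY, created=None):
    """Hash every file under root and bind the listing to recipient and release."""
    body = {
        "release_id": release_id,
        "recipient": recipient,
        "created": created or datetime.now(timezone.utc).isoformat(),
        "files": _hash_tree(root),
    }
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """True only if the body is unchanged since it was signed."""
    expected = hmac.new(key, canonical_bytes(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac_sha256"])


def compare_release(manifest, root):
    """Compare a directory (e.g. files returned by the partner) with the manifest.

    Returns the relative paths that were modified, are missing, or were not
    part of the recorded release at all.
    """
    recorded = manifest["body"]["files"]
    on_disk = _hash_tree(root)
    return {
        "modified": sorted(p for p in recorded if p in on_disk and on_disk[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in on_disk),
        "unexpected": sorted(p for p in on_disk if p not in recorded),
    }


def make_sample_release():
    """Constructed sample release: a few stand-in prototype files in a temp dir."""
    root = tempfile.mkdtemp(prefix="proto_release_")
    os.makedirs(os.path.join(root, "cad"))
    samples = {
        "cad/bracket_v3.step": b"ISO-10303-21; (constructed stand-in for a STEP file)\n",
        "cad/housing_v3.stl": b"solid housing (constructed stand-in for an STL file)\nendsolid\n",
        "README.txt": b"Release 2024-R3 for supplier evaluation. Confidential.\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    release = make_sample_release()
    manifest = build_manifest(release, "2024-R3", "Example Prototyping Pty Ltd")
    print(json.dumps(manifest, indent=2))
    print("verified:", verify_manifest(manifest))
    print("drift:", compare_release(manifest, release))
```

Keep the signed manifest with your own records and send the partner a copy; when files come back at the end of the engagement, compare_release shows exactly what changed, what is missing and what extra material appeared, which is the evidence you want before accepting a return or destruction attestation.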

Conclusion

Innovation thrives on collaboration, but unprotected outsourcing can be a goldmine for IP theft. Trade secrets, fraud, and supply chain risks aren’t hypothetical—they’re real threats with billion-dollar consequences. Protecting your R&D requires a mix of legal safeguards, operational discipline, and continuous oversight.

Want to secure your innovation while staying ahead of the competition? Start by reviewing your outsourcing agreements today—before someone else commercialises your ideas.


DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Evil Twin Attacks: A Hidden Threat to Your IP and Data Security

Key Takeaways

  • Evil twin attacks use fake WiFi networks to steal sensitive business data, including Intellectual Property and Trade Secrets
  • Common targets include airports, R&D facilities, and office buildings
  • Proper security measures can protect your intellectual property
  • Recent cases show increasing sophistication of these attacks

Understanding Evil Twin WiFi Attacks: A Growing Cybersecurity Threat

In our increasingly connected business world, WiFi has become essential for daily operations. However, this convenience comes with risks – particularly the sophisticated cyber threat known as an “Evil Twin” attack. These attacks specifically target businesses to steal trade secrets and intellectual property through seemingly innocent WiFi connections.

What Is an Evil Twin Attack?

An evil twin attack occurs when cybercriminals create a fraudulent WiFi network that mimics a legitimate one. This malicious network looks identical to real networks, often using names like “CompanyGuest” or “FreeAirportWiFi.” Once users connect, attackers can:

  • Monitor all traffic, and read it in plaintext where it is not protected by TLS or a VPN
  • Steal login credentials, typically through fake captive-portal or login pages
  • Capture sensitive business data
  • Access proprietary information
  • Intercept confidential communications

How Evil Twin Attacks Work: Technical Breakdown

Evil Twin attacks are simple to establish, which makes them all the more problematic. It is easy to obtain the equipment and knowledge required to set up an Evil Twin successfully and start harvesting your data. These attacks follow a systematic approach:

  1. The attacker creates a clone network with an identical or similar name to a legitimate network
  2. They offer a stronger signal than the legitimate access point, sometimes combined with deauthentication frames that knock clients off the real network, so devices reconnect to the clone
  3. Users unknowingly connect to the malicious network
  4. Attackers capture unencrypted data and communications (traffic protected by TLS or a VPN stays unreadable unless the user accepts a forged certificate or is redirected to a fake login page)
  5. In advanced cases, they inject malware into connected devices

Primary Targets: Who’s at Risk?

In my experience, there are two main groups of perpetrators who execute evil twin attacks:

Opportunistic Criminals – these are criminals who take advantage of users’ poor security awareness for their own financial gain. They generally run an Evil Twin for a bigger purpose, such as:

  • Stealing personal and financial information, either to perpetrate fraud themselves or for resale to other criminals
  • Deploying malware for device compromise, moving them up the value chain into potentially more lucrative crimes
  • Often targeting the general public for high volume attacks

Professional Intelligence Collectors (PICs) – these are experts who specialise in collecting IP, either for auction on the darkweb or according to a customer’s order (such as your competitor). PICs:

  • Specifically target business intellectual property
  • Operate sophisticated operations
  • Sell stolen data on dark web markets
  • Are often undetectable without specialised security teams

High-Risk Locations for Evil Twin Attacks

Locations that are most likely to be targeted for Evil Twin attacks depend on the hacker’s motive and intended target. Three of the most at-risk locations for these attacks are R&D facilities, corporate offices, and airports.

R&D Facilities and Office Areas

By their nature, Research and Development facilities are inherently attractive targets for PICs, possibly more so than offices. They face particular risks due to:

  • A high concentration of valuable intellectual property
  • Regular network access needs by employees and equipment, such as IoT devices and other Operational Technology
  • The possibility of multiple entry points for attackers
  • Potential for long-term, undetected compromise, which can severely damage your strategic advantage and R&D pipeline if information is leaked or published before a patent application is filed.

Airports and Travel Hubs

In contrast to business premises, it is much harder to target specific individuals or groups at airports and travel hubs. This is why these locations are more likely to be associated with opportunistic criminals (airline business lounges being the exception). Business travellers face increased risk because:

  • Time pressure leads to hasty network connections
  • Multiple legitimate-looking network options exist, and users have no clear guidance on which networks can be trusted
  • There is a high concentration of business professionals, often rushing to catch up on work between flights
  • There is a regular need for internet connectivity, especially when using voice or video calls during a layover

Information is harvested in bulk at these locations, and then likely categorised based on how it may be used. From what we know about how illicit markets operate, it is likely that business information such as IP and Trade Secrets may be sold and re-sold numerous times until it reaches an interested party.

Real-World Example: Australian Airport Attacks

In 2024, Australian authorities arrested a 42-year-old man for conducting evil twin attacks across multiple airports. The perpetrator:

  • Targeted major airports in Perth, Melbourne, and Adelaide
  • Created fake networks mimicking legitimate airport WiFi
  • Operated attacks during flights
  • Was caught after airline staff detected suspicious activity

This real-life example demonstrates that Evil Twins are happening, and that they are relatively easy to set up and operate. It was identified only by chance, thanks to an observant airline employee; think how many similar set-ups around the world have gone completely unnoticed.

Preventative Measures for your Business: A 3-Step Protection Strategy

In my experience, there are three core things that businesses need to do to mitigate the risks of Evil Twin attacks and to practice good information security hygiene. These are as follows:

1. Employee Security Awareness

I’ve written before that good security awareness and a positive security culture are core foundations of a Trade Secrets Protection program for your research and development. Executives and lead researchers, as well as those travelling internationally, pose a particular risk: they are time-poor and handle a disproportionately large volume of confidential information. In practice, this requires the following:

  • Comprehensive security training, including regular refreshers on network security
  • Teaching staff to recognise suspicious networks (duplicate names, open networks where a password is expected, unexpected login pages)
  • Proper use of security tools such as the corporate VPN
  • A special focus on travelling employees

2. Active Network Monitoring

This is something every security team should be doing continuously in R&D-intensive organisations, whether at head office, in laboratories or in manufacturing facilities. It is also important that your suppliers and business partners do this as well. The task requires some basic tools and cybersecurity knowledge as a foundation, but it can also be integrated with cyber threat intelligence and incident monitoring (via tools such as a SIEM, a Security Information and Event Management system).

Four fundamental things you need to do are:

  • Regular wireless security sweeps of your premises to spot access points that are not in your inventory
  • Deployment of WiFi analysis tools (or a wireless intrusion detection system) so that sweeps are not a one-off exercise
  • Real-time threat detection, feeding alerts into your broader monitoring systems
  • Collaboration with law enforcement and security agencies when a rogue network is found
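
To make the monitoring list concrete, the following is an added example (not code from the original article) of the comparison a WiFi sweep should perform: every beacon seen in a scan is checked against an inventory of authorised access points. It flags three patterns: an unknown BSSID broadcasting a corporate SSID, a corporate SSID offered with weaker security than expected (an open network where WPA3 is deployed), and a lookalike SSID within one character edit of a corporate name. The inventory, the scan records, the SSID names and the security ranking are constructed for illustration; a real deployment would feed the function from a wireless IDS or scanning tool.

```python
"""Rogue access point detection over a wireless scan.

Added example, not from the original article. KNOWN_NETWORKS, SAMPLE_SCAN
and SECURITY_RANK are constructed values for illustration.
"""
from dataclasses import dataclass

# Security modes in increasing order of strength (assumed ranking).
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Authorised SSIDs, the BSSIDs (AP MAC addresses) allowed to broadcast them,
# and the minimum security each should ever be seen with. Constructed values.
KNOWN_NETWORKS = {
    "AcmeLabs-Corp": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "min_security": "WPA3"},
    "AcmeLabs-Guest": {"bssids": {"aa:bb:cc:00:00:03"}, "min_security": "WPA2"},
}

# Constructed scan output: one record per beacon seen during a sweep.
SAMPLE_SCAN = [
    {"ssid": "AcmeLabs-Corp", "bssid": "aa:bb:cc:00:00:01", "channel": 36, "security": "WPA3", "signal": -48},
    {"ssid": "AcmeLabs-Guest", "bssid": "aa:bb:cc:00:00:03", "channel": 6, "security": "WPA2", "signal": -55},
    # Unknown radio advertising the corporate SSID, open and very loud: a classic evil twin.
    {"ssid": "AcmeLabs-Corp", "bssid": "de:ad:be:ef:00:01", "channel": 1, "security": "OPEN", "signal": -30},
    # Lookalike name, one character away from the guest network.
    {"ssid": "AcmeLabs_Guest", "bssid": "de:ad:be:ef:00:02", "channel": 11, "security": "OPEN", "signal": -35},
    # A neighbour's network: unrelated, must not be flagged.
    {"ssid": "CoffeeShopWiFi", "bssid": "11:22:33:44:55:66", "channel": 11, "security": "WPA2", "signal": -70},
]


@dataclass(frozen=True)
class Finding:
    kind: str       # "unknown_bssid", "security_downgrade" or "lookalike_ssid"
    ssid: str
    bssid: str
    detail: str


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_rogue_aps(known, scan, max_lookalike_distance=1):
    """Compare every scanned beacon against the authorised inventory."""
    findings = []
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"].upper()
        if ssid in known:
            policy = known[ssid]
            if bssid not in policy["bssids"]:
                findings.append(Finding("unknown_bssid", ssid, bssid,
                                        f"not in inventory (channel {ap['channel']}, {ap['signal']} dBm)"))
            if SECURITY_RANK.get(sec, 0) < SECURITY_RANK[policy["min_security"]]:
                findings.append(Finding("security_downgrade", ssid, bssid,
                                        f"seen as {sec}, expected at least {policy['min_security']}"))
            continue
        # Not an exact match: case-insensitive near-miss against every real name.
        for real_ssid in known:
            if edit_distance(ssid.lower(), real_ssid.lower()) <= max_lookalike_distance:
                findings.append(Finding("lookalike_ssid", ssid, bssid, f"resembles {real_ssid}"))
                break
    return findings


if __name__ == "__main__":
    for f in detect_rogue_aps(KNOWN_NETWORKS, SAMPLE_SCAN):
        print(f"[{f.kind}] ssid={f.ssid!r} bssid={f.bssid} {f.detail}")
```

The BSSID inventory is the control that matters most: an attacker can copy your SSID and security settings exactly, but the clone still has to radiate from a MAC address you did not deploy, so a sweep that only looks at names will miss the well-made twin that this check catches.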

3. Security Tools and Policies

Another key foundation for good information security is your tools and policies. Gone are the days of writing policies and hoping employees read them. Policies are now implemented via systems and user configurations, and these help ensure your information is optimally protected in a consistent way for every user:

  • Mandatory VPN usage, so that traffic stays protected even if a device joins the wrong network
  • Endpoint security implementation
  • Clear network access policies
  • Network Access Control (NAC) systems
  • Secure WiFi alternatives for staff and travellers, such as a corporate mobile hotspot
  • Clear security protocols, including how to report a suspicious network
  • Regular security audits

Protecting Your Business Assets

Evil twin attacks represent a significant threat to business security, particularly for companies with valuable intellectual property. By understanding these risks and implementing proper security measures, organisations can better protect their sensitive data and maintain their competitive advantage.

Remember: Prevention is always less costly than dealing with a security breach. Invest in proper security measures today to protect your business’s future.

The costs of an IP breach

Think IP theft will never happen to you?

After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.

The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.

A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.

Could this situation have been avoidable?

An IP breach will cost your business big time

Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.

Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.

To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:

Above the surface (better-known cyber incident costs):
  a) Customer breach notification
  b) Post-breach customer protection
  c) Regulatory compliance remediation
  d) Media and public relations campaign
  e) Legal and litigation fees
  f) Technical investigation
  g) Cybersecurity program uplift

Below the surface (hidden or less visible costs):
  a) Insurance premium increases
  b) Increased costs to raise debt
  c) Impact of operational disruption or destruction
  d) Lost value of customer relationships
  e) Value of lost contracts
  f) Devaluation of trade name
  g) Loss of intellectual property

Source: Mossburg et al. (2016), The hidden costs of an IP breach.

Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized business (SMB) being shut down. Surely more can be done?

Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders’ rights, circuit layout rights and trade secrets – is very important, as is the use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.

Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:

  • Quickly replicate your work and bring it to market before you have obtained full IP rights (i.e. they beat you to the patent)
  • Bring a competing product to market, perhaps in jurisdictions where you have not applied for IP rights (most organisations cannot afford to lodge patents in every country and do so selectively). These products are often cheaper, because the competitor has no R&D costs to recover, and over time they may cannibalise your market share and revenue
  • Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence

Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.

Starting early to protect your IP properly through BOTH legal and information security approaches is essential. Doing only one or the other is not sufficient.

How do VCs and Angel Investors view IP?

Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and needs capital to scale, leaders need to turn their minds to what investors will think. Investors have a scarce commodity, money, and there are a lot of companies vying to help them spend it.

Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.

The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know’, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.

Venture Capitalists and Private Equity investors get even more serious about their IP assets:

“Many founders make mistakes in the first 12 months of business that cost them dearly as they build their companies. These mistakes revolve around intellectual property, founding team members, initial product that is built and market validation.”

Quoting Entrepreneur-turned-VC Mark Suster in Jutten (2015)

To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.

You need to protect your IP from Day One

One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.

Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management are left until later. Some start-ups are founded by groups of friends who never consider that they may fall out, or have a rogue employee, in the future.

The most critical elements of protecting your IP and trade secrets from an information security perspective include:

  • Identifying your critical information assets
  • Identifying who has access to them
  • Performing a risk assessment to understand how these assets could be compromised, and identifying controls and control gaps in your current processes
  • Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
  • Implementing a fit-for-purpose information security program to manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
  • Building an organisational culture which appreciates the importance of a positive security culture and high levels of security awareness
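
Auditing and logging only help if someone actually reads the logs, and the departing-employee case at the start of this article is exactly the pattern a simple check can surface. As an added example, not code from the original article, the following Python runs a constructed file-access audit log against an asset register: reads and downloads of documents classified as critical are counted per user per day, and a user whose daily volume jumps well above their own earlier baseline, or who keeps touching critical assets after giving notice, is flagged for review. The log format, the document names and classifications, the user names, the notice dates and the thresholds are all assumptions for illustration.

```python
"""Insider-risk triage over a file-access audit log.

Added example (not from the original article). The log lines, the asset
register, the HR notice dates and the thresholds are constructed values.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed asset register: which documents are the crown jewels.
ASSET_CLASSIFICATION = {
    "/research/assay_protocol_v7.docx": "critical",
    "/research/compound_library.xlsx": "critical",
    "/research/trial_results_q1.csv": "critical",
    "/admin/timesheets.xlsx": "internal",
    "/admin/leave_policy.pdf": "internal",
}

# Constructed HR feed: employees who have resigned and the date notice was given.
NOTICE_GIVEN = {"m.chen": date(2024, 3, 10)}

# Constructed audit log, one event per line: date user action path bytes
SAMPLE_LOG = """\
2024-03-04 m.chen READ /research/assay_protocol_v7.docx 204800
2024-03-05 m.chen READ /admin/timesheets.xlsx 40960
2024-03-06 m.chen READ /research/compound_library.xlsx 1048576
2024-03-11 m.chen READ /research/assay_protocol_v7.docx 204800
2024-03-11 m.chen READ /research/compound_library.xlsx 1048576
2024-03-11 m.chen READ /research/trial_results_q1.csv 5242880
2024-03-11 m.chen DOWNLOAD /research/trial_results_q1.csv 5242880
2024-03-04 a.singh READ /research/trial_results_q1.csv 5242880
2024-03-05 a.singh READ /admin/leave_policy.pdf 8192
2024-03-11 a.singh READ /research/trial_results_q1.csv 5242880
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (READ|DOWNLOAD|WRITE) (\S+) (\d+)$")


def parse_log(text):
    """Return (date, user, action, path, size) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, user, action, path, size = m.groups()
        events.append((date.fromisoformat(day), user, action, path, int(size)))
    return events


def critical_access_by_user_day(events):
    """Count events against critical assets per (user, day)."""
    counts = defaultdict(int)
    for day, user, _action, path, _size in events:
        if ASSET_CLASSIFICATION.get(path) == "critical":
            counts[(user, day)] += 1
    return counts


def triage(events, baseline_multiplier=2.0, min_events=3):
    """Return alert dicts for suspicious critical-asset access patterns.

    A day is flagged when it has at least min_events critical accesses and that
    is baseline_multiplier times the user's own average on earlier days (or the
    user has no earlier history), and separately whenever a user who has given
    notice touches a critical asset on or after the notice date.
    """
    per_user_days = defaultdict(dict)
    for (user, day), n in critical_access_by_user_day(events).items():
        per_user_days[user][day] = n

    alerts = []
    for user, days in per_user_days.items():
        notice = NOTICE_GIVEN.get(user)
        for day in sorted(days):
            n = days[day]
            earlier = [v for d, v in days.items() if d < day]
            baseline = sum(earlier) / len(earlier) if earlier else 0.0
            reasons = []
            if n >= min_events and (baseline == 0 or n >= baseline_multiplier * baseline):
                reasons.append(f"{n} critical accesses vs baseline {baseline:.1f}")
            if notice and day >= notice:
                reasons.append(f"critical access after notice given on {notice}")
            if reasons:
                alerts.append({"user": user, "day": day.isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(f"{alert['day']} {alert['user']}: " + "; ".join(alert["reasons"]))
```

The two signals deliberately come from different sources: the volume spike needs only the file server's own logs, while the notice check needs an HR feed, and it is the join between the two that catches the researcher who quietly collects everything in the week after resigning.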

What can Small Medium Businesses do to mitigate these risks?

ISO/IEC 27001:2022 (requirements for an Information Security Management System) and ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection: information security controls) provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.

As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.

This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change. In time, you will have an ISO 27001-ready ISMS and can seek ISO/IEC certification should you choose to, or if it becomes a condition of investment.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.