The 3 SMB Risk Management frameworks you need to protect your business

Key Takeaways:

  1. Small-medium businesses (SMBs) in innovative sectors face unique risk management challenges—IP theft, insider threats, and foreign interference aren’t just “big company problems.”
  2. Implementing three SMB risk management frameworks—SMB1001 (Gold/Platinum), AS 8001:2021, and ASIO’s Secure Innovation guidance—gives you a best-practice program without reinventing the wheel.
  3. For SMBs, this approach isn’t just smart risk management—it boosts investment appeal, protects your supply chain, and helps you scale with confidence.

If you’re a founder or executive at a knowledge-intensive SMB—think biotech, medtech, software, deeptech or advanced manufacturing—then I’ve got news for you: your biggest threat might not be a cyber breach. It might be someone inside your business walking out with your IP and handing it to a foreign competitor.

Yeah. Grim.

The worst part? Most SMBs don’t even realise they’re a target—until it’s too late.

In my last post, I argued for collapsing insider threat, fraud, and integrity risk programs into one integrated workforce risk model. Today, I’ll show you how to go even further—by adding cybersecurity and innovation security to the mix using three standards already built for SMBs.

Spoiler alert: you don’t need a bespoke program or a 100-page strategy deck. Just plug and play with SMB1001, AS 8001, and ASIO’s Secure Innovation guidance.


Why You Need a Whole-of-Business Risk Lens

Innovative SMBs are juicy targets.

You’ve got valuable research data, intellectual property, and commercialisation plans. You’re agile, fast-growing, and often working with overseas partners. That’s a goldmine for corporate spies, fraudsters, and even state-backed actors.

Don’t believe me? Ask the Australian startups quietly briefed by ASIO on foreign interference. Or look at the biotech company that lost its trade secrets in what started as a “friendly” joint venture.

Here’s the “triple threat” that innovation-driven SMBs face:

  • Cyber Security breaches that expose your R&D and IP.
  • Insider Threats from employees, researchers, or suppliers with too much access.
  • Fraud and Integrity failures that destroy trust, attract regulators, and scare off investors.

Three Standards. One Smart Strategy.

You can cover all these risks by combining three existing frameworks. Here’s how they work together:

1. SMB1001 (Gold or Platinum) – Your Cyber Backbone

Designed specifically for SMBs, SMB1001 provides cyber maturity models from Bronze to Diamond. For high-growth and innovation-focused businesses, Gold and Platinum are the sweet spot.

Gold gives you:

  • Cybersecurity policies for staff and contractors
  • Acceptable use rules (no, your intern shouldn’t be crypto mining on the R&D server)
  • Background checks, access reviews, incident response plans, cyber awareness training

Platinum adds:

  • External audits
  • Continuous monitoring and automated alerts
  • Integration with HR and procurement
  • Real-world testing like penetration and social engineering simulations

These controls are critical—but they don’t explicitly cover fraud, integrity, or culture.

An image of SMB1001:2025 cover.
SMB1001 produced by Dynamic Standards International

Which brings us to…

2. AS 8001:2021 – The Fraud, Corruption & Insider Threat Muscle

This standard fills the governance and integrity gap.

It requires:

  • A fraud and corruption control policy, code of conduct, and clear accountability
  • Whistleblower protections and reporting channels
  • Regular controls testing and board-level reporting
  • A leadership culture that promotes ethical behaviour

But protecting IP, innovation, and research requires one more layer…

3. ASIO’s Secure Innovation Guidance – Your National Security Overlay

This free advisory framework from ASIO (yes, the spy agency) focuses on protecting Australian innovation.

It recommends:

  • Security risk assessments tailored to IP, R&D, and commercialisation
  • Vetting foreign collaborators, investors, and suppliers
  • Government engagement for threat intelligence and support
  • Building a “secure innovation” culture, driven by leadership

Most businesses never think to ask: Could this partnership be a risk? But in today’s landscape, that’s not paranoia—it’s smart due diligence.


What This Means for You

To fully protect your people, assets, and innovation pipeline, you need all three:

  • SMB1001 covers your cyber baseline
  • AS 8001 strengthens your workforce and governance controls
  • ASIO’s Secure Innovation addresses foreign interference, IP protection, and national security threats

Table: Comparison of Coverage by SMB Risk Management Framework

Risk Area / Obligation | SMB1001 (Gold/Platinum) | AS 8001:2021 | ASIO Secure Innovation
Cybersecurity policies & access controls | ✅ Fully covered | ❌ Not covered | ✅ Covered
Fraud, corruption, and integrity policies | ⚠️ Partial (cyber only) | ✅ Fully covered | ✅ Covered in context
Supplier / third-party risk | ✅ Covered | ✅ Covered | ✅ Covered
Insider threat / workforce risk monitoring | ⚠️ Basic logging only | ✅ Covered | ✅ Covered + vetting
Whistleblower / confidential reporting | ❌ Not required | ✅ Required | ✅ Strongly encouraged
Board / leadership risk reporting | ❌ Not specified | ✅ Required | ✅ Expected
Controls assurance / testing | ⚠️ Basic requirements | ✅ Required | ✅ Strongly encouraged
Innovation / IP risk assessment | ❌ Not covered | ❌ Not covered | ✅ Core focus
Foreign collaboration / Counter Foreign Interference | ❌ Not included | ❌ Not included | ✅ Core focus
Security culture / tone from the top | ⚠️ Cyber awareness only | ✅ Required | ✅ Essential
Engagement with government for threat intel | ❌ Not included | ❌ Not included | ✅ Strongly recommended
Mapping of the three standards against my core integrated workforce program requirements

✅ = Fully covered ⚠️ = Partially covered ❌ = Not covered

Think of it this way:

  • SMB1001 is your body armour
  • AS 8001 is your immune system
  • ASIO Secure Innovation is your early warning radar

How to Build It Without Melting Down

You don’t need a 10-person security team. Start small. Be practical.

Here are 9 steps to get you started:

  1. Map your current controls to each framework. Gaps will show themselves quickly.
  2. Update your policies: Include anti-fraud, IP protection, acceptable use, and supplier conduct.
  3. Close quick wins: Add a code of conduct, whistleblower channel, and leadership reporting.
  4. Create a cross-functional risk committee: HR, IT, Finance, Legal, Commercial—all in one room.
  5. Run an integrated risk assessment: Cover cyber, insider threat, fraud, integrity, innovation/IP, and foreign partnerships.
  6. Train your people: Cyber training is great—but also teach secure innovation and fraud red flags.
  7. Engage with government early: ASIO Outreach and ACSC are there to help, not to audit.
  8. Review and test regularly: Dashboards and audit trails go a long way with investors and boards.
  9. Vetting is non-negotiable: Screen staff, partners, and suppliers—especially around your R&D and IP.

But Where’s the Value? What You Get in Return

  • Investor confidence: Series B investors and enterprise customers want to know your IP is protected.
  • Culture clarity: One integrated program = clear expectations, fewer grey zones.
  • Operational edge: You de-risk your go-to-market, protect innovation, and improve scalability.

Oh—and you avoid being front-page news.


Final Word

You’re building the future. Don’t let it get stolen, leaked, or sabotaged by someone you missed on a risk register.

You don’t need to reinvent the wheel. You need structure, culture, and clarity.

When you combine SMB1001, AS 8001, and ASIO’s Secure Innovation guidance, you’re building more than a compliance program. You’re building resilience. You’re protecting growth.

And you’re doing it with a framework that scales as you do.

So don’t wait for the “oh crap” moment. Start building your secure workforce risk program now.

Your investors, your board, and your future self will thank you.


Further Reading:

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

We often overlook criminology when combating insider threats, fraud and sabotage

Key Takeaways:

  1. You can’t fix insider fraud or sabotage with firewalls alone—these are people problems, not just process problems, so you need to consider perpetrator motive in your control design.
  2. Behavioural science and criminological theory offer practical ways to design smarter, cheaper, and more effective controls.
  3. Mapping threat types to motivations is the secret sauce to stopping expensive mistakes—before they hit your bottom line.

Why this matters to your business

If you think trade secrets theft, sabotage, or internal fraud is something that happens to “other companies,” let me burst that bubble. These threats are not random—they’re often deeply personal. And they’re expensive. The Association of Certified Fraud Examiners (ACFE) estimates that internal fraud alone costs businesses 5% of annual revenue. For a $100M business, that’s a $5M hole—every year.

And that’s just the financial side. The reputational cost? The loss of trust with investors or research partners? The delay to your product launch because someone leaked your IP to a competitor? That stuff doesn’t show up on a balance sheet… until it does.

So how do we stop it?


Let’s talk motive (yes, like in crime dramas)

We often forget security and fraud actors have different motivations. Some actors are in it for profit. Others want revenge, power, or validation. If you treat all threats the same—say, by rolling out the same boring training module to every department—you’re wasting money and creating a false sense of security.

This first table helps you step back and align your controls to the actual psychology of your adversary.

Table 1: Motivation-Based Threat Profiling

Threat Type | Key Motivations | Relevant Theory | Considerations for Control Design
Organised Crime | Profit, group objectives | Routine Activity Theory | Target hardening, threat intel, supply chain vetting
Insider Threats | Revenge, stress, entitlement | Control Theory | Strengthen social bonds, build fair culture, early intervention
Nation-State Actors | Money, Ideology, Coercion, Ego (MICE) | MICE Theory | Access controls, vetting, protective security
man sitting on snowy park bench in winter
Photo by Amirhossein Bolourian on Pexels.com

How to use this:
When assessing security risks, we often fail to ask “What is the likely motive?” If your AI is being stolen by an employee, that’s an insider threat, not a problem with cyber criminals. The control response (culture, access rights, change monitoring) needs to reflect that nuance.


Behavioural theory helps at every risk stage

Here’s the bit I wish someone had told me 10 years ago: criminological theories don’t just help you after something goes wrong—they help you design better systems from the start. I use these theories to identify risks, design risk treatments, and frame executive dialogue.

Table 2: How Behavioural Theory Supercharges Risk Management

Risk Stage | How Theories Help
Risk Identification | Reveal root causes and hidden risk signals
Control Design | Tailor controls to motivations (not just compliance)
Risk Assessment | Improve likelihood and impact estimates
Monitoring & Review | Spot early warning signs and behavioural red flags
Training & Awareness | Shift from checkbox compliance to ethical behaviour reinforcement

How to use this:
When you’re building your next fraud control or insider risk program, don’t start with a control library—start with questions. What kinds of pressures might lead someone to rationalise stealing research data? Where are the opportunities? Who might feel disengaged or unfairly treated? These insights help you focus resources where they’ll have the most impact—without overengineering.


Choosing the right theory for the job

Criminological theory might sound academic, but it’s just a lens—a way to make better sense of why risks materialise. I often get asked, “Which theory should I use?” The answer is: it depends, which is helpful-unhelpful. Here’s a guide I use in consulting to help organisations focus their resources.

Table 3: Best-Fit Theories for Common Security Risks

Risk Area | Relevant Theories | Why It Matters
Espionage | MICE (Money, Ideology, Compromise or Coercion, Ego), Routine Activity, Swiss Cheese | Explains varied motives, layered failures, and access points
Trade Secrets / IP Theft | Routine Activity, Crime Opportunity, MICE | Focuses on access, motivation, and weak controls
Internal Fraud / Corruption | Fraud Triangle, Routine Activity, Control Theory | Addresses personal pressure, weak oversight, and cultural cues
Sabotage | Opportunity Theory, Strain Theory | Tied to frustration, injustice, and lack of guardianship
Workplace Violence | Strain, Social Learning, Routine Activity | Driven by grievance, modeled behaviour, and opportunity
Supply Chain Diversion | Crime Pattern Theory, Opportunity Theory | Helps pinpoint vulnerable choke points and recurring loss patterns

How to use this:
Say your business is about to enter a new research partnership with a university or foreign lab. You’re worried about losing your IP or trade secrets. Start by applying MICE Theory to understand potential risks on the other side: Are their staff well-paid? Are there ideological risks? How vulnerable is your business partner or their employees to coercion or bribery? Then combine that with Crime Opportunity Theory to assess access and controls.

You don’t need to become a criminologist—but bringing these concepts into boardroom discussions will make your risk strategies more intelligent and effective.


What you should do next

  1. Reassess your threat profiles – If your risk registers don’t account for behavioural motivations, rewrite them.
  2. Train your teams on motive-driven threats – Stop relying on bland compliance modules. Teach managers how to spot early red flags.
  3. Map controls to theories, not hunches – Don’t throw money at controls that don’t match the motive. Use behavioural theory to guide investment.
  4. Get smarter about culture – Your culture is your first control. Build fairness, transparency, and connection before a bad day turns into a $10M incident.

One final (uncomfortable) truth

You can’t patch human vulnerability like you patch software. Your best firewall is a culture that understands why people do the wrong thing—and a strategy that uses that insight to get ahead of the next crisis.

So, if you’re ready to move beyond checkbox security and build a behavioural-led risk strategy, let’s talk. I’ve got frameworks, models, and a whole lot of lessons learned the hard way.

Further Reading:

Protecting Your R&D When Outsourcing Rapid Prototyping

3 Key Takeaways:

  • Outsourcing rapid prototyping is essential for speed and cost efficiency but poses serious trade secret and IP risks.
  • Real-world cases show that failing to protect your R&D can lead to trade secret theft, fraud, and competitive loss.
  • A proactive strategy—including legal safeguards, secure operations, and ongoing monitoring—can mitigate risks.

Rapid Prototyping offers many benefits, but be sure to manage your risk

Outsourcing rapid prototyping is a game-changer for R&D-driven businesses. It accelerates innovation, slashes development costs, and opens doors to specialist skills and cutting-edge tech that would be costly to build in-house. With the global rapid prototyping market projected to soar from $3.33 billion in 2024 to over $21 billion by 2034, it’s clear that more businesses are embracing this approach to stay ahead of the curve. Fixing design flaws early during prototyping can be up to 100 times cheaper than post-release corrections—a compelling reason why prototyping is no longer a luxury, but a business imperative.

Types of Rapid Prototyping Techniques

Common prototyping methods include:

  • Stereolithography (SLA): High-detail resin printing.
  • Fused Deposition Modeling (FDM): Budget-friendly plastic extrusion.
  • Selective Laser Sintering (SLS): Durable powder-based prints.
  • Direct Metal Laser Sintering (DMLS): Precision metal parts.
  • CNC Machining: Subtractive manufacturing for high-strength components.

Each technique has its own supply chain risks, making security considerations essential from the outset.

But here’s the catch—outsourcing means sharing your most valuable assets: trade secrets, proprietary designs, and sensitive R&D data. Whether you’re working with a niche 3D printing firm or a global manufacturing partner, the risk of IP theft, insider threats, or accidental disclosure is real. In fast-moving industries like automotive, biotech, and consumer tech—where time-to-market is everything—balancing speed with security is critical. This article explores how founders can unlock the full potential of prototyping and outsourcing, while putting practical guardrails in place to protect their intellectual property and business viability.

The Need for Outsourcing Rapid Prototyping

Startups and SMEs often lack the in-house capabilities for advanced prototyping. Outsourcing helps by:

  • Cutting costs—no need for expensive machinery or full-time specialists.
  • Providing access to world-class expertise in emerging technologies.
  • Accelerating product development and market entry.

But with these benefits come significant risks. Handing over your prototype means exposing critical trade secrets to external partners—some of whom may not be as trustworthy as they claim.

Example of additive manufacturing used in rapid prototyping
Photo by FOX ^.ᆽ.^= ∫ on Pexels.com

Case Study: IP Theft in Outsourcing

A U.S. medical device startup learned this lesson the hard way. They outsourced prototyping to a foreign manufacturer, only to discover a near-identical product in the market months later. The culprit? Their own supplier, who exploited weak contractual protections to replicate and commercialise the design. The result: financial loss, legal battles, and an irreparably damaged competitive advantage.

Lesson learned? If you don’t protect your trade secrets, someone else will profit from them.

Understanding IP Protection for Prototypes

Trade Secrets vs. Patents

Patents are great—until they aren’t. They require public disclosure and take years to secure. Trade secrets, on the other hand, remain confidential as long as they are actively protected. Most prototypes fall under trade secrets because early-stage innovation needs secrecy, not immediate disclosure.

Copyright automatically applies to design files and software components. However, international enforcement can be tricky, making additional legal steps essential when working with overseas partners.

Risks Associated with Outsourcing R&D and Rapid Prototyping

The top risks include:

  • Trade secret theft—unauthorised copying or sharing of designs.
  • Copyright infringement—misuse of software and design blueprints.
  • Ownership disputes—who really owns the prototype files and production molds?
  • Loss of core expertise—outsourcing critical R&D can weaken in-house innovation.
  • Reputational damage—a security breach can erode investor and customer trust.

International Considerations for Australian Businesses

Australia’s trade secret and IP laws are predominantly enforced via civil means, but overseas is another story, especially if you’re outsourcing to less developed countries. Many jurisdictions have weaker protections, making stolen IP difficult to recover or your IP rights difficult to enforce.

Don’t forget – you actually need to have funds available for any legal dispute. If you can’t afford it, then don’t rely on legal battles and contractual enforcement: A good security program is your friend!

Specific Risks for Australian Businesses

Countries with high rates of IP theft pose unique challenges. Contracts mean little if enforcement is lax. This is why due diligence on foreign partners is just as important as the contract itself.

Photo by Jakub Zerdzicki on Pexels.com

Steps to Protect Your R&D When Outsourcing

Before Outsourcing

  • Identify and classify critical trade secrets.
  • Research suppliers’ security track records.
  • Assess the legal landscape in the outsourcing country.
  • Perform a security risk assessment to ensure you understand the risks (including supply chain risks and country-specific laws), and what you need to do to manage them.
  • Develop your Research and Technology Protection Program to ensure you understand the risks and know what controls you need to implement in your contractual measures and operational safeguards.

Contractual Measures

  • Use watertight non-disclosure agreements (NDAs).
  • Clearly define IP ownership and usage rights in contracts.
  • Specify dispute resolution mechanisms.
  • Include post-collaboration IP return/destruction clauses.

Operational Safeguards

  • Limit access to sensitive data—adopt a need-to-know approach.
  • Use secure data transfer methods (encrypted channels, VPNs).
  • Implement strict version control on prototype files.

Monitoring and Control

  • Conduct regular audits of outsourcing partners.
  • Conduct on-site visits to assess security practices.
  • Track prototypes through serial numbering and logging systems.
  • Obtain signed attestations or legally-binding declarations to confirm that all products, materials and designs / data / information have been destroyed or returned on completion of the work.
  • Maintain detailed documentation of all proprietary designs.
  • Register copyrights where applicable.
  • Seek legal counsel in the outsourcing country for enforcement advice.

Conclusion

Innovation thrives on collaboration, but unprotected outsourcing can be a goldmine for IP theft. Trade secrets, fraud, and supply chain risks aren’t hypothetical—they’re real threats with billion-dollar consequences. Protecting your R&D requires a mix of legal safeguards, operational discipline, and continuous oversight.

Want to secure your innovation while staying ahead of the competition? Start by reviewing your outsourcing agreements today—before someone else commercialises your ideas.


Further Reading

The Great Tea Heist and the History of Trade Secrets Theft in Business

Key Takeaways:

  1. Industrial espionage isn’t new—Britain’s theft of China’s tea industry in the 19th century reshaped global trade and created a multibillion-dollar industry.
  2. Trade secrets are still a battleground, with modern businesses losing billions to intellectual property (IP) theft, insider threats, and supply chain vulnerabilities.
  3. Today’s equivalent of the tea heist? Technology, critical minerals, and research data are the new targets—protecting them is crucial for business survival.

A Cup of Stolen Tea? How Britain Pulled Off the Ultimate Business Heist

Let me tell you a story. Imagine a business so dominant that it controls an entire industry. Now imagine a competitor that, rather than playing fair, decides to steal that dominance outright. That’s exactly what happened in the 19th century when Britain, desperate to break China’s monopoly on tea, pulled off one of the greatest acts of industrial espionage in history.

At the time, tea wasn’t just a luxury—it was a financial nightmare for Britain. The British Empire’s addiction to Chinese tea was draining silver reserves at an unsustainable rate. Their solution? Instead of buying, they decided to steal the industry for themselves.

Enter Robert Fortune, a Scottish botanist turned corporate spy. The British East India Company sent him on a covert mission into China’s restricted tea-growing regions. Disguised as a Chinese merchant, he infiltrated plantations, smuggled out 20,000 tea plants and seeds, and stole the trade secrets of tea cultivation and processing. He even recruited Chinese tea workers to train Indian growers. The result? Britain broke China’s monopoly, devastated its economy, and transformed India into a tea-producing powerhouse.

Sound familiar? Fast-forward to today, and the tactics haven’t changed—just the targets.

The Modern Tea Heist: Stealing Trade Secrets in the Digital Age

Businesses today face the same problem China did back then. Your company’s most valuable assets—technology, research, IP, and supply chain secrets—are prime targets for theft. And the numbers are staggering.

  • The FBI estimates that trade secret theft costs the U.S. economy up to $600 billion annually.
  • A 2023 report found that 1 in 5 companies experienced insider-led IP theft.
  • Supply chain attacks surged by 742% over the past three years, often targeting critical technologies.

The playbook hasn’t changed. Instead of a botanist sneaking into tea fields, today’s Fortune equivalents are cybercriminals, corporate spies, and even nation-states hacking into your servers or bribing insiders for access to trade secrets.

The British East India Company stole one of China's most valuable assets, tea, and the trade secrets of how to make and grow it.
Photo by koko rahmadie on Pexels.com

Business Lessons from the Great Tea Heist

What can today’s business leaders learn from China’s 19th-century failure to protect its most valuable industry? Plenty. Here are three crucial takeaways:

1. Your Trade Secrets Are Only Safe If You Treat Them Like They Matter

China assumed its tea knowledge was secure because no outsider had ever learned it. Sound familiar? Many companies think their proprietary research or technology is untouchable—until it’s not.

What to do: Conduct regular Intellectual Property audits. Identify what’s critical and who has access. Lock it down with proper IP protection measures, access controls, and NDAs.

2. Insiders Are Often the Biggest Threat

Robert Fortune didn’t just steal tea plants—he recruited Chinese tea workers to teach the trade. The lesson? Most major IP thefts involve an insider, whether malicious or careless.

What to do: Implement strong insider threat programs. Use behavioral monitoring and train employees on the risks of inadvertent leaks. Background checks and controlled access to critical information are non-negotiable.

3. Your Supply Chain Is Rich Pickings for Attackers

Just like Britain moved tea production to India, today’s business adversaries target weak links in your supply chain. Cyberattacks, supplier breaches, and third-party fraud are all major risks.

What to do: Vet your suppliers as if your business depends on it—because it does. Require cybersecurity and IP protection standards across your supply chain. Don’t assume your partners are as secure as you are.

The New Battle for Trade Secrets: What’s Next?

In 2025, the stakes are even higher than tea. Instead of just breaking a monopoly, modern industrial espionage fuels global power struggles over artificial intelligence, critical minerals, pharmaceuticals, and next-gen military technology.

The lesson from the Great Tea Heist? If you don’t secure your trade secrets, someone else will.


Call to Action: How to Protect Your Business Today

You wouldn’t leave your company’s bank account details lying around, so why treat trade secrets any differently? Here’s what you should do today:

  • Identify your most valuable trade secrets and IP.
  • Implement strict access controls and insider threat monitoring.
  • Vet your supply chain partners and enforce security requirements.
  • Monitor for suspicious activity—whether online, internally, or through competitors.
  • Educate your team on the importance of protecting confidential information.

In the 19th century, China learned the hard way that trade secrets don’t protect themselves. Don’t let history repeat itself on your watch.


Final Thought

Britain’s tea heist wasn’t just about plants—it was about power. Today, the businesses that protect their IP, research, and supply chains will be the ones that thrive. The question isn’t whether someone will try to steal your most valuable assets. The question is: Are you ready for them?

Let’s talk—what are you doing to protect your business from the modern-day tea thieves?

Further Reading

Curwell, P. (2022). How can insider threats manifest in the supply chain.

Curwell, P. (2022). Australia’s critical technology and supply chain principles, Part 1.

Curwell, P. (2022). What is an IP audit anyway?

Startup Sabotage: A Trade Secret Theft Case Study & How to Protect Your Company

Key Takeaways

  • Trade Secret Theft is a Real Threat: One case shows how a former employee’s actions can put sensitive company information at risk.
  • “Need to Know” is Paramount: Access to confidential information like Trade Secrets should be strictly controlled based on role necessity.
  • Access Controls are Essential: Implementing technical controls can prevent unauthorised access to your Trade Secrets.
  • Prevention is Cheaper Than Cure: Investing in cybersecurity and information security measures upfront can save companies from costly legal battles and financial loss.

The Case: A Cautionary Tale

Imagine your company’s most valuable secrets walking out the door—your proprietary technology, customer lists, financial projections—all in the hands of someone who no longer works for you. That’s what allegedly happened in one recent case, a cautionary tale of trade secret theft.

The plaintiff was a promising biotech startup focused on automating biotech R&D. Like many startups, they needed funding, so they allegedly hired a CFO who claimed to have connections with a Stanford professor who could help secure investment. As part of the onboarding process, the CFO signed a confidentiality agreement. Standard practice, right?

Fast forward: The CFO allegedly didn’t deliver, and the company let him go. That’s when things took a turn.

Immediately after his termination, the former CFO allegedly accessed sensitive company data. Using desktop programs, the Complaint (see below) alleges he copied proprietary documents and trade secrets to his personal cloud storage. He then allegedly started a competing company and pitched investors using Trilobio’s stolen IP.

The plaintiff sued, and the court granted a Temporary Restraining Order (TRO), agreeing that there was a strong likelihood that the theft occurred. The case is ongoing, but the damage is done. So what can we learn from this?

The “Need to Know” Principle: Why It Matters

Let’s be real—many startups operate on trust. But trust doesn’t prevent insider threats. The “need to know” principle dictates that employees should only have access to the data required for their specific job functions.

Here’s why it’s essential:

  • Reduces insider threats: If employees don’t have access to sensitive data they don’t need, they can’t steal it.
  • Minimises external attack risk: Fewer access points make it harder for hackers to infiltrate your systems.
  • Enhances compliance: Many regulations require strict data access controls.

In the plaintiff’s case, did the CFO need access to detailed engineering schematics? Unlikely. Had the company applied “need to know” principles, could the damage have been prevented?

Access Control: Putting “Need to Know” into Practice

To apply this principle, businesses must implement access controls. Here’s what that looks like:

1. Role-Based Access Control (RBAC)

Assign permissions based on job roles (e.g., Engineers don’t need access to financial data, and CFOs don’t need access to proprietary hardware designs). This is the best approach for SMBs.

2. Access Control Lists (ACL)

Specify which users or groups can access specific files or databases. Useful for more granular control but can become complex.

3. Information Protection Program

Classify data as Confidential, Internal, or Public (or similar) and apply technical controls accordingly – see below. You might also want to read my previous article on how confidential information is compromised.

4. Technical Controls to Implement

  • Multi-Factor Authentication (MFA): Essential for protecting sensitive accounts.
  • Least Privilege Principle: Give employees the bare minimum access needed.
  • Regular Access Reviews: Audit permissions periodically and remove unnecessary access.
  • Data Loss Prevention (DLP) Tools: Prevent unauthorised data transfers.
  • Endpoint Detection and Response (EDR) Software: Monitor and prevent data exfiltration.
  • Data Encryption: Ensures that even if stolen, the data remains unreadable.

Had the plaintiff restricted access and implemented controls like these, it would have been much harder for the CFO to (allegedly) exfiltrate sensitive files so easily. Perhaps the reputational damage and legal fees could have been avoided, or at least minimised, and the founders could have got on with core business.
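The following Python is an added example, not code from the article: it puts the “need to know” model above into practice with hypothetical roles, data classifications, a constructed set of standing grants and a constructed access log. It shows a role-based access decision that also refuses access once a termination date has passed, a periodic access review over standing permissions, and a replay of access events that flags the two failures in the case described (a finance role reading engineering schematics, and an account still active after termination).

```python
"""Need-to-know access control with an access review and log replay.

Added example with hypothetical roles, resources, users and log lines;
none of the names or data are taken from the case discussed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Information protection levels, lowest to highest.
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}


@dataclass(frozen=True)
class Resource:
    path: str
    domain: str           # business area the data belongs to
    classification: str   # Public / Internal / Confidential


@dataclass(frozen=True)
class User:
    username: str
    role: str
    terminated: Optional[date] = None   # date from which all access must be gone


# Hypothetical role model (RBAC): each role lists the domains it needs and the
# highest classification it needs within that domain. Anything unlisted is denied.
ROLE_NEEDS = {
    "cfo":      {"finance": "Confidential", "customers": "Internal"},
    "engineer": {"engineering": "Confidential"},
    "sales":    {"customers": "Confidential", "finance": "Internal"},
}


def role_allows(role: str, resource: Resource) -> bool:
    """Need-to-know check: the role must need this domain at this level."""
    ceiling = ROLE_NEEDS.get(role, {}).get(resource.domain)
    if ceiling is None:
        return False
    return CLASSIFICATION_RANK[resource.classification] <= CLASSIFICATION_RANK[ceiling]


def access_decision(user: User, resource: Resource, when: datetime) -> str:
    """Return 'allow' or the reason the access should have been denied."""
    # Offboarding check first: a terminated account must not work at all.
    if user.terminated is not None and when.date() >= user.terminated:
        return "deny: account not disabled after termination"
    if not role_allows(user.role, resource):
        return "deny: outside role need-to-know"
    return "allow"


def review_grants(users: Dict[str, User], resources: Dict[str, Resource],
                  grants: List[Tuple[str, str]], today: date) -> List[Tuple[str, str, str]]:
    """Periodic access review over standing (username, path) permissions."""
    findings = []
    for username, path in grants:
        user, resource = users[username], resources[path]
        if user.terminated is not None and today >= user.terminated:
            findings.append((username, path, "revoke: user terminated"))
        elif not role_allows(user.role, resource):
            findings.append((username, path, "revoke: exceeds role need-to-know"))
    return findings


def audit_access_log(users: Dict[str, User], resources: Dict[str, Resource],
                     log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Replay 'timestamp user path action' events; return policy violations."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, username, path, action = line.split()
        decision = access_decision(users[username], resources[path],
                                   datetime.fromisoformat(ts))
        if decision != "allow":
            violations.append((ts, username, path, action, decision))
    return violations


# Constructed sample data: a CFO whose access was never removed at termination.
USERS = {
    "jdoe": User("jdoe", "cfo", terminated=date(2024, 3, 3)),
    "kroe": User("kroe", "engineer"),
}
RESOURCES = {
    "finance/projections-fy25.xlsx":
        Resource("finance/projections-fy25.xlsx", "finance", "Confidential"),
    "engineering/liquid-handler-schematics.pdf":
        Resource("engineering/liquid-handler-schematics.pdf", "engineering", "Confidential"),
    "customers/customer-list.csv":
        Resource("customers/customer-list.csv", "customers", "Confidential"),
}
GRANTS = [
    ("jdoe", "finance/projections-fy25.xlsx"),
    ("jdoe", "engineering/liquid-handler-schematics.pdf"),   # exceeds CFO need
    ("kroe", "engineering/liquid-handler-schematics.pdf"),
]
SAMPLE_LOG = """\
2024-03-01T10:02:11 jdoe finance/projections-fy25.xlsx read
2024-03-01T10:40:53 jdoe engineering/liquid-handler-schematics.pdf read
2024-03-03T08:15:09 jdoe customers/customer-list.csv download
2024-03-02T14:20:00 kroe engineering/liquid-handler-schematics.pdf read
"""

if __name__ == "__main__":
    for finding in review_grants(USERS, RESOURCES, GRANTS, date(2024, 2, 28)):
        print("review:", *finding)
    for violation in audit_access_log(USERS, RESOURCES, SAMPLE_LOG):
        print("log:", *violation)
```

Run before the termination date, the review flags only the over-broad engineering grant; run after it, every grant held by the terminated user is flagged for revocation.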

Practical Steps for Founders & Business Owners (Your Call to Action)

Here’s what you need to do today to avoid becoming the next victim:

  • Conduct a Data Audit: Identify and classify your most sensitive data.
  • Implement Role-Based Access Control: Define and enforce job-based permissions.
  • Require MFA and Strong Passwords: No exceptions.
  • Educate Employees: Train staff on cybersecurity risks, phishing, and data security.
  • Encrypt and Back Up Your Data: A must-have in case of breaches.
  • Develop an Incident Response Plan: Know how to respond if a breach occurs.
  • Review and Update Security Policies Regularly: Security isn’t a one-time fix.
  • Consider Cyber Insurance: Mitigate potential financial losses.

Startups and SMBs are prime targets for trade secret theft. If you think it can’t happen to you, think again. Implementing access controls and information security measures is not optional—it’s essential for survival and growth.

If you’re in knowledge-intensive industries like DeepTech, Life Sciences, MedTech, Biotech or Digital Health, don’t wait until a former employee walks off with your IP. Take action now and protect what you’ve built.


Protecting Innovation: The Spectre of Trade Secrets Theft in Biotech


Trade Secrets theft happens more than you realise

In the fast-paced world of biotechnology, where innovation fuels growth and shapes the future, protecting intellectual property (IP) is paramount. Trade secrets are proprietary processes, formulas, or methods. These give your business its competitive edge. They are among the most valuable assets a biotech company possesses. Yet, they are also among the most vulnerable.

Reflecting on my career, I’ve seen countless examples of trade secrets theft. These experiences highlight the risks faced by even the most sophisticated organisations. In one case, a competitor poached key researchers from an Australian biotech company. This enabled the rapid commercialisation of nearly patent-ready research.

In another instance, an Australian company partnered with an overseas firm to scale its business. They later discovered that their partner had a history of research fraud and IP theft. Perhaps most alarmingly, a principal researcher secretly established an offshore company. They aimed to commercialise their employer’s innovations. This action violated both employment and grant conditions.

These stories aren’t just cautionary tales; they’re a call to action. The risks to trade secrets in Australia’s life sciences sector are significant, but they are not insurmountable. With the right strategies and a proactive approach, companies can protect their innovations and ensure their long-term success.

The Challenges of Protecting Trade Secrets in Australia

The United States, United Kingdom, and European Union have dedicated trade secrets legislation. However, Australia’s legal framework relies heavily on common law. There are laws to criminalise the theft of trade secrets on behalf of foreign governments or their agents. However, these measures are insufficient in deterring determined actors. The complexity and persistence of threats demand more robust protections.

Historically, Australian biotech companies have relied on legal instruments like employment contracts. They also use IP assignments and confidentiality agreements to manage IP risks. While these are necessary, they’re no longer enough to counter sophisticated adversaries. Recognising this, organisations like the Australian Research Council, National Health and Medical Research Council, and the Australian Security Intelligence Organisation have launched initiatives to address these issues. One such initiative is the ‘Protect Your Research’ campaign, which aims to raise awareness and enhance research security.

Despite these efforts, the biotech sector faces unique vulnerabilities. Cyberattacks, insider threats, and accidental disclosures are just some of the ways trade secrets can be compromised. Ill-considered presentations at conferences can also lead to compromise. The rise of remote work and international collaborations has only amplified these risks, creating new entry points for malicious actors.

The Importance of Trade Secrets

Trade secrets are more than just business assets; they are the lifeblood of innovation. They encompass anything from proprietary methods and formulas to draft patents and confidential data. Once a trade secret is compromised, it’s lost forever. Worse still, stolen trade secrets often end up on the dark web. There, they’re brokered between competitors, criminals, and even nation-states.

For biotech companies, the stakes couldn’t be higher. A single breach can derail years of research, jeopardise funding, and tarnish reputations. Protecting trade secrets isn’t just about risk management; it’s about ensuring the survival and growth of the business.

Five Steps to Safeguard Your IP

To combat the spectre of trade secrets theft, organisations must take a proactive and comprehensive approach. Here are five key steps every biotech company should consider:

1. Identify Your Trade Secrets

The first step in safeguarding trade secrets is knowing what they are. Conduct a thorough review of your organisation to identify data and processes that meet the trade secret definition. These might include draft patents, proprietary research methods, or experimental data. Once identified, ensure these assets are appropriately labeled, tracked, and protected.

2. Assess the Risks

After identifying your trade secrets, evaluate the risks associated with their exposure. This includes both cybersecurity risks—such as vulnerabilities in IT networks—and physical risks, like the mishandling of prototypes or documents. Don’t forget to consider risks posed by third parties, including suppliers, contract manufacturers, and clinical trial service providers. Develop a risk register to catalog these vulnerabilities and prioritise actions to mitigate them.

3. Foster a Strong Security Culture

People are often the weakest link in any security strategy, but they can also be your greatest asset. Building a strong security culture is essential. This starts with leadership setting the tone and includes ongoing education for employees and suppliers. Ensure that everyone understands what trade secrets are, why they matter, and how to protect them. Regular training, clear communication, and an engaged workforce can significantly reduce insider threats.

4. Develop a Research & Technology Protection Plan (RTP-P)

A Research & Technology Protection Plan serves as a blueprint for safeguarding your intellectual “crown jewels.” It should outline roles and responsibilities, as well as specific controls for cyber, data, workforce, facilities, suppliers, and products. If you don’t have an RTP-P, start small by focusing on high-impact actions. Importantly, an RTP-P shouldn’t be a static document; it needs to be actively implemented and regularly updated.

5. Actively Manage Risks

Protecting trade secrets is not a one-time effort. It requires ongoing attention and adaptability. Assign a dedicated individual or team to oversee trade secret protection. This includes responding to incidents, managing evolving risks, and providing practical recommendations to minimise exposure. Regular reviews and updates are essential to ensure that your strategies remain effective as your business grows and changes.

A Call to Action

In 2024, Australia’s biotech sector is at a critical juncture. As the industry continues to grow and attract international attention, the importance of protecting trade secrets cannot be overstated. Implementing effective systems, processes, and cultural practices is essential for safeguarding IP. It’s also about fostering innovation. It plays a crucial role in attracting investment and securing a competitive edge.

Protecting innovation is everyone’s responsibility. Let’s work together to create a biotech ecosystem where great ideas thrive and remain secure.


So, how prepared is your organisation? Take a moment to evaluate your trade secret protection strategies. Share this article with your team. Begin a discussion about the steps you can take to safeguard your most valuable assets. By prioritising trade secret protection today, you’re investing in the future success of your business and the broader biotech industry.


    Never heard of Research Security? Why safeguarding your research today is critically important

    How did we get here?

    Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

    Source: Why safeguard your research? Government of Canada (2021).


    Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

    Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director General Keith Alexander:

    “The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”

    HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION, 9 July 2013.

    Is all research and development the target of theft?

    Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering and Mathematics (STEM) domains, as opposed to social science or humanities research.




    One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

    Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk of IP theft as very low.

    The knowledge creation process is very easily stymied through excessive security, which can inhibit creativity and innovation. But on the other hand, too little security can mean your research walks out the door either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

    What is research security?

    Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

    Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own gain. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

    What is the impact of research theft?

    1. Diminished trust and confidence in your research data and results
    2. Loss of research data
    3. Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
    4. Legal or administrative consequences
    5. Loss of potential future partnerships
    6. Tarnished reputation

    Source: Why safeguard your research? Government of Canada (2021).

    In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

    Source: US Director of National Intelligence, dni.gov

    Canada’s Safeguarding Your Research program

    The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

    • Tools for building Security Awareness in the Academic Community
    • A checklist to help determine whether you are at risk
    • Information on mitigating economic and/or geopolitical risks in sensitive research projects
    • National Security Guidelines for Research Partnerships

    United Kingdom

    In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Centre for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

    • Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
    • Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
    • Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

    United States

    Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

    In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant recipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

    Australia – time for a change of attitude?

    In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commercial perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominantly on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

    Once you have lost your valuable research, you face an expensive and time consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

    Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

    Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foreign interference.


    I’m a research or commercialisation manager – what can I do about it?

    Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

    The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

    This is not easy and requires a good understanding of both security and research / innovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey but remember, the one thing that is clear is the risk of inaction.


    Business espionage – the sale of intellectual property on the dark web

    What is the dark web?

    For those who are new to this concept, the dark web is the third part of the internet which is not indexed by ordinary search engines and requires a specific web browser (a ‘TOR’ browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings which sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.


    There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.




    What is business espionage?

    We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets comprised around 80% of a business’s value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.

    For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).


    The types of IP that are stolen include:

    • Research data
    • Pricing data
    • Confidential information
    • Customer lists
    • Trade Secrets
    • Product development data
    • Engineering schematics
    • Sales figures
    • Proprietary software code
    • Strategies and Marketing plans
    • Chemical formulas
    • Cost analyses
    • ‘Know how’
    • Personnel data

    Examples of IP targeted by business spies – Nasheri (2005)

    If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:

    • Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).

    In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:

    • Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
    • Targeting of business travellers in hotels, bars, etc
    • Cyber criminals and hackers breach secured networks
    • Opportunistic individuals who find valuable information on an unsecured corporate network
    • Plus other similar examples

    So, to recap, we have the scenario where commercially valuable information (IP) has been stolen – sometimes employees steal IP from an employer as they see it as ‘theirs’ and feel they are the legitimate creator or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party – but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.


    Is there a criminal value chain behind the illicit market for stolen IP?

    It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?

    “It does little good to steal intellectual property if you do not have the expertise to use it”

    James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)

    I have so many unanswered questions here, but the presenter I referred to earlier mentioned the prices some buyers pay for stolen IP on these illicit marketplaces is in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:

    © Paul Curwell, 2022

    In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just as with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or who other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount or take the risk to buy IP which hasn’t been verified either as authentic (i.e. stolen from the company alleged to have produced it) or not fictional (i.e. garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).

    In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer independent validation and verification services – for a fee. However, this would also require access to a pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.


    What is an ‘IP Audit’ anyway?

    Intangible Assets – easily overlooked

    I still remember performing my first ever Intellectual Property (IP) audit on my consulting journey. I had just graduated from business school which had opened my eyes to the world of commercialisation and IP assets, and how they could be exploited or misplaced. My client was a large player in global airport infrastructure services, and as part of their work the Executive Officer to the CEO thought it was important to identify and map their IP asset holdings. As I worked my way through the organisation, interviewing staff and cataloguing their IP, I still remember stumbling across the engineering laboratory hidden in one corner of a floor, out of sight.

    As I spoke to the team members there, I discovered not only did they maintain specialised electronic components for equipment used in the delivery of their services, but in their spare time and with discretionary budget the team of engineers worked to invent their own solutions to airport infrastructure problems. This activity flew completely under the radar of the organisation’s executive, meaning not only did their work potentially miss out on dedicated funding which might generate a revenue stream or licensing opportunity for the organisation, but the IP was not properly protected – including from theft should those employees decide to resign and move to a competitor or start their own business.

    This type of situation is encountered time and time again in Australian businesses. Our level of awareness and maturity in relation to IP is relatively low in most sectors, and my experience has been that in sectors which are aware of the fundamental concepts, IP assets are either managed very selectively or in many cases not at all. As an advanced economy with a strong STEM-based population and research capability, we need to get better at protecting our IP if we are to compete and thrive as a nation in a knowledge-driven world. Completing an IP Audit is one of the first steps to doing this.


    What are intellectual assets?

    Intellectual Assets are intangibles that have value to an enterprise, including but not limited to “information, intellectual property, credibility and reputation, and brand identity”. Whilst the term ‘intellectual property’ is often used loosely to refer to any sensitive information, six types of IP are recognised by the World Intellectual Property Organization (WIPO):

    • Patents
    • Trade Marks
    • Copyright
    • Industrial designs
    • Geographical Indicators (e.g. ‘champagne’)
    • Trade Secrets

    In Australia, we have another category of IP called ‘Plant Breeders Rights’, and Geographical Indicators are registered under our ‘Certification Trade Mark system’. Unlike other jurisdictions such as the U.S., Australian law does not explicitly recognise ‘trade secrets’ as a category of IP – instead, ‘trade secrets’ are considered a category of ‘Confidential Information’ (Dighe & Lewis, 2020, Twobirds.com). More on this in a future post.

    According to IP Australia, “a trade secret can be any confidential information of value. Unlike other IP rights, trade secrets are protected by keeping them a secret, and are not registered with IP offices. The protection of a trade secret will cease if the information is made public, and trade secrets do not prevent other people from independently inventing and commercialising the same product or process”.

    What is an IP audit?

    According to the Queensland Government, “an IP audit is a review of the IP owned, used or acquired by an organisation. It aims to find out what IP is within an organisation, who owns it, the value of that IP, its legal status, and what to do with it”. Once identified, in addition to focusing on the legal status of your IP, you also need to understand whether it is adequately protected. For example:

    • Which threat actors might seek to steal or sabotage your intellectual assets? Employees, competitors, nation states (‘economic espionage’) or someone else?
    • What are the actual risks posed by these threat actors? Examples include theft, sabotage and IP infringement.
    • What internal controls do you have in place in terms of your holistic security programs to address the identified threats and risks? These may need to address insider threats, supply chain threats, and external threats (e.g. competitors).

    How are IP audits performed?

    Once you have decided to undertake an IP audit, you need to develop your scope and methodology. This starts with developing your audit plan and audit team. I find it’s easier to divide the audit into two or three parts, as follows:

    • Step 1 – data collection: systematically catalogue confirmed or potential IP and confidential information in a register. I use the organisation chart as a starting point for this.
      • Tip: it’s easy to get bogged down and start to catalogue every document. Instead, focus on categories of information (e.g. financials) and then narrow down in key areas.
    • Step 2 – initial assessment: once you’ve compiled your initial register, assess it to remove all unnecessary content by ensuring each entry meets the criteria for an asset. If not relevant, delete it. Hopefully you’re left with a relatively small number of manageable entries; the output is your register of ‘critical information assets’.
    • Step 3 – commercial evaluation: use your register of ‘critical information assets’ to review potential commercial opportunities (e.g. licensing), develop monitoring programs for infringement, or even sell the IP Rights to another party if no longer used or relevant to your strategy.
    • Step 4 – risk management: review your register of critical assets to ensure the information is adequately protected. This includes legal provisions (e.g. patents), employment contracts (e.g. non-disclosure and IP assignment clauses), information security programs, and supply chain or third party risk programs. Make sure your critical information assets are appropriately marked and secured (e.g. encrypted), that access to them is controlled, and that unauthorised dissemination is limited.

    Using the findings of your IP audit to better protect these assets

    All too often, businesses take a purely legalistic approach to protecting their IP and Confidential Information assets. It is important to remember that just because your research is patented, or because you have a non-disclosure agreement in place with your suppliers or employees, it is not completely protected. Particularly in the case of confidential information, courts expect businesses to have implemented appropriate security programs to safeguard their information – it is not sufficient to rely purely on legal protections in the courts if something happens. Further, this sort of reactive response is not productive, is very expensive, and consumes substantial amounts of time from your board, executives and senior staff – time that could be more productively spent elsewhere.

    Prevention and early detection are the key, but to do this you need to understand what your IP assets are (such as via the IP audit process) and work out where their associated vulnerabilities or exposures lie (are they limited to your employees, or do you divulge this information to your third parties too? If so, who has access…). Then you can wrap a combination of cybersecurity (e.g. networks, systems, encryption) and what I refer to as ‘non-cyber information security’ programs around this to build your protective bubble. These relationships are illustrated below:

    As you can see, there is more to protecting your IP and Confidential Information than patents, copyright and design rights. If you’re unfamiliar with how to build a program to protect your confidential information, take a look at my previous post here.

    Further reading


    Australia’s economic espionage laws: what this means for ‘trade secrets’ protection after 2018

    Author: Paul Curwell

    Are Australians culturally reluctant to take steps to protect our Intellectual Property?

    Throughout my career, I have worked with businesses, R&D intensive organisations and universities which make a living commercialising their Intellectual Property (IP). As an undergraduate biotechnology student, I completed a number of internships with research laboratories in Australia and the United States, before working out that wasn’t the right career for me. Later, as a Master of Technology Management student at business school in Brisbane, I wrote my thesis on the protection of IP. I then moved on to a mix of consulting and industry roles, mostly in financial services. Unfortunately, wherever I go in Australia I regularly encounter situations involving IP and trade secrets theft. For example:

    • A departing employee who blatantly stole IP from their employer, only to find in-house counsel couldn’t be bothered to take action either against the employee or their new employer (where they were using the stolen assets) as they didn’t consider IP theft a real issue
    • Another company not only failed to terminate the IT accounts of multiple employees who had left at the same time for a direct competitor, but those employees also stole their former employer’s laptop and used it and their login credentials to log in to their former employer’s IT network from their new employer’s offices to steal the IP they hadn’t already taken, as well as commercial material such as pricing which had been updated since they left
    • An employee who had a lucrative contract with a foreign third party to supply the research paid for by their primary employer to the third party, without the knowledge of the primary employer and in breach of their employment contract and fiduciary duty

    Based on my experience, I am comfortable saying the culture of IP protection, and the maturity of associated IP protection programs, in Australia is low. Australian businesses are overly reliant on legal measures to protect our IP, at the expense of adequate security and insider threat programs. Unfortunately, once your IP is gone, it is very expensive and time consuming to get it back. Having spent almost 20 years working in the fraud and security field, I am still amazed at the way in which we protect our confidential information and IP in Australia and the almost complete disregard we show for both protecting these intangible assets and responding when something goes wrong. This is in complete contrast to the US and other R&D intensive nations. Slowly, finally, things are starting to change.

    ‘Trade secrets’ defined for the first time in Australian legislation

    In August 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 received royal assent, and now forms part of Australia’s Criminal Code Act 1995 (Cth). Theft of trade secrets and IP is big business globally, and involves nation states, criminal groups and individuals. The US Trade Representative estimates the cost of trade secrets and IP theft at US$200bn to $600bn annually. When the perpetrator is a nation state, or acting on behalf of a nation state, this is termed ‘economic espionage’ (as opposed to traditional espionage, which focuses on theft of national security related information). When the perpetrator is a competitor or private intelligence company, this is termed ‘industrial espionage’. In Australia, economic espionage is considered a form of Foreign Interference.

    Foreign interference is activity that is:

    • carried out by, or on behalf of a foreign actor
    • coercive, corrupting, deceptive, clandestine
    • contrary to Australia’s sovereignty, values and national interests

    Foreign interference activities go beyond routine diplomatic influence and may take place alongside espionage activities. A range of sectors are targeted:

    • democratic institutions
    • education and research
    • media and communications
    • culturally and linguistically diverse communities
    • critical infrastructure

    Most Australians don’t believe industrial or economic espionage happens here in fortress Australia, but unfortunately these practices are alive and well; it’s just that they rarely make it to the courts or hit the headlines, and victim companies rarely if ever disclose this fact. So what does this new legislation do? Effectively, it “introduces a new offence targeting theft of trade secrets on behalf of a foreign government. This amounts to economic espionage and can severely damage Australia’s national security and economic interests. The new offence will apply to dishonest dealings with trade secrets on behalf of a foreign actor”.

    92A.1 Division 92A – Theft of Trade Secrets involving a Foreign Government Principal

    The penalty for committing this offence is 15 years imprisonment.

    Division 92A does not cover theft of confidential information or trade secrets where there is no involvement of a foreign government – these cases are addressed under other legislation as well as under common law and will be subject to a separate post.

    What is a ‘Foreign Government Principal’?

    Under section 90.3 of the legislation, an offence of trade secrets theft requires the perpetrator (e.g. the employee) to be acting on behalf of a ‘foreign government principal’. Note that the legislation also defines a ‘foreign principal’, which is different. A ‘foreign government principal’ is defined as follows:

    • the government of a foreign country or of part of a foreign country;
    • an authority of the government of a foreign country;
    • an authority of the government of part of a foreign country;
    • a foreign local government body or foreign regional government body;
    • a company defined under the Act as a foreign public enterprise;
    • a body or association defined under the Act as a foreign public enterprise;
    • an entity or organisation owned, directed or controlled:
      • by a foreign government principal within the meaning of any other paragraph of this definition; or
      • by 2 or more such foreign government principals that are foreign government principals in relation to the same foreign country.

    Importantly, the legislation is written quite broadly so as to encompass many of the typologies typically found with economic espionage, namely the involvement of national as well as state / province and local level government agencies, associations and similar legal entity types.

    Section 70.1 of the Criminal Code 1995 provides a comprehensive definition of a ‘foreign public enterprise’ which encompasses both formal control (i.e. in the form of shareholdings) as well as influence (i.e. indirect or coercive control which might be exerted against a company’s key persons by a foreign government to ensure support).

    Three elements of the offence define expectations of employers – IP Protection programs

    In addition to the involvement of a ‘foreign government principal’, a person (e.g. employee, contractor) commits an offence under Division 92A if the person dishonestly receives, obtains, takes, copies or duplicates, sells, buys or discloses information, and the following three circumstances exist:

    • The information is not generally known in trade or business, or in the particular trade or business concerned
    • The information has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated
    • The owner of the information had made reasonable efforts in the circumstances to prevent that information from becoming generally known

    The first circumstance is relatively straightforward: if the information is public or in any way considered ‘common knowledge’, it is not a trade secret. Secondly, like all forms of IP, trade secrets must have some form of commercial value, for example being used to build or do something which creates a saleable asset or generates revenue. Lastly, the owner of the trade secret(s) must have taken reasonable steps to protect that information from unauthorised disclosure – i.e., the implementation of an IP Protection program.

    These elements are common to the definitions of a trade secret in other jurisdictions, such as the United States and Canada. However, the legislation does not provide any guidance on what a court might consider ‘reasonable efforts’ to protect such information. There is, though, a body of industry better practice around what IP Protection programs should look like, which employers and IP Rights holders can use to inform these decisions. For more information, have a read of my earlier post on this subject.

    Further reading
