How is confidential information compromised?

Introduction

In a previous post, I discussed what we mean by intellectual assets and confidential information, and who might want to compromise it. Here I again pick up the topic of confidential information, which is the foundation of any trade secrets protection in Australia. This post provides an overview of what I consider the nine main attack vectors for confidential information, why it is important to understand the value of your critical information assets before spending money to protect them, and how managers can build a confidential information protection program for their business.

Research and development is one category of confidential information

Confidential information can be compromised through nine main ‘attack vectors’

Sensitive, non-public information can be compromised through a range of avenues (attack vectors) by external parties or trusted insiders. The following list, whilst not exhaustive, illustrates the sheer number of avenues by which sensitive business information can be compromised:

  • Espionage techniques – whether perpetrated by competitors, ‘information brokers’ or nation states
  • Cyber attacks – by far one of the easiest, lowest risk and most successful vectors if recent events are any indicator
  • Insider threats – including theft, copying, unauthorised disclosure, ‘innocent disclosure’ (i.e. an intentional disclosure made to look like an accident) and large-scale data leaks
  • Technology transfer – through acquisitions and licensing
  • Research partnerships
  • Staff exchanges, secondments and laboratory visits
  • Direct investments – including venture capital and private equity
  • Listings on foreign stock exchanges – where foreign governments may seek to forcibly access premises or IT systems and copy information
  • Supply chain infiltration – including of Contract Research Organisations and Contract Manufacturing Organisations

Each of the above is an example of a vector used to obtain sensitive business information. Typically, threat actors start with the easiest and least expensive option. Professionals who engage in wholesale theft of sensitive information, whether PII or intellectual property, are typically very patient and may be willing to wait years for the right opportunity. Companies which create valuable information assets often have better security and greater staff security awareness (i.e. they are a harder target), so they are likely to be on the receiving end of more sophisticated methods from their opponents. Fortunately, this does not mean protecting sensitive information is impossible. Rather, it requires a robust framework to mitigate the risk.

Renewable energy technology is highly competitive and a target of research theft.

Before protecting information, we need to understand its value

It is not practical or cost-effective to protect every asset in an organisation to the same standard, and this goes double for information. A foundation principle of security is to apply controls only to assets of value. This is relatively simple to determine for tangible, physical assets, but in practice is somewhat difficult for intangible assets. In my consulting practice, I have worked with a number of knowledge-intensive organisations to identify and assess their sensitive information. This exercise is really all about balance, compounded by the fact that information at the start of a process (e.g. the commencement of R&D) may not be valuable, whilst at some point along the way a confluence of events means the information becomes highly sensitive.

Trade Secrets are another category of confidential information

The challenge is to identify the point at which that happens, as too many controls will affect the productivity of knowledge workers, who instinctively want to share and learn. Locking information away in silos goes against the innate behaviour of knowledge workers and will also impact your organisation’s ability to innovate. In contrast, inadequate control coverage means valuable information is not adequately protected and could easily be lost. Coincidentally, I completed my Master’s level research project on this very topic as part of the Technology Management program at the University of Queensland Business School.


When working with clients I typically follow a five-step process to complete this exercise:

  1. Compile an inventory of all types of information within the organisation, the creator (originator) and recipients, and where it is stored
  2. From this inventory, group the information into categories such as public, Personally Identifiable Information, non-sensitive business information and Sensitive Business Information. This activity can quickly become unwieldy, so you will probably need to sub-categorise information as you go
  3. Rank or prioritise your information from most to least sensitive. This might be on the basis of value (i.e. potential future revenue-generating capacity), regulatory compliance, or reputational / commercial damage if disclosed (e.g. loss of market share)
  4. Identify your internal control environment in relation to your most sensitive information. Is this information adequately protected?
  5. Focus your information protection program on these areas and develop a plan to uplift internal controls where gaps exist, leaving information unprotected

Confidential information needs to be identified and protected

How do you build a confidential information & trade secrets protection program?

In larger companies, sensitive information protection programs typically comprise a specialised element of the enterprise’s broader corporate security program, which provides the security foundation on which information protection builds. Smaller organisations, however, may not have a robust security program in place beyond a limited IT security capability and a security manager responsible for guard-force management. Corporate security programs today involve far more than security guards – they have evolved to a high level of sophistication to address the diverse range of complex threats faced by companies operating domestically and overseas. More on this in future posts.

There are seven key components of a confidential information protection program

The seven key elements of a confidential information protection program are as follows:

  1. A framework which brings together all relevant program elements, identifies risk owners and stakeholders, and sets the tone from a policy implementation and guideline perspective. This framework should be subordinate to other organisational frameworks, such as Risk and Compliance
  2. An appropriate Information Registration, Classification, Marking, Tracking & Destruction scheme to ensure sensitive information is clearly identified and can be protected at each phase of the lifecycle
  3. Security awareness training for all staff, but particularly those working with (or creating) the sensitive information
  4. Tone from the top, with the importance of information protection being clearly recognised and with executives and the board following internal procedures
  5. A threat and risk assessment, to clearly identify the threats and risks to the sensitive information and the associated controls
  6. A risk-based protective security program comprising physical, cyber, information (non-cyber) and personnel security elements to address the risks, and
  7. Appropriate detection, incident management and investigation capabilities to enable timely detection and response to any incident, minimising further damage

To ensure adequate stakeholder engagement and ownership, sensitive business information programs should be led by the business risk owner who has the most to lose if the information is compromised. A working group or steering committee should be formed involving representatives from legal, finance, human resources, IT, marketing, R&D, sales and distribution, and corporate security. These programs need to be owned by the business – information protection programs owned by ‘security’ are doomed to fail through inadequate stakeholder engagement and support.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

In business, confidential information is a critical asset

Author: Paul Curwell

Intellectual assets are strategically important in business today

Intellectual Assets can exist in a variety of forms, though they are all based upon the generation, capture and protection of valuable knowledge (the ‘information lifecycle’). Their foundation is fragile, as it is dependent upon the transition of tacit knowledge possessed by an individual into the organisation with which they are associated. Once transferred, organisations must convert that employee’s tacit knowledge into value-creating processes, products or practices. However, a diverse range of criminal and commercial activities threaten the viability of knowledge-intensive companies.

According to statistics quoted from the US Trade Representative, some aspects of “American IP theft costs between US$225bn – US$600bn annually”. These statistics relate to only one segment of the problem, so the true value is probably higher, highlighting the somewhat ‘hidden’ nature of the problem. As recognised by global accounting standards, information today is an (intangible) asset: it needs to be protected like any other tangible asset or item of value.

Companies in knowledge-intensive industries typically have a heightened awareness of the value of their Intellectual Assets and place greater emphasis on information protection as part of an overall IP strategy. However, in my direct experience Australians still lag somewhat behind our North American, European and Asian peers in acknowledging the magnitude of the threat. Here in fortress Australia, where most people and companies play by the rules, we have a tendency to think the rest of the world is like home. In reality, the borderless nature of crime today means that nowhere is safe when it comes to protecting sensitive business information.


What do we mean by confidential information?

There are a range of categories of sensitive information, with sensitivity being determined by factors such as commercial value, regulatory obligations to protect the data, and competitive advantage. In my experience, Australian businesses often overlook the importance of commercially valuable information in favour of a heightened focus on Personally Identifiable Information, a result of Notifiable Data Breach legislation and increased awareness of privacy generally. For the purposes of this post, I have outlined three categories of ‘sensitive’ information:

  • Intellectual Property (IP) – predominantly in the form of copyright and patents
  • Sensitive Business Information (SBI) – otherwise referred to as ‘proprietary information’ (US terminology) or ‘confidential information’, this category is anything with commercial value, including strategic plans, customer lists, pricing and ‘trade secrets’
  • Personally Identifiable Information (PII) – information that must be protected under privacy legislation, comprising any information that can be used to identify an individual

This post focuses on Sensitive Business Information protection.

‘Sensitive information’ exists along a continuum, with information being ‘sensitive’ by virtue of the fact that it is not public or widely known. For example, research data being prepared for submission in a patent by a research institute is sensitive and must be protected from theft, loss or misuse until the point where the patent is published. Upon publication, the information becomes widely known and can be consumed by anyone – noting that profiting from the information in the patent or using it commercially requires a license and payment of royalties. This means it is important to consider the ‘information lifecycle’ when we create information protection programs as security frameworks and controls must reflect the risks and information usage activities which apply at each phase of the lifecycle.

According to the literature, information has its own five-phase lifecycle (Sharma, 2011), as follows:

  • Creation and Receipt – the point from which information is created (origination)
  • Distribution – of the information to end users or recipients
  • Use – where information is applied to a specific purpose
  • Maintenance – includes storage, categorisation, and processing of information
  • Disposition – includes the destruction, archiving or other retention decisions

To further highlight the importance of the lifecycle using the above patent example, research data might start out as ‘sensitive business information’ when it is created, only for it to become Intellectual Property when it is subsequently used (i.e. published as letters patent). In this example, many of the security arrangements used to protect the unpublished research data can be relaxed upon patenting, as keeping data in this form secret no longer adds value once it is public.


Threat Actors seek to compromise your sensitive information

When we discuss security problems generally, Australians like to talk about risks rather than the root cause of the risk. When talking about all types of security or fraud issues, that root cause is human. Whatever their motive, threat actors seek to do or cause harm. I’ve been helping companies and governments identify and mitigate threats from hostile actors of all forms for almost 20 years. My starting point for dealing with threats is to divide them into two categories – internal and external – based on their level of access and influence within the organisation:

  • Internal threats – ‘trusted insiders’: employees and third parties with privileged access to the organisation by virtue of their employment or contractual arrangement
  • External threats – those outside of the organisation, including organised crime, nation states, terrorists, private intelligence collectors, and competitors

External threat actors often work with trusted insiders to compromise sensitive information. The insider’s cooperation can be complicit, involving some form of collusion (i.e. the insider voluntarily steals information in return for bribes or some other non-financial advantage), or coerced (e.g. the insider, or their family, is threatened [extorted] or blackmailed into compromising the information).
