How are you protecting your company's intellectual property? For many companies the answer is "Talk to legal."
Taking proper legal steps is, of course, vitally important. Trademarks, patents, and copyright all exist as mechanisms to protect your IP. However, your IP remains vulnerable to theft, particularly new IP that has not yet gone through the patent or trademark process. Some IP, such as ideas you have not yet fully developed, can't be patented or trademarked at all, and that has to be protected too.
It's hard to get statistics on just how much industrial espionage actually happens in any given year. Most companies don't want to admit they were a victim. However, the FBI estimates that foreign industrial espionage alone costs U.S. companies billions of dollars. In addition to theft, your IP is also vulnerable to deliberate or accidental deletion and the growing threat of ransomware. Estimates of the total cost of IP theft run as high as $600 billion a year. In 2020, the industry sectors most often targeted were finance, healthcare, and information. However, manufacturing is also frequently targeted by cyber espionage.
So, how do you protect your IP at this level? How do you make sure that it is not stolen by another company (or even another country)? Here are some tips for ensuring the safety of your intellectual property.
Give it a High Priority
You absolutely need to put protecting your trade secrets at the top of the list. In a few industries, such as healthcare, it might have to play second fiddle to consumer data and privacy.
But IP protection often falls by the wayside, with the most common excuse being that people need the free flow of information to work and innovate. Thus, unless it's prioritized at the C-suite level, it's not going to get done, plain and simple.
Audit Your Data Assets
Another thing that will keep your IP from being properly protected is if nobody knows what you have. Or where it is. Or who has access to it. This is the opposite problem to prioritization.
On the one hand you have people who believe that the free flow of information is necessary. On the other you have teams keeping stuff to themselves until it's done.
Start with the things most critical to your industry, such as design files. Once they're identified, you can start tracking down where they are, who is accessing them, and why.
Then label those assets. Make sure that they are marked as confidential any time anyone looks at them. This helps prevent them from being accidentally transferred, and reminds employees to be careful. A large share of breaches begin with social engineering attacks against your employees, who are always going to be the weakest link.
Dot Your Legal I's
Not a cybersecurity issue, but make sure that the ownership of all of your IP and assets is clear. Make sure that any manufacturing agreements you negotiate establish properly who owns the product design, and don't give away designs lightly.
You also need to make sure that employee contracts state that the work belongs to you. Although this is usually the default for work done in the course of employment, a written agreement removes any doubt. Typically, these agreements cover any intellectual property created on company time or using company equipment, but some companies broaden the agreement to anything created during the term of employment. Be careful not to make these agreements unnecessarily broad, as this can cost you talent (you don't need to own somebody's poetry, which some contracts do extend to).
Make sure that legal has agreements in place that absolutely ensure the clear ownership of everything, even before copyright is registered or trademarks worked on.
Do A Cybersecurity Audit
Back to cybersecurity. Most firms have a lot of assets, and they are being protected by legacy tools. Most companies have no idea how much risk they carry when it comes to a breach (or other issues, such as ransomware). Different departments may be using different cybersecurity platforms and techniques. Even a medium-sized manufacturer can have an enormous number of time-varying parameters (assets, accounts, configurations, patch levels) that determine breach risk.
Which means that you are probably going to need automated tooling to do a proper audit (vendors increasingly market this as AI-driven), but it's vital. You need to know which parts of your company carry the highest breach risk, what needs to be remediated first, and where your problems are.
Too many manufacturing companies have an idea of cybersecurity that boils down to "Don't open unknown attachments and change your password regularly." That isn't going to cut it in today's world.
Encryption is always your friend. Use software that allows you to encrypt stored data and files sent through email. Be clear about what it buys you: encryption at rest protects against stolen laptops, lost drives, and backups that walk out the door; encryption in transit protects against interception on the network. It does nothing against an attacker who has compromised an account that is allowed to decrypt, so it complements access control rather than replacing it. Even so, it generally gives you the basic protection of not being a soft target.
Encryption is particularly important for smart factories. Because security standards for internet of things devices are still unevenly adopted by vendors, manufacturers face the challenge of protecting data as it flows to and from the actual production line. Encryption is part of how you can keep production data secure.
Oh, and don't forget to encrypt all emails, not just the important ones. One common mistake is to encrypt only sensitive emails. That tells an attacker who can see the mail flow exactly where to look.
The traditional way to give employees access to the computer system was "Here's your password, have fun." Cybersecurity experts have since learned that this does not, in fact, work.
Employees, as already mentioned, are your weakest link. People can, however, only reveal what they know or have access to. Proper identity management gives each employee and/or team access to only the files they need to do their job. To take an obvious example, there is no need to give the receptionist access to blueprints.
However, it can be more granular than that, with employees being given access to the projects they are assigned to. While it is possible to overly silo employees and data, any request for additional information should be considered with a balance of security and ease of work.
Identity management also means promptly rescinding access when an employee leaves or is terminated. This is not just about trust (although fired employees have been known to steal data on their way out), but also the fact that forgotten credentials are often the source of a breach. Such credentials can sit around unmonitored for a long time, and the same goes for service accounts that nobody remembers creating.
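As an added illustration (this is not code from the original article), here is the kind of reconciliation job that catches the forgotten credentials and over-broad access described above. The HR roster, account list, last-login dates and ACLs are constructed sample data, and the field names are assumptions; in a real run they would be exported from HR and from the identity system.

```python
from datetime import date

# Constructed sample data (not from the article). In practice these would be
# exported from HR and from the identity provider; the field names are assumed.
HR_ROSTER = {
    "alice": {"status": "active", "team": "design"},
    "bob": {"status": "terminated", "team": "design"},   # left, account never disabled
    "carol": {"status": "active", "team": "reception"},
    "dave": {"status": "active", "team": "sales"},
}

# username -> date of last successful login
ACCOUNTS = {
    "alice": date(2023, 5, 30),
    "bob": date(2023, 4, 2),
    "carol": date(2023, 5, 29),
    "dave": date(2023, 5, 31),
    "eve": date(2022, 11, 15),            # no HR record: a forgotten vendor login
    "svc-cad-backup": date(2022, 9, 1),   # service account, exempt from HR checks
}

# resource -> accounts granted access, and the teams that legitimately need it
ACLS = {
    "cad-vault/blueprints": {"alice", "bob", "carol"},
    "crm/customer-list": {"dave", "carol"},
}
OWNING_TEAMS = {
    "cad-vault/blueprints": {"design"},
    "crm/customer-list": {"sales"},
}


def orphaned_accounts(accounts, roster, service_accounts=frozenset()):
    """Accounts with no active person behind them: unknown to HR or terminated."""
    return sorted(
        user for user in accounts
        if user not in service_accounts
        and roster.get(user, {}).get("status") != "active"
    )


def dormant_accounts(accounts, today, max_idle_days=90):
    """Accounts nobody has used recently; prime candidates for quiet takeover."""
    return sorted(
        user for user, last_login in accounts.items()
        if (today - last_login).days > max_idle_days
    )


def overbroad_access(acls, owning_teams, roster):
    """(resource, user, reason) for every grant that least privilege would not allow."""
    findings = []
    for resource, users in acls.items():
        for user in sorted(users):
            person = roster.get(user)
            if person is None or person["status"] != "active":
                findings.append((resource, user, "no active employee"))
            elif person["team"] not in owning_teams.get(resource, set()):
                findings.append((resource, user, f"team '{person['team']}' does not need it"))
    return findings


def offboarding_report(today=date(2023, 6, 1)):
    """Bundle the three checks so they run (and get reviewed) as one scheduled job."""
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, HR_ROSTER, {"svc-cad-backup"}),
        "dormant": dormant_accounts(ACCOUNTS, today),
        "overbroad": overbroad_access(ACLS, OWNING_TEAMS, HR_ROSTER),
    }


if __name__ == "__main__":
    for check, items in offboarding_report().items():
        print(check)
        for item in items:
            print("  ", item)
```

Service accounts are deliberately exempted from the HR check but not from the dormancy check: a backup account that has not logged in for nine months is exactly the kind of credential that sits around unmonitored.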
Use data loss prevention tools which keep track of sensitive documents and who is using them. This can allow you to establish the source of a leak quickly.
We can't reiterate often enough that people are the weak link in cybersecurity. You need to make sure that your employees are trained on your policies about the use of confidential data and aware of things they should not do. For example, it's vital to have a policy that requires the use of a VPN if an employee connects to the office remotely, regardless of where from.
Perform regular security awareness training and invite your contractors, vendors, and other partners. Independent contractors are sometimes neglected when security awareness training is performed, but can often present a particular risk as, in many cases, they are working from their own office and may thus be storing data "off premises."
Employee training should include, but not be limited to, good password practices, anti-phishing training, and physical protection. (For example, employees should be warned not to leave laptops or other devices containing company data or connected to company systems unattended anywhere except the office or their own home. Stolen laptops have resulted in a number of breaches).
Policies should make employees responsible for the data they are working with. If you have a BYOD policy, make sure it covers everything, and consider limiting access to highly sensitive data to company-owned equipment. Most employees are not comfortable with IT having the ability to remote wipe their personal devices, so if employees bring their own, keep company data in a separate, IT-managed container (such as a mobile work profile) so that a selective wipe removes company data without touching personal data.
It's particularly important not to bury these policies in the middle of the employee handbook. Make sure that employees see them as a separate thing, explained in detail, and have them initial it so you can be sure they at least looked at it. This also includes employee non-disclosure agreements, which act as a deterrent and allow you to take action if somebody intentionally or carelessly reveals intellectual property to an outside party.
Anti-phishing and anti-social engineering drills are also useful, especially if there is something new circulating. For example, there has recently been an increase in phishing attempts conducted through social media messaging.
Finally, make sure that employees know not to connect insecure devices (including flash drives of uncertain provenance) to the network. Workstations should be turned off (or at least logged off) when not in use.
It's important enough to mention on its own, but IP thieves like to make phone calls. This is old school, but sadly, it often works. This is why you need to protect your phone list.
A thief will call, claim to be working on a project, and ask about specific things. Often they will try to get as much information as possible about the specific person before calling. They might get this information from newsletters or other similarly benign stuff. Spoofed emails can also be used. They often imply they work for a consulting group or similar. Employees need to be trained not to give out information to anyone they do not know, or to say they have to verify their source.
People working remotely are particularly vulnerable, especially if they don't think their number is well known.
Vet Your Vendors
Don't use vendors who don't have a solid cybersecurity system in place. You should ensure that your vendors and subcontractors sign on to your data policies.
IP can potentially be compromised through your external supply chain, so make sure that you know what vendors have access to, and be particularly careful with identity management: give vendor accounts their own scoped roles, restrict them to the systems the contract requires, and monitor them separately from employee accounts.
In general, it is better for highly sensitive data to be handled by employees rather than contractors as much as possible. In cases where you do need to use an IC, bear in mind that unlike employees there is not a strong presumption that you own IP they produce while working for you. Make sure to give them only the information they need to do their job and that you have systems set up to ensure that their access is locked down the moment the contract is over.
If you aren't sure of a vendor's security, then take steps to limit what they can see. Delayed differentiation, where generic components are produced first and the specialized work is done at a different facility, lets you restrict less trusted vendors to making only parts that tell them little about the end product. Car manufacturers are particularly fond of this technique.
Secure your DNS
Globally, one in eight companies have lost data to a DNS attack. Network attacks such as newly registered malicious domains and malware that generates its command-and-control domains algorithmically (DGA malware) are things you need to worry about, even if you don't think you're a target. Tip: Everyone's potentially a target.
You need to make sure that your resolvers log queries centrally, filter known-bad domains, and feed the logs into near-real-time analytics so that attacks are detected and blocked as they happen. Internet of things devices, including those in smart factories, are particularly vulnerable to them.
Another vulnerability is IoT devices in the homes of remote workers, as well as personal devices that have not been vetted. Shadow devices, which IT doesn't even know about, became a particular issue during the pandemic. DNS query logs can reveal them: a client that is not in your inventory but is resolving names through your resolver, or an approved device resolving names it has no business resolving, is worth investigating. While this is more of a concern for office workers, it is definitely something manufacturers need to be thinking about, especially as design professionals may, in some cases, continue to work remotely.
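To show what "analytics over DNS logs" looks like in practice, here is an added example (not code from the original article) that covers both points above: it flags DGA-style query names by their character statistics, and it lists clients that appear in the resolver log but not in the device inventory. The log lines are constructed, the line format is assumed (every resolver logs differently), and the thresholds are starting values to tune against your own traffic.

```python
import math
import re
from collections import Counter

# Constructed resolver log (not from the article). The line format is assumed;
# BIND, dnsmasq and Windows DNS each log differently, so LINE_RE would be
# adapted to whichever resolver you actually run.
SAMPLE_LOG = """\
2023-06-01T10:00:01 client=10.0.5.12 query=www.example.com type=A
2023-06-01T10:00:02 client=10.0.5.12 query=x7kq9dzp2mvt4wrj.com type=A
2023-06-01T10:00:03 client=10.0.5.12 query=qzvw3f8hna1lpmx.net type=A
2023-06-01T10:00:04 client=10.0.5.40 query=fonts.googleapis.com type=A
2023-06-01T10:00:05 client=10.0.5.40 query=login.microsoftonline.com type=A
2023-06-01T10:00:06 client=10.0.5.99 query=api.example.co.uk type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qname>\S+) type=(?P<qtype>\w+)$"
)

# A few two-label public suffixes; a real deployment loads the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def parse_log(text):
    """Yield (timestamp, client, qname) for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["client"], m["qname"].rstrip(".").lower()))
    return records


def registrable_label(qname):
    """The label an attacker had to register: 'example' in api.example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0]
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return labels[-3]
    return labels[-2]


def shannon_entropy(s):
    """Bits per character; random-looking strings score close to log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(label, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Long, high-entropy, vowel-poor labels are typical of generated domains.
    Human-chosen names (microsoftonline, googleapis) fail at least one test."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def suspicious_queries(text):
    return [(client, qname) for _, client, qname in parse_log(text)
            if is_dga_like(registrable_label(qname))]


def clients_ranked_by_suspicion(text):
    """How many generated-looking names each client asked for; DGA malware asks for many."""
    return Counter(client for client, _ in suspicious_queries(text))


def unknown_clients(text, known_clients):
    """Clients using the resolver that the device inventory does not know about."""
    return sorted({client for _, client, _ in parse_log(text)} - set(known_clients))


if __name__ == "__main__":
    inventory = {"10.0.5.12", "10.0.5.40"}   # assumed contents of the device inventory
    print("suspicious:", suspicious_queries(SAMPLE_LOG))
    print("by client:", dict(clients_ranked_by_suspicion(SAMPLE_LOG)))
    print("unknown clients:", unknown_clients(SAMPLE_LOG, inventory))
```

Single hits will produce false positives (CDN hostnames, tracking pixels), so the useful signal is the per-client count: a workstation resolving dozens of such names per minute is behaving like infected malware, not like a browser. Content-delivery names that trip the entropy test can be allowlisted by registrable label rather than by full hostname.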
Educating remote workers on why they need to secure Wi-Fi routers and avoid doing non-work activities on company equipment and networks remains vital. Many people will behave in the office and then relax more at home.
There is a reason security firms sometimes like to hire former hackers. Thinking like a threat actor is one of the best ways to protect your intellectual property (and other sensitive data).
Think from an outsider's standpoint. What of your data would be particularly valuable to a competitor? Do you have facilities that might be vulnerable to siegeware (ransomware aimed at building automation systems such as HVAC and access control)? Remember that IP theft is a major concern, but not the only one. Hiring a security professional to work through this process with you is generally the best way.
Security professionals may also perform penetration testing to find holes in your systems and show you exactly how an attacker can get to your data, sometimes without you even knowing. Threat modeling should be structured and systematic, walking through concrete steps: enumerate the assets, the entry points, and the people and systems that can reach them, then ask what each kind of adversary would do. Established methodologies exist (STRIDE and attack trees are common starting points), but applying them well still takes judgement and experience.
It is also not a one and done, but something which should be repeated as the situation changes. Have you added a new work site? Moved a team remote (or back into the office?) Added a new vendor?
All of these can change the threat profile and make your models outdated.
Additionally, consider threat models that go beyond cybersecurity. Are you shredding all documents? Protecting phone and contact lists? Are you taking steps that will help keep people from spoofing senior executives to get information? It's best to implement a policy of never sending sensitive documents or making payments on the strength of an email alone: verify the request with the person through another channel, such as a phone number you already have on file, and never send anything sensitive unencrypted. Impersonating an executive or a supplier by email to extract money or data is known as business email compromise (BEC), and it is a very common scam.
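The out-of-band check above is a human process, but the mail gateway can raise the flag that triggers it. As an added example (not code from the original article), the script below inspects the headers of a message for the classic BEC tells: a display name that matches an executive but an address that is not theirs, a Reply-To pointing at a different domain, a sender domain one character away from the real one, and a failed SPF or DMARC result. The corporate domain, the executive list and both sample messages are constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: the company's real mail domain and the
# executives most likely to be impersonated (display name -> their real address).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Constructed sample messages (headers plus a short body; not real mail).
BEC_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-corp.com
Subject: Urgent: send the new gearbox drawings to our partner today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none

Please send the drawings right away, I am in a meeting and cannot talk.
"""

LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass; dmarc=pass

Agenda attached.
"""

IMPERSONATION = "display name matches an executive but the address is not theirs"
REPLY_TO_MISMATCH = "reply-to domain differs from the sender domain"
LOOKALIKE = "sender domain is a near-miss for the corporate domain"
AUTH_FAILED = "SPF or DMARC check failed"


def levenshtein(a, b):
    """Edit distance; a small distance to the corporate domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw):
    """Return the list of BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []

    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(IMPERSONATION)
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(REPLY_TO_MISMATCH)
    sender_domain = domain_of(from_addr)
    if sender_domain != CORPORATE_DOMAIN and levenshtein(sender_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(LOOKALIKE)
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append(AUTH_FAILED)
    return findings


if __name__ == "__main__":
    for label, raw in (("BEC", BEC_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, "->", analyse_headers(raw) or "no indicators")
```

Note that the lookalike message passes SPF: the attacker registered examp1e-corp.com and set up its records properly, so authentication results alone would not have caught it. That is why the display-name and lookalike checks matter, and why the final decision still goes to a phone call.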
Watch For Poaching
A lot of corporate espionage is an inside job. A disgruntled employee takes it out on their boss by handing secrets to the competition, or somebody is hired away (sometimes with the express goal of obtaining information).
Preventing this kind of thing is beyond the scope of IT, but the best defense against employees spying on you or leaving for your rivals is to treat them well and with respect. Building a good corporate culture helps you have loyal employees who are much less likely to sell your secrets to someone else.
Spotting and dealing with disgruntled employees quickly is also a good idea. In some cases you may need to pull somebody's credentials out from under them before they act, which is where monitoring for unusual behavior (bulk downloads, access at odd hours, copying to removable media) comes in. This is one area in which IT can help.
Beware Shadow IT
Security needs to be tight. However, if your security starts interfering with the things employees need to do and lowering their productivity, this is a problem at several levels.
When people feel as if they can't do their job using the tools provided to them by IT, they will look for ways to do it without using those tools. The VPN is too slow, so they download the large file over the open internet. The approved app lags on their phone, so they download something else to do the job.
Shadow IT is when users do an end run around IT, installing unapproved apps, using unapproved devices, and using tools in unapproved ways. Tracking, and cracking down on, shadow IT is vital. However, once you have identified shadow IT, you need to establish why employees are using unapproved technology. In the long run, the only way to stop shadow IT is to make sure that employees have the official tools they need to do the job and that they are happy with the technology they are provided.
Protect Factory Networks
We've already mentioned the potential vulnerability of smart factories. IoT devices are often poorly secured, and skilled hackers can use them to get into the network.
Worksite networks can also be a problem in other ways. It can be hard to resist connecting your phone to the Wi-Fi if you aren't getting data in the back of the warehouse, for example. Habits like this can make the worksite network a weak point that attackers use to get into your systems as a whole.
Make sure that all Wi-Fi networks on all worksites use current encryption (WPA2 or WPA3 with a strong passphrase, never WEP or an open network) and that each router's admin interface is password protected. Either do not allow people to connect with their own devices, or have IT look at the devices first, and keep guest and personal devices on a separate network from production systems.
Encrypt communication across the network. Change default passwords on all connected devices and, when possible, also change the default username. The first thing most hackers will try is the username and password a device ships with, because so many people don't bother to change them. Don't be that person.
Segment real-time location systems and similar plant-floor devices away from the main corporate network with firewalls as much as possible, so that a compromised device cannot reach file servers or design systems directly.
Have a Contingency Plan
Despite everything, it's very possible that you will still get hacked. Make sure that you have a proper contingency plan and that everyone knows what to do.
Corporate espionage needs to be part of your risk management plan alongside what to do if, say, one of your factories catches fire. This means that you need to be ready with damage control should your secrets be stolen.
Many companies are too embarrassed to report corporate espionage. This is unfortunate because it makes it harder to catch the thieves, who will only strike again.
If you do become a victim, don't be afraid to involve the police. Preserve logs and affected systems before rebuilding them, then do a full investigation to establish how the thieves got in and make sure that you plug whatever security hole they used. Have a series of actions ready for when a breach is suspected, which could include forcing all users to reset their passwords, revoking active sessions and API tokens, changing encryption keys, etc.
While only so much can be done if somebody gets away with your IP, you can always take measures to ensure that the breach is not repeated.
Protecting your intellectual property is vital. In some cases it may be your most valued possession, worth more than your physical plant. However, not all companies take the steps they need to to keep it safe. These tips can help keep you safe, but a full security audit can help more. We can help manufacturing companies protect their IP and other vital data. Talk to us to find out what we can do for you.