Protecting Intellectual Property from IP Theft
IP theft — the pilfering of intangible assets that provide competitive advantage — is one of the costliest kinds of cyberattacks. Learn how to protect against it.
- Digitization has made intellectual property (IP) theft easier and less detectable.
- The loss of corporate IP can be much costlier than the loss of personal or financial data.
- Many organizations do not focus enough effort on protecting IP from insider threats and external attack.
- Organizations can take specific steps to identify, classify, and protect their IP, including monitoring email for signs of IP theft.
Stealing intellectual property (IP) for profit or power is hardly a new phenomenon. This criminal practice is as old as the concept of IP itself. In the 1700s, British law first established the idea that creations of the mind (say, inventions or writing) are valuable assets worthy of legal protection. Since then, though governments have introduced and continually updated legislation protecting various classes of IP (such as patents or copyrights), digital technology has also made it easier to appropriate IP.
In the digital era, IP is a major target for cybercriminals — typically more lucrative than the relatively petty theft of individual credit card numbers or personal information. Enterprising cyber thieves and criminal gangs can sell corporate IP such as patented innovations or trade secrets to company rivals. In many cases, investigators have traced IP crime to state-sponsored groups linked to nations seeking to give their own industries a leg up or looking for information to aid in cyberwarfare.
Organizations can take steps to block these cyber thieves. Among the means at their disposal are email security and data loss prevention tools such as Mimecast’s, which automatically detect and stop the illicit movement of your organization’s intellectual property.
IP Theft Costs Hundreds of Billions a Year
The Commission on the Theft of American Intellectual Property (IP Commission) estimated that intellectual property theft costs the United States economy approximately $600 billion annually. One multiyear cyber operation run by a Chinese state actor was estimated to have stolen trillions in IP (including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related data) from 30 multinational companies operating in the energy, manufacturing, and pharmaceutical sectors, according to a 2022 report. In a recent global survey, C-level leaders ranked the impact of intellectual property theft as second only to the operational disruption caused by cyberattacks.
But while organizations are ever more aware of the risks and costs of customer or personal data theft, they often overlook the potential havoc that IP theft can wreak. There are fewer cyber regulations and less compulsory reporting around IP theft and, as a result, many organizations may fail to put the same effort into protecting what are some of their most valuable assets, leaving IP more vulnerable than, say, personal and financial information.
Types of Intellectual Property
IP refers to a broad range of assets that create value for an organization, from logos and client lists to product blueprints and go-to-market strategies. These so-called intangible assets (as opposed to tangible assets like goods, equipment, or cash) increasingly make up the majority of many organizations’ overall value. Intangible assets account for 90% of the S&P Index’s total assets.
There are four basic categories of IP:
- Copyrighted materials: Books, art, and software can be protected by copyright by individuals or organizations. Copyrights protect their use by others without explicit permission.
- Patented material: Inventors secure patents to protect their innovations, typically preventing others from profiting from their unique ideas for 20 years.
- Trademarks: Organizations can get trademark protections for words, phrases, symbols, designs, or any combination thereof that identify and distinguish their brands of products and services.
- Trade secrets: This broad category refers to confidential information that gives organizations some competitive advantage. This could be a production system, a strategy, or even a client list.
Methods of Intellectual Property Theft
Once upon a time, would-be IP thieves would have to pinch a physical artifact (say, a blueprint or a customer list) to achieve their nefarious aims. Digitization has turned IP piracy into a largely virtual enterprise, accomplished much more cheaply and quickly. Any digital IP is at risk. And given that organizations often collaborate broadly with third parties, the vulnerability is even greater. Copyrighted material and trade secrets are the types of intellectual property that are most likely to be targeted by cybercrime.
Digital piracy of copyrighted films, music, and more took off a few decades ago in the absence of any real regulation. But even in a regulated environment, digital advances in streaming and file sharing have continued to fuel piracy.
Outside of the media industry, the theft of trade secrets is most concerning. The peril grows exponentially once one person has access to, say, an unprotected trade secret. In many cases, organizations that must share their valuable IP with outsiders ask third parties to sign non-disclosure agreements as a way to protect the sensitive data. However, the agreements offer little protection against the threat of insiders stealing intellectual property, leveraging their specific understanding of systems and access to valuable IP.
According to Mimecast’s State of Email Security 2022 report, 93% of respondents said their organizations had experienced internal threats or data leaks initiated by compromised, careless or negligent employees over the previous 12 months, and nearly half (46%) said the threats or leaks had increased. The connection between IP theft and the insider threat played out in the headlines when an Alphabet engineer was sentenced to 18 months in prison for the alleged theft of trade secrets from his former employer.
This kind of criminal abuse of privilege is a primary method of IP theft. However, IP can also be stolen using other cyberattack methods, such as planting malware designed to read and exfiltrate data from computer memories. It can also be traced to human error.
Protecting Crown Jewels from IP Theft
Some large organizations have technology, personnel, and processes devoted specifically to IP protection, with zero trust security architectures in place. But the average organization may not have dedicated resources to protect these valuable assets. Leaving IP vulnerable to theft is a significant risk, but one that any organization can work to mitigate. Organizations can take the following steps to identify, classify, and protect their IP:
- Inventory your IP. It sounds straightforward, but many organizations have not taken the time to determine just what IP sustains their competitive advantage and might be targeted for IP theft. Identifying these crown jewels is a critical first step.
- Locate your IP. Once you’ve identified these assets, it’s time to figure out exactly where they reside. Hint: They may exist in more than one location — on-premises data centers, cloud applications, employees’ personal devices and third-party systems, for a start. Email systems are usually a treasure trove of company information. Only after this IP mapping exercise can an organization put in place the best policies, procedures, and technologies to prevent IP theft.
- Review IP access. Many internal and external individuals may have access to your IP. Performing an audit of who has access to sensitive IP and limiting that access on a need-to-have basis will substantially lower the risk of IP theft. Don’t forget to include employees and partners who are no longer working with the organization, since these former insiders can become weaponized in an IP-focused cyberattack. You can also consider IP management software to control IP access.
- Educate and train employees. Next, it’s important to make sure that all employees and external partners or contractors understand what IP needs protecting and what their role is in doing so.
- Defend against the insider threat. Whether due to ill intent or ignorance, employees can be a primary vector for IP theft. Securing digital communications channels — especially emails — should be a top priority. Organizations can invest in an insider threat management solution. Leading-edge email security software can continually monitor, detect, and remediate the threat of IP theft across the email network, including those that originate inside the organization. The right tools can remove emails that pose an insider threat or contain at-risk data like IP as while also checking for malware.
- Establish and maintain a robust cybersecurity posture. Organizations that want to protect their organizations from cyberattacks, including those focused on IP theft, will implement the latest cybersecurity and threat intelligence tools and processes. Organizations should continually check for gaps in their security protocols to make sure that attackers stay away.
For those organizations that discover they have already been the victim of IP theft, speed is of the essence. As the IP Commission has warned, damage from stolen IP can accrue quickly.
The Bottom Line
While big consumer data breaches tend to dominate the headlines, the quieter crime of IP theft can have even more deleterious consequences for organizations. To prevent IP loss, organizations need to take action to identify and protect valuable IP, fortify cybersecurity protections, address the insider threat, and educate and train employees. Read on to find out how Mimecast’s insider threat management solutions can help.
 “What is Intellectual Property Theft & Why it Matters,” Thales Group
 “The Soaring Value of Intangible Assets in the S&P 500,” Visual Capitalist
 “Star Technologist Who Crossed Google Sentenced to 18 Months in Prison,” New York Times
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!