Are manufacturing businesses doing enough to protect intellectual property?
Intellectual property is the lifeblood of innovation, but are manufacturing businesses doing enough to protect it?
Intellectual property (IP) plays an essential role in innovation in the manufacturing sector, with new ideas fuelling continued progress in many different areas of the economy. Information is a real commodity, of interest to competitors and third parties and has a high profile on a wide scale, particularly shown by recent interest around Huawei.
Some businesses believe that their IP isn't of much interest to anyone outside of their business, and that their competitors aren't a concern. However, what if the IP was simply harvested via a third-party, who picked it up as part of a wide scale security breach, and then sold on the dark web or to targeted firms internationally? Even if your IP isn't of much interest in terms of flat-value, it causes other issues, including reputational damage. It can also bring significant financial penalties through regulatory breaches, i.e. GDPR and Sarbanes-Oxley.
IP theft is on the rise, and the threat landscape is way beyond the old days of targeted corporate espionage. There are potentially tens of thousands of entities who want a business’s data and can profit from it, one way or another. This undercuts the potential success of its rightful owners and damages the future of the business. The good news, however, is that there are several strategies which can be deployed to protect IP, and these lessons can be applied across the entire business.
Ideas under attack
The first step of this process is understanding the nature of security threats to IP. Technological development and the interconnected nature of the digital world has made IP theft far easier than ever before, especially given that the majority of security breaches that go undetected.
The most common strategy employed by an IP thief is spear phishing, which involves using fake emails and other messages to lead a target to leak information, take detrimental action, or to open a security hole that allows the malicious third-party access to a corporate system. They can then see the network landscape, find vulnerabilities, and exploit them to view and steal intellectual property.
Other less common methods are also used such as zero-day vulnerability exploitation, which involves taking advantage of a vulnerability in software code that has been identified but not published widely and thus hasn’t been security patched. Additionally, ‘man in the middle’ attacks are widely used and occur when hackers insert themselves between the communications of a client and a server (typically over a wireless connection), allowing the interception of these transmissions while password attacks, involve obtaining passwords to gain relatively simple access to a company’s system.
These advanced persistent threats (APTs) can go unnoticed for months, and even years, giving hackers the ability to harvest information on an ongoing basis. Manufacturing companies can repeatedly go through entire design cycles, believing that their innovation is private and protected, while it is actually being illegitimately viewed all along.
APTs are hard to detect because most antivirus software depends on lists of known malicious software (malware), but advanced attackers can often adapt their techniques to circumvent security measures, ensuring their malware isn’t added to these lists. Most businesses only realise they are falling victim to an APT thanks to a third party, such as a partner, security consultant, or law enforcement agency, who brings it to their attention.
It’s also important to remember information accessed outside of the controlled network, such as personal devices connected to corporate systems. Businesses must make sure sensitive information isn’t being left on printers or simply dropped in a paper bin. If you want to breach a company, being on the cleaning staff is an easy way to get access.
Defending against thieves
The threats facing IP are clearly significant, but there are steps which can be taken to effectively repel attackers and minimise the risk that innovative ideas are stolen. Identifying and assessing IP and continuously updating a catalogue of all valuable information should be the first port of call. It’s also important to look at where and how it is stored, how it’s transferred within a company network, and crucially, who has access to it.
The next step is to ensure that any information categorised as IP, or potentially valuable to competitors or cyberthieves, is afforded higher levels of protection than standard data. In short, businesses should be considering all of the threats to that information and then assigning controls to those risks. This can include encryption, time-limited access, multi-factor authentication, data leak prevention, security incident management, and much more.
It’s also essential to develop and test an incident response strategy. This should include operational processes such as identifying how a breach has occurred, assessing its impact, recovering systems and data, and communicating with key parties. Businesses should nominate a response team comprising of IT, Legal, Operational, PR/Marketing, HR and Risk Management personnel, who will each take responsibility for different areas of this strategy. It’s important to test this plan at least once a year and update it in line with any significant changes to the business, such as new technology or additional locations.
Finally, businesses should also be prepared to work collaboratively with law enforcement, sharing what they know about the breach. Regardless of whether IP was stolen by a criminal gang, in a state-sponsored attack or by a competitor, the business is a victim of a crime.
But beyond technological defences, there are additional steps that can be taken to benefit the business. Educating employees on a continual basis about threats such as spear phishing and social engineering can entrench a healthy scepticism and critical approach which can not only prevent IP theft, but cyber breaches of any kind. This also applies to protecting customer data, which has taken on increased prominence thanks to the recent introduction of the General Data Protection Regulation (GDPR).
Above all else, instilling a positive attitude towards continuous vigilance and process improvement will deliver significant day-to-day benefits for a manufacturing business, which will extend far beyond protecting IP. Defending innovative ideas is vital, but it doesn’t have to be done in isolation. Instead, it should form part of a broader IT security strategy that continually evolves and develops. A good way to ensure this continual improvement is to invest in implementing the ISO 27001 standard – not doing so could be considered negligent in the current climate.
Robert Rutherford is the CEO of IT consultancy QuoStar