-
Organizations face major reputational and financial damage. This could relate to IT investigation and forensics costs, lost competitive advantage, a falling share price and rising insurance premiums. In this context, proactive cyber security is the best way to mitigate business risk.
In May 2020, U.S. authorities issued a public service announcement regarding state-sponsored attackers trying to steal COVID-19 vaccine research. It was an extreme example of the lengths some parties will go to obtain intellectual property (IP). But while most IP theft isn't a life-or-death matter, intellectual property protection could represent an existential challenge for many organizations.
Intellectual property data protection requires multilayered defense, including proactive threat detection and response, to stop attacks before they can cause lasting damage.
What's the scale of IP theft?
As IP breaches are largely unregulated, the true extent of espionage in this area is hard to gauge. However, individual incidents point to the tip of what could be a very large iceberg. Recent disclosures include:
- The FBI said in 2020 that it had around 1,000 cases open involving IP theft from China, some of which could put national security at risk.
- Chipmaker AMD revealed in March 2020 that a threat actor stole IP related to upcoming graphics hardware, with the attacker demanding a $100 million ransom.
- In April 2021, Apple was targeted in a $50 million ransomware attack after threat actors claimed to have stolen schematics on current and future MacBook products from a supplier.
- In June 2021, hackers broke into gaming giant Electronic Arts and stole source code.
- In 2017, attackers stole 1.5 terabytes of data from HBO including unreleased scripts and videos for flagship shows including "Game of Thrones."
The stakes of intellectual property protection
IP theft isn't directly regulated by privacy laws, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which address the protection of personal data and personal information. However, even without the threat of regulatory fines, there's plenty to keep chief information security officers awake at night. The main impact of a disclosed intellectual property theft can be summarized as follows:
- Reputational damage that impacts investors and customers
- A hit to the victim organization's share price
- The huge cost of remediation and IT forensics
- Lost competitive advantage and/or customer contracts
- Rising insurance premiums
- National security issues, if military or dual-use technology gets in the hands of a hostile nation
Attackers and attack vectors
Several potential threat actor types are relevant in intellectual property data protection. These include:
- State-sponsored attackers looking to steal for geopolitical gain or to aggrandize "national champion" companies.
- Malicious insiders who may have a grudge to bear or are working with foreign governments, cyber crime organizations or competitors to line their pockets.
- Ransomware groups that steal sensitive data before attempting to encrypt it, in order to force a ransom payment. Verizon detected a 6% year-on-year increase in ransomware in data breach incidents in 2021.
- Organized criminals looking to steal sought-after IP to sell to the highest bidder.
These actors steal IP in the same way they do customer and employee data. According to Verizon's 2021 analysis of global data breaches, some of the top vectors for attack are:
- Web applications, representing more than 20% of all breaches
- Stolen or brute-forced credentials, present in 61% of breaches
- Phishing and social engineering, present in nearly 40% of breaches
- Exploited vulnerabilities, which accounted for 3% of breaches
How to improve intellectual property data protection
So how can you secure the corporate crown jewels and keep IP safe from compromise? It all boils down to implementing intellectual property data protection measures. That means taking a risk-based approach as follows:
- Data discovery and classification: Understand what assets you own and classify them according to your corporate risk appetite.
- Map data flows: Understand how this data is managed, who accesses it and where it flows through the organization, including to any relevant third parties.
- Apply best practice security controls: These could include strong encryption; anti-malware at the endpoint, server, network, cloud workload and email layers; and data loss prevention. Identity and access management, including least privilege access policies and multi-factor authentication, along with network segmentation and user behavior analytics, can also help mitigate the insider threat.
- Get proactive with threat detection: Alongside defensive controls, deploy threat detection and response tools designed to rapidly identify any suspicious activity and support fast reaction times to stop attacks in their tracks.
- Continuously assess risk: Run periodic checks to understand how your security controls are performing, as well as where your key assets are, what vectors and threats are most immediate, and where your main vulnerabilities are.
- Adjust policies: Based on regular risk assessments, tweak policies to optimize their effectiveness. These could cover things like patch and configuration management, security awareness training and access controls.
Learn more about how Verizon's managed detection and response services could help you protect your intellectual property.
FAQs
-
A layered defense-in-depth approach that features anti-malware at the endpoint, server, network, cloud workload and email layers can help. Most important is to conduct regular risk assessments to understand where your sensitive IP is, who can access it, how effectively it's being protected and where your main vulnerabilities are.
-
Common types of intellectual property include patents, copyrights, logos and trademarks, although there are many others.
-
Intellectual property law is designed to protect the rights of intellectual property owners.
-
Depending on the type of intellectual property (patent, trademark, copyright), the creator or creators of the intellectual property may be the owner(s); but this may be modified, for instance, by employment and/or contractual agreements.