Contact Us

data protection:
Securing your
crown jewels

Author: Phil Muncaster

In May 2020, U.S. authorities issued a public service announcement regarding state-sponsored attackers trying to steal COVID-19 vaccine research. It was an extreme example of the lengths some parties will go to obtain intellectual property (IP). But while most IP theft isn't a life-or-death matter, intellectual property protection could represent an existential challenge for many organizations.

Intellectual property data protection requires multilayered defense, including proactive threat detection and response, to stop attacks before they can cause lasting damage.

What's the scale of IP theft?

As IP breaches are largely unregulated, the true extent of espionage in this area is hard to gauge. However, individual incidents point to the tip of what could be a very large iceberg. Recent disclosures include:

The stakes of intellectual property protection

IP theft isn't directly regulated by privacy laws, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which address the protection of personal data and personal information. However, even without the threat of regulatory fines, there's plenty to keep chief information security officers awake at night. The main impact of a disclosed intellectual property theft can be summarized as follows:

  • Reputational damage that impacts investors and customers
  • A hit to the victim organization's share price
  • The huge cost of remediation and IT forensics
  • Lost competitive advantage and/or customer contracts
  • Rising insurance premiums
  • National security issues, if military or dual-use technology gets in the hands of a hostile nation

Attackers and attack vectors

Several potential threat actor types are relevant in intellectual property data protection. These include:

  • State-sponsored attackers looking to steal for geopolitical gain or to aggrandize "national champion" companies.
  • Malicious insiders who may have a grudge to bear or are working with foreign governments, cyber crime organizations or competitors to line their pockets.
  • Ransomware groups that steal sensitive data before attempting to encrypt it, in order to force a ransom payment. Verizon detected a 6% year-on-year increase in ransomware in data breach incidents in 2021.
  • Organized criminals looking to steal sought-after IP to sell to the highest bidder.

These actors steal IP in the same way they do customer and employee data. According to Verizon's 2021 analysis of global data breaches, some of the top vectors for attack are:

  • Web applications, representing more than 20% of all breaches
  • Stolen or brute-forced credentials, present in 61% of breaches
  • Phishing and social engineering, present in nearly 40% of breaches
  • Exploited vulnerabilities, which accounted for 3% of breaches

How to improve intellectual property data protection

So how can you secure the corporate crown jewels and keep IP safe from compromise? It all boils down to implementing intellectual property data protection measures. That means taking a risk-based approach as follows:

  1. Data discovery and classification: Understand what assets you own and classify them according to your corporate risk appetite.
  2. Map data flows: Understand how this data is managed, who accesses it and where it flows through the organization, including to any relevant third parties.
  3. Apply best practice security controls: These could include strong encryption; anti-malware at the endpoint, server, network, cloud workload and email layers; and data loss prevention. Identity and access management, including least privilege access policies and multi-factor authentication, along with network segmentation and user behavior analytics, can also help mitigate the insider threat.
  4. Get proactive with threat detection: Alongside defensive controls, deploy threat detection and response tools designed to rapidly identify any suspicious activity and support fast reaction times to stop attacks in their tracks.
  5. Continuously assess risk: Run periodic checks to understand how your security controls are performing, as well as where your key assets are, what vectors and threats are most immediate, and where your main vulnerabilities are.
  6. Adjust policies: Based on regular risk assessments, tweak policies to optimize their effectiveness. These could cover things like patch and configuration management, security awareness training and access controls.

Learn more about how Verizon's managed detection and response services could help you protect your intellectual property.


What's at risk if I don't protect IP? +
  • Organizations face major reputational and financial damage. This could relate to IT investigation and forensics costs, lost competitive advantage, a falling share price and rising insurance premiums. In this context, proactive cyber security is the best way to mitigate business risk.

What controls can help with intellectual property protection? +
  • A layered defense-in-depth approach that features anti-malware at the endpoint, server, network, cloud workload and email layers can help. Most important is to conduct regular risk assessments to understand where your sensitive IP is, who can access it, how effectively it's being protected and where your main vulnerabilities are.

What are examples of intellectual property? +
  • Common types of intellectual property include patents, copyrights, logos and trademarks, although there are many others.

What is the purpose of intellectual property law? +
  • Intellectual property law is designed to protect the rights of intellectual property owners.

Who owns intellectual property? +
  • Depending on the type of intellectual property (patent, trademark, copyright), the creator or creators of the intellectual property may be the owner(s); but this may be modified, for instance, by employment and/or contractual agreements.