Nine out of ten companies do not have appropriate policies and controls in place to stop employees, contractors or partners from walking out the door with intellectual property and trade secrets.
This is the conclusion from a comprehensive July 2008 report by the not-for-profit IT Policy Compliance Consortium. Given my career split between new product development and R&D, IT compliance and records management, and auditing QA/RA departments, the report’s conclusions come as little surprise. Leaving intellectual property security to lawyers and the patent office is akin to leaving the security of your belongings to the criminal court system; in other words, legal departments do not prevent intellectual property theft – they only give you an avenue to try to get restitution from its theft.
Protecting Information
Carnegie Mellon University’s CERT research think tank has followed information theft for decades and has come to two eye-opening conclusions:
- Most confidential information theft comes from people you know—employees, contractors, suppliers or even partners (especially for co-developed products); and
- More than 30% of this type of theft comes from people working in your computer department (IT/ICT).
Given all the security efforts around stopping outsiders when the real risk lies within, is it any wonder that 90% of businesses do not have any way to stop—much less even detect—intellectual property (IP) and trade secret theft?
Improving Your Chances
In my corporate workshops on putting in place practical IP theft prevention controls, I give my clients a brief set of “yes/no” questions to answer on their own. These questions are straightforward and easily answered in less than 30 minutes. For instance, “Do you have a ‘clean desk’ policy for sensitive or confidential information?”
The goal of these questions is to help my clients quickly outline their weaknesses—and their strengths. In this way, we can quickly shift into discussing solutions.
And while many executives need a more detailed security and controls audit with prioritized recommendations, keep in mind that a half-dozen quick-fixes implemented now can stop today’s disgruntled employee or frustrated contractor from sabotaging your work.
Two Quick Fixes to Take Today
Ask yourself, What documented proof do we have that our policies are being followed?
For instance, a typical “clear desk” policy requires personnel to clear their desk and office area of confidential information before they leave for the day, locking it in a file cabinet, turning it back over to the document specialist for filing and so on.
When companies state they do this, my reaction is always to be skeptical. How do you know this is actually being followed? For example, if employees turn sensitive material over to an archivist, that individual should have log files that can be reviewed. Yet for a “clear desk” policy, what proof is there that employees are clearing their desk and securing their office area?
A simple way to test this is to simply stay late one evening and walk around, from cubicle to cubicle, office to office. How many documents are lying about labeled “confidential” or “private” or “trade secret”? A great place to start is any shared departmental copiers, scanners, or printers.
For non-labeled documents you do find, how many of these can you quickly recognize that should be labeled “confidential” or “trade secret” (such as product drawings, market launch plans and presentations, or new drug formulations) but that aren’t labeled so and aren’t put away?
Then, take the next step. Ask your internal auditors (or hire an outside independent auditor) to include this in their regular audit routine. Assuming no other extenuating circumstances, I usually suggest my clients audit this once or twice a year (perhaps more for habitual “offender” departments).
Final Thoughts
I’ve made a free version of my intellectual property theft prevention checklist available for download. You can use this to quickly assess your strengths and opportunities for improvement.
Are you ready?
Adapted from an article published in SmarterCompliance 2(9), February 2008