Protecting intellectual property (IP) is a challenging task for companies, especially when it needs to be shared with business partners. The risks increase significantly when IP is exposed to external parties, as once it falls into the wrong hands, it becomes nearly impossible to regain control. While contractual obligations and insurance can offer some financial relief, they cannot undo the damage caused by the disclosure of corporate secrets or the potential exploitation by competitors.
From a technological perspective, Chief Information Security Officers (CISOs) have a few options to limit user access and enhance IP protection. One approach is to adopt a zero trust network architecture (ZTNA) tool instead of traditional virtual private network (VPN) remote access. This enables more granular control over who can access certain resources. Role-based access control (RBAC) based on data classification, tokenization, and other security controls can also be implemented. Additionally, identity access management (IAM) solutions can help restrict access to authorized personnel.
However, it is important to note that not all IP requires the same level of security controls. Each organization has its specific types of IP that require different protection measures. Aaron Tantleff, a partner at Foley & Lardner LLP, emphasizes that the value of the IP, both in monetary terms and for the company’s operations, determines the necessary security measures. As a result, organizations may implement varying security controls based on their critical IP versus IP with lower value.
When it comes to sharing IP with partners, traditional technologies and even some emerging zero-trust-based approaches offer limited security. Companies often share only specific portions of their IP with business partners, granting access to the necessary information without divulging everything. For instance, false steps or obfuscation techniques can be added to the shared IP, making it less useful to unintended recipients. Modified details and obfuscated elements, such as project code names or renamed functionalities, add an extra layer of protection.
Jennifer Urban, co-chair for Cybersecurity & Data Privacy at Foley & Lardner’s Innovative Technology sector, suggests another strategy to limit vulnerabilities related to IP sharing. By retaining all IP within the company’s own system and granting access to partners locally, the exposure to risks associated with third-party risk management (TPRM) is minimized. Urban advises prioritizing vendors based on the type of IP they receive and minimizing the transmission of IP whenever possible.
However, some common misconceptions regarding IP persist among CISOs and corporate executives. Peter Wakiyama, an intellectual property expert and partner at Troutman Pepper, highlights two important issues. Firstly, the absence of immediate harm, such as a data breach, does not imply that no legal consequences exist. Companies must consistently make reasonable efforts to keep trade secrets and confidential information secure.
The second misconception pertains to ownership rights. Simply paying for the creation of IP does not guarantee full ownership. Depending on the agreements and circumstances, vendors and developers may retain significant IP ownership rights, including patents and copyrights. Clear contractual agreements should be in place to establish the ownership and usage rights of IP.
Andi Mann, founder of the management advisory firm Sageable, emphasizes that protecting IP should be approached from both a technological and human perspective. While technologies such as audits, monitoring tools, and network visibility solutions play a vital role, it ultimately comes down to people and their actions. Implementing controls, understanding the reasons behind accessing specific IP, and limiting access based on genuine needs can help mitigate risks effectively.
In conclusion, safeguarding intellectual property is a complex endeavor, particularly when sharing it with business partners. Companies can leverage various technological measures, such as ZTNA and RBAC, to limit user access and enhance IP protection. Different types of IP require different security controls based on their value. Additionally, strategies like sharing only necessary portions of IP and obfuscation techniques can add an extra layer of defense. It is crucial to address common misconceptions about IP, including the need for continuous protection and clear ownership agreements. Ultimately, a comprehensive approach that combines technology with human factors is necessary to protect intellectual property effectively.