Looking Within

The insider threat to trade secrets

When it comes to information security, many organizations rely heavily on a tactical and operational approach. The bulk of budgets and resources are directed toward technical solutions like firewalls and filters to keep the bad guys—hackers, spammers, phishers and thieves—out.

But the greatest threat to an organization’s information is already inside the firewall. It’s the organization’s own employees and the daily interaction with critical information assets that creates the greatest risk. In fact, 80 percent of all security breaches are committed by those working within an organization. These breaches happen in a variety of ways—like when employees take work home in an effort to be more productive or when they share company information with external people—because employees don’t realize the information is sensitive.

Protecting a business against insider threats is no small feat. However, there are proactive measures organizations can take to reduce the risk. It is not good enough to merely react to this problem. The stakes are too high. The key is to rethink the way trade secret information is handled and institute a lifecycle management system to acquire legal security for these most critical assets. First, comprehend the complexity and scope of information security, and then take a strategic approach that provides new levels of control and accountability.

Keep Your Eye On the Ball
One of the first things organizations must do to protect themselves is to capture critical information at the point of origin, which can range from the moment an idea is invented by research and development to the first memo about a new product launch. Organizations often fumble at this critical stage, and competitive information that drives profitability walks out the door and is lost forever.

In today’s economy, organizations are looking for ways to drive down cost, grow the bottom line and increase shareholder value. But what happens to customer and shareholder confidence when a major security or privacy mishap makes headlines? Organizations can’t afford to merely react to what’s occurring around them. They must adopt a proactive information security management approach that will secure information assets from a broad spectrum of internal and external threats.

For this approach to succeed, senior management must drive the creation of security policies and processes, and set the overall goals and objectives for enterprise-wide security. This top-down approach must be led by a dedicated champion, such as a CIO or vice president of technology, who has the authority to obtain acceptance and commitment from communities of interest across all levels of the enterprise.

Also critical to this leadership is the involvement of end users and technical experts working with information systems on a daily basis. They have in-depth knowledge, understand the strengths and weaknesses of the respective systems and what’s required to secure them. Much interaction and cooperation is needed to transform a framework into a blueprint that will be used to implement the security program.

Be Strategic
There’s no black box or silver bullet when it comes to information security. No one supplier is able to address all information security needs and issues. That’s why information security is considered an art and a science. You’re going to need some help from the experts.

As organizations shift operations to online global networks, and begin offshoring and outsourcing more and more, keep in mind that a security chain is only as strong as its weakest link. An effective information security management program is required to identify and control risk that’s introduced to the enterprise every day through people, processes, technology and diverse business models. It’s about being strategic, rather than simply tactical.

A Trade Secret Program
An organization can couple this broader approach with a series of interconnected, targeted actions to help it secure its information. Organizations can take each of these steps as part of a trade secret management system to mitigate the risk of theft, loss or misappropriation.

Inventory. Trade secrets may be found on paper and electronic documents, computer hard drives, database repositories and in people’s minds. Organizations must train employees on what constitutes trade secrets so they can participate in the process to identify them. Assign employees to create a list of potential trade secrets, and have the list submitted through supervisory channels for review and consolidation to eliminate redundancies. Record a nominated owner for each. Without an inventory, organizations are hard-pressed to inform employees as to what information is considered a trade secret. Security labeling cannot occur in a uniform manner, and proper use is not clear and definitive.

Categorize. The next critical step is to categorize trade secrets. This requires a broad framework to cover the spectrum of information that could be protected as a trade secret. Some experts recommend a 3-D categorization model composed of a subject, a format and a product (SFP). A document titled “Manufacturing Process for Digital Network Printer” contains a subject (manufacturing), a format (process) and a product (digital network printer). So an organization with 10 departments, each with 30 formats and 20 products, has 6,000 SFPs available for categorization. Software technologies are available to automate this process.

Identify. This is the stage that looks at the potential trade secret from a legal perspective. Does the information meet the legal requirements of a trade secret? The existence element is the most significant test in making this determination. Technology has played a role in the creation of trade secret information and the growing movement by organizations to protect information as a trade secret instead of seeking patent protection.

Technology also is under development to help automate the process of calculating existence factors. This is important because trade secrets are not static; they change. A financial report can be a trade secret today, but not after it is published tomorrow. Trade secret information is dynamic and must be managed throughout its lifecycle. For example, Mattel and MGA Entertainment became embroiled in a lawsuit over the Bratz doll design. A former Mattel designer hired by MGA was named in the lawsuit. MGA launched the doll line, but Mattel claimed it belonged to them. The designer said it was his idea and Mattel did nothing with it. These kinds of disputes can be averted with a trade secret management system.

Classify. Classification is the foundation of protection. This step involves determining what sensitivity level is required to protect the information. Most organizations use a labeling schema that consists of three to five levels. For purposes of trade secret labeling, two may be considered sufficient: Top Secret and Secret; or High-confidential and Confidential. The classification label serves as a mechanism to trigger the handling requirements that correspond with the security classification.

Trade secret information labeled Top Secret would have more stringent security controls associated with it than trade secret information labeled Secret. The classification label communicates to a handler what can and cannot be done with regard to the handling of the document. Classifications and corresponding handling procedures must be reviewed periodically to assure that the proper security protocols are being applied. For example, failed research may derive greater value over time in light of the competitive landscape, while on the other hand, successful products and corresponding trade secrets may become obsolete. In a court of law, it would be difficult for an organization to claim ownership of valuable information that was not properly identified and labeled.

Undergo valuation. Determining the actual value of trade secret information is essential to this management system. If an organization does not know the value of the trade secret it is trying to protect, it does not know how much money, time and resources should be allocated to protect it. In the legal community, trade secrets are generally recognized as financial assets and are subject to Sarbanes-Oxley regulatory requirements. Proper valuation allows for assetization like physical assets. Once trade secrets are assetized, new possibilities may be realized. They may be insured, licensed and even used as collateral for loans. Unfortunately, organizations that are forced to litigate losses must perform legal audits to create a snapshot of the organization’s crown jewels. What did it cost to develop? How much does it cost to maintain? What revenue loss would occur from a compromise of the information? What benefit would it be to a competitor? These are critical questions that must be answered before the fact, not after. The alternative is sobering. Damage to reputation is difficult to quantify, but the expense of legal audits is not. The meter will run a long time to perform all of the steps. It would make better sense to implement a system to control and manage trade secret information throughout its lifecycle for legal security.

Securing the Lifecycle
Lifecycle management of the most critical organizational assets is a daunting task, but technologies are emerging to automate and semi-automate these five steps. The application of security controls is dependent on where the asset is in its lifecycle. The value may not be fully known at the time of creation, so it would be advisable to apply the highest classification level at that time. Additional trade secret projects, products and strategies are likely to emerge throughout the development phase, depending on the type of trade secret. This framework offers a better means to review and evaluate trade secrets to make decisions, which may include seeking protection under patent law. As trade secret ideas and innovations evolve toward production, they will likely be subjected to a wider distribution, resulting in greater exposure and risk to confidentiality. Trade secrets may require evaluation for licensing and other profitability considerations. At some point, a trade secret may become obsolete.

The Bottom Line
Perhaps at no other time in history has information been more valuable and increasingly vulnerable at the same time. Security must be smarter and more strategic than ever before. Senior executives must wake up and get a firm grip on risk or find themselves and their organization amidst a nightmare.

Information security is about protecting data. Yet the industry is evolving and it is abundantly clear that greater attention and layers of security are being applied to specific types of information. This includes privacy protected information under regulatory law, security standardization for the payment card industry, trade secrets under Sarbanes-Oxley and The Economic Espionage Act of 1996. This kind of security requires vigilance combined with good intelligence and good security practices that integrate with the business model.

Malicious attackers are looking for the fault lines in enterprise security and will exploit them to accomplish their purposes. It is important to keep an eye on the ball and implement a trade secret lifecycle management system that better safeguards important information assets. There can be no alibi for failure: Identify what is important and protect it.
