Intellectual Property Protection: The Basics
Your company's intellectual property, whether that's patents, trade secrets or just employee know-how, may be more valuable than its physical assets. This primer covers establishing basic policies and procedures for intellectual property protection.
By Derek Slater
Phone lists? Paper shredders? Sounds a little extreme.
Security pros have to understand the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of "competitive intelligence" researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who'll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO's chair. But most threats to your information operate in a gray zone.
To build solid defenses, consider how snoops work:
- They look for publicly available information.
Leonard Fuld, a competitive intelligence expert, says more damage is done by a company's lax security than by thieves. Consider these common examples: Salespeople showing off upcoming products at trade shows. Technical organizations describing their R&D facilities in job listings. Suppliers bragging about sales on their websites. Publicity departments issuing press releases about new patent filings. Companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record. Employees posting comments on Internet bulletin boards.
All of that data tells a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility or refocus their research in a profitable direction.
- They work the phones.
John Nolan, founder of the Phoenix Consulting Group, has some amazing stories of what people will tell him over the phone. This is the man who got his fingers burned in the infamous "dumpster diving" espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won't comment on the case, which was settled out of court, but he insists that there's no need for his company to break the law. "In our experience, it's just not worth it," he explains.
Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That's because the more Nolan knows about the person who answers the phone, the better he can work that person for information.
"I identify myself and say, 'I'm working on a project, and I'm told you're the smartest person when it comes to yellow marker pens. Is this a good time to talk?'" says Nolan, describing his methods. "Fifty out of a hundred people are willing to talk to us with just that kind of information."
The other fifty? They ask what Phoenix Consulting Group is. Nolan replies (and this is true) that Phoenix is a research company working on a project for a client he can't name because of a confidentiality agreement. Fifteen people will then usually hang up, but the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files. The first file is information for his client, and the second is a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details such as their hobbies or where they went to graduate school.
Often business intelligence gatherers use well-practiced tactics for eliciting information without asking for it directly, or by implying that they are someone they aren't. This is the tactic known as "social engineering." Such scams might also include "pretext" calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member's secretary who needs an address list to mail Christmas cards.
Most of those calls are not illegal. Lawyers say that while it is against the law to pretend to be someone else, it's not illegal to be dishonest.
- They go into the field.
During the technology boom, one early-morning flight from Austin to San Jose earned the nickname "the nerd bird." Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals to overhear discussions among coworkers or to sneak a peek at a fellow passenger's PowerPoint presentation or financial spreadsheet.
Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. An operative working for the competition might corner one of your researchers after a presentation, or pose as a potential customer to try to get a demo of a new product or learn about pricing from your sales team. Or that operative might simply take off his name badge before approaching your booth at a trade show.
Employees must know not to talk about sensitive business in public places, and how to work with the marketing department to make sure the risks of revealing inside information at a trade show don't outweigh the benefits of drumming up business.
Job interviews are another possible leak. Daring competitors may risk sending one of their own employees to a job interview, or they could hire a competitive intelligence firm to do so. Conversely, a competitor might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.
- They put the pieces together.
In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they're valuable, and nondisclosure agreements may protect your company further. What's more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture, and how a simple company phone list becomes a weapon in the hands of snoops like John Nolan.
Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company. None of that constituted a trade secret or even, necessarily, strategic information. But Nolan saw a picture forming.
"What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable," Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan's firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition's plans.
- Some go beyond the gray zones.
Other countries may have vastly different ethical and legal guidelines for information gathering. Almost everything we've talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there's another realm of corporate sleuthing, using bugs, bribes, theft, even extortion, that is widely practiced elsewhere.
In his days as a global security consultant, Motorola's Boni saw several things happen that probably wouldn't happen in the U.S. A bank in South America that suspected espionage brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. "They found 27 different devices," Boni recalls. "The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them."
Espionage is sometimes sanctioned - or even carried out - by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country's economy.
That's why no single set of guidelines for protecting intellectual property will work everywhere in the world. The CSO's job is to evaluate the risks for every country the company does business in, and act accordingly. Some procedures, such as reminding people to protect their laptops, will always be the same. But certain countries require more precautions. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.