Cybersecurity is key to IP strategy
Cyber takes centre stage: The Warren Centre's Ashley Brinson and Verizon's Rob Le Busque
Cybersecurity is big business and an increasingly important business issue, and these days it is central to any discussion about protecting intellectual property.
Certainly this was the case with the discussions at InnovationAus.com’s Intellectual Property – Your Business Here and Abroad seminar in Sydney.
The discussion around cybersecurity at the event centred on the dangers of having trade secrets stolen. After peaking in 2012, espionage has declined slightly as a motive for hack attacks, but only in a relative sense. The absolute number of attacks is still rising.
More than one in ten cyber-attacks are classified by the annual Verizon Data Breach Investigations Report (DBIR) as ‘espionage’.
The numbers were quoted by Verizon’s Rob Le Busque, an Australian who is global head of international strategy and sales for Verizon’s Enterprise Solutions division. The report aggregates cybersecurity data from 40 agencies around the world, including the Australian Federal Police.
“Cyber-espionage features external threat actors infiltrating victim networks seeking sensitive internal data and trade secrets,” said Mr Le Busque. “The actors are predominantly state-affiliated groups, although organised criminal groups, competitors and nation states are also mixing it up.”
But in the Asia Pacific, the proportion of cyberattacks motivated by espionage, usually to steal trade secrets, is twice as high, at 21 per cent of all attacks. “Three quarters are financially motivated, smash and grab, stealing data that they can monetise quickly.”
“Over 90 per cent of espionage attacks involved trade secrets, where hackers have gone into commercial organisations looking for information proprietary or secret to that organisation, that they can steal for their own benefit or to monetise in the market.
“We can’t geolocate all of the cases, but where we can, in 94 per cent of cases it is North Asia. You can draw your own conclusions. Eastern Europe is the hotbed for financial theft, credit card credentials, log-in credentials. North Asia is the hotbed for IP theft, either state sponsored or advanced systems threats, where gangs organise to steal trade secrets to sell on the black market or to monetise for their own purposes,” Mr Le Busque said.
“A key way to prevent cyber-based espionage is to choose your partners wisely. Half the IP-based cybersecurity attacks are helped by someone inside. It might not be an employee, but a subcontractor or someone in a partner organisation. It might be someone running your help desk, something as simple as that.
“If an attacker can compromise someone working in that partner organisation they can get credentials they can use to break in. That’s an asymmetrical threat that can happen to small organisations as well as large ones.
“There are very practical measures you can put in place to prevent that – clean data rooms, physical security, key personnel signing confidentiality agreements, and the like. That’s a critical aspect in protecting yourself against this type of cybercrime.”
Ashley Brinson, Executive Director of Sydney University’s Warren Centre, echoed these views. He spoke of three levels of protection to guard against the theft of IP.
“The first and most important is behaviour. Train your employees on what IP is, especially if you are operating in a country that has little awareness of it. China has a communist past, where the government owned all the factories, so there isn’t much awareness of the concept of IP among the general public.
“You can teach employees about privilege principles – where no one person knows everything that is going on. Separate information between departments, depending on your size. Put critical pieces of the technology inside a black box, a place where no-one ever sees how it works,” Mr Brinson said.
“Then there is physical security – locked server rooms, knowing who comes into the premises. And the third is cyber security. There is a lot of sophisticated IT out there. You should learn how to encrypt your laptop, for example. There is a lot you can do that is free or doesn’t cost very much.
“You can create deterrents through your behaviour. There is a saying in China - kill the chicken to scare the monkey. React ferociously to people who steal your secrets, and that will give you the reputation of someone who protects their property.”
Mr Le Busque said that the single most common way of accessing people’s IT infrastructure is through phishing emails. “It is very effective, with a one in ten opening rate, despite all the education warning against them. And it costs very little. The average time for an attack to exfiltrate data is just 1 minute 40 seconds.
“In many cases that breach is not found for months, or even years, and just 3 percent of people who get the emails report them as suspicious. That just shows how important awareness and training is,” he said.
“Phishing provides a number of advantages over many other exploit approaches. It provides a mechanism for attackers to target specific people in an organisation. And by using a service that is necessary for business communication to the internet, it allows an attacker to bypass many security devices and gain a foothold on an endpoint in the organisation from a remote attack.”
IP Australia assistant director Casey Martone, speaking to InnovationAus.com on the sidelines of the seminar, said the organisation was getting an increasing number of enquiries about cybersecurity.
“We don’t have a lot of information on the subject, but startups are asking us about mechanisms for protecting their patents and trade marks, especially in international markets,” Ms Martone said.
“We are looking to work with industry more to get this expertise. IP Australia does not provide advice, but we do provide information, including where to go to get advice. Cybersecurity is becoming a really big issue,” she said.
“It’s not part of our core business, but with more organisations pushing into IT a key challenge for us is to ensure we have enough information to help companies coming to us for help.”
“We may not have all the answers, but we want to be able to point people in the right direction.”