There is increasing news coverage and concern over IP theft, reflecting a rapid rise in industrial espionage and exploitation. For adversaries, incentives range from seeking competitive advantage to organised crime doubling down on ransom activities for financial gain. Those activities include both denial-of-service attacks and threats to leak commercially sensitive information, not to mention the selling of critical IP. The stakes are high for businesses of all sizes.
According to AON’s CEO of IP, Lewis Lee, “Intangible assets often constitute at least 50% of the value of a company and, for a tech or innovation-led services business, that value can be upwards of 85%”. From an investor and M&A perspective, buyer beware: the loss of IP and competitive advantage has the potential to cause massive write-downs on a company’s value.
There are also potentially more sinister motivations from state actors. As geopolitical events now make cyber warfare a frontline activity, IP theft and the knowledge gained from it are becoming a long-game armoury for future offensives. As digital increasingly meets physical with the growing scope of IoT, the control systems embedded in the transitional technologies that underlie our energy, transportation, water and food security become weapons of attack.
Gaining an understanding of technologies in their infancy allows threat actors to build a deep understanding of how best to penetrate and exploit weaknesses, in order to bring down and disrupt mass infrastructure. Many of the leading technologies that will be the foundation of our near-term and future transition are being pioneered by smaller innovative companies, either as leads on technology or as part of broader supply chains. The IP and knowledge of systems are therefore distributed across multiple organisations, allowing adversaries to infiltrate at multiple points in order to assess potential attack vectors and assemble an overall picture of technologies and systems that are and will be coming online.
We spoke on the topic to our chairman James Stuart, who has operated in combating complex threat networks, and he shares his views:
“Companies need to deploy integrity and compliance capabilities to make sure that they are working with partners and clients who they can trust and rely upon. The degree of sophistication a company applies to its integrity and compliance services obviously varies from case to case and the depth of care taken may have to be extensive and wide ranging, especially if the company is operating in a highly complex integrity risk environment – for example in the new world of global sanctions regimes. In addition to the requirements for key policies, procedures, representation and warranties and other controls, there needs to be added the absolute imperative to make sure that rivals do not seek to gain advantage by cheating, specifically by stealing intellectual property – which is on the rise. This way of shortcutting to get competitive advantage is not novel but what is new is the way competition, in some cases using State sponsored capabilities, is now exploiting the vulnerable parts of a network, rather than targeting the prime’s fortress, in order to gain benefit.
This makes detection and attribution much harder to identify and then hold someone to account. It is becoming more difficult, and more expensive, to be able to seek justice for a theft that may have happened several tiers down in a supply chain and across several companies and clients. The first step in the fight to preserve hard-earned capabilities is for the “at risk” owner to understand, as far as possible, their own network. They need to be able to map their relationships so they can begin to see potential vulnerable points and then take remedial steps to shore up the chinks in their armour.
Once the vulnerabilities are mapped, controls need to be implemented to ensure key defences are erected as far upstream as possible and, if those defences fail, then the mapping will make detection faster and subsequent investigation much easier to target which, in turn, means that resolution is now more evidence based and so more likely to succeed. The cyber risk community has long since recognised the need to help humans in the system avoid opening the company to risk and the same sector has also taken great strides, recently, to help companies map out their networks and specifically their supply chain relationships to help manage risks. These same tools and processes need to be adapted to help companies tighten up the security of one of their critical elements – their intellectual property.”