How to know where the intellectual property is - and then protect it

I have the thankless job of protecting company secrets from breaches. My efforts are increasingly in the spotlight with every new article on the TJX breach. How can large companies, like mine, know where their intellectual property is and how to protect it when it changes daily?

Another day, another headline in the mainstream media about a big company losing control of its data. Recent word from TJX shows that its costs for breach cleanup may exceed $250 million. This of course gets the attention of your executive suite, which wants to know what YOU are doing to prevent this from happening at your company. I am happy to say there is plenty you can be doing. The technology has finally caught up with our security needs in watching and protecting our intellectual property (IP).

Three Step Process

There are three major steps in finding and protecting the crown jewels of your company. Each of these is a project in its own right and will take time and energy. Together, however, they provide a flexible security program that meets the needs of your business and follows the data as it travels. The approach works: I have seen it implemented successfully at firms of all sizes and have deployed the same solutions myself. In short, the three steps are:

* Get to Know Your Business

* Scan for IP

* Create Controls and Protections

Knowing your Business

This is the cornerstone of any successful IP protection architecture, and thus of your security career. You must learn to speak the language of business, specifically your business. Become the wise counselor to the heads of your various business units. Knowing your business processes tells you three important things about your IP. It helps you to:

* Learn where your IP lives

* Learn which IP is most important

* Learn how it moves from point-to-point

Scan for IP

Once the business units have helped decide what IP they own and its relative value, you need a process to scan for it. Most of your IP will be internal, so let's begin with that process.

Internal scan

There are several technologies that can automate an IP scan. Some you may already have in place and never thought of using from a security perspective. A content monitoring solution is a natural place to begin: it is cost-effective, can inspect IP as it transits to and from the Internet, and may also scan your network repositories and desktops, so it covers both data in motion and data at rest. It is a versatile solution. You may already have a database monitoring solution in place for compliance; consider leveraging it to look for your most important IP. Use an enterprise forensic/eDiscovery tool if you have it deployed. Why wait for an investigation to use this rather expensive tool? It is ideally suited to manual scans for IP and its locations. Be prepared for some surprises here: not everyone follows your data classification policy, so expect to find restricted material on personal shares, in e-mail archives and on desktops where the policy says it should never be.

External scan

Once your internal scans are in progress, begin to use search engines such as Google to look for that same valuable IP: search for your codenames, classification markers and distinctive phrases from your most valuable documents, restricted to common document file types and excluding your own domain. Think Google hacking, but for trade secrets instead of servers, routers and switches. Think of it as a penetration test for information.
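As an added example (not code from the column or from any product it mentions), here is a small Python scanner that runs both halves of the scan: it walks a file share looking for classification markers, a hypothetical product codename and leaked private keys, scores each file, and then builds the search-engine queries for the external scan from the same terms. The share, its files, the codename "Project Thunderbolt" and the domain example.com are all constructed for the demonstration; a production content-monitoring tool would also parse Office and PDF formats and index e-mail and databases rather than reading raw bytes.

```python
"""Internal IP scan over a file tree plus the matching external-search
queries. Added example, not code from the original column; every path,
marker, the codename and the domain are constructed for the demo."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Signatures: (regex, weight). Weight reflects how strongly a hit implies
# the file holds real IP; the codename is hypothetical.
SIGNATURES = {
    "trade-secret marker": (re.compile(r"\btrade secret\b", re.I), 3),
    "private key": (re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), 3),
    "codename": (re.compile(r"\bproject\s+thunderbolt\b", re.I), 2),
    "confidential marker": (re.compile(r"\bconfidential\b", re.I), 1),
}
MAX_BYTES = 5 * 1024 * 1024  # cap per file; real tools parse Office/PDF too


@dataclass
class Finding:
    path: str
    hits: dict = field(default_factory=dict)  # signature name -> match count
    score: int = 0

    @property
    def classification(self) -> str:
        return "restricted" if self.score >= 3 else "confidential"


def scan_file(path: str):
    """Return a Finding if any signature matches, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(MAX_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return None
    finding = Finding(path)
    for name, (pattern, weight) in SIGNATURES.items():
        count = len(pattern.findall(text))
        if count:
            finding.hits[name] = count
            finding.score += weight
    return finding if finding.hits else None


def scan_tree(root: str):
    """Walk a share and return findings, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found = scan_file(os.path.join(dirpath, name))
            if found:
                findings.append(found)
    findings.sort(key=lambda f: (-f.score, f.path))
    return findings


# External scan: the same terms as search-engine queries (Google hacking
# for trade secrets), limited to office document types and excluding our
# own site so only copies that escaped show up.
SEARCH_TERMS = ['"Project Thunderbolt"', '"Example Corp" "trade secret"']
DOC_TYPES = ("pdf", "doc", "xls", "ppt")


def external_queries(own_domain: str = "example.com", terms=SEARCH_TERMS):
    return [f"{term} filetype:{ext} -site:{own_domain}"
            for term in terms for ext in DOC_TYPES]


# Constructed stand-in for a departmental file share.
SAMPLE_FILES = {
    "finance/q3-forecast.txt": "CONFIDENTIAL - Q3 revenue forecast. Do not distribute.\n",
    "eng/design-notes.txt": "Project Thunderbolt sensor firmware notes - Confidential\n",
    "public/lunch-menu.txt": "Tuesday: tacos. Wednesday: pizza.\n",
    "users/bob/laptop-backup.txt": (
        "trade secret process parameters, copied from the lab\n"
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
    ),
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="ipscan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f.classification:12} {f.path}  {f.hits}")
    print("\n".join(external_queries()))
```

Run it and the user's laptop backup ranks first: a trade-secret marker plus a private key on a personal share is exactly the surprise the classification policy said should never happen. The query list is meant to be pasted into a search engine by hand; the script deliberately does not contact one.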

Creating Controls and Protections

Once you've found your information and are learning how it is used within your company, you will need policies based on how your business works. Use technology to watch information use and enforce the policy, and interconnect your technologies to provide layers of protection. For example, use your content monitoring solution to "see the data." Once the data is discovered and its value understood, an encryption gateway can apply protection automatically: your policy states that IP of a certain value must always be encrypted, and the gateway enforces that without user intervention. Also provide encryption for use on an ad hoc basis (USB drives, DVDs and the like); not all IP leaves an enterprise over the Internet, some goes out on mobile devices. Create a user-friendly encryption solution for this path. If it's user-friendly, it is much more likely to be used.

Just like your network, you must layer your defenses for IP. If I were to choose a starting point it would be content monitoring, which in fact I have done in practice. It offers a picture of what my IP is and how it travels, and it allows for basic controls and protections, all at a good value point for your budget. Lastly, work with your business unit heads. Become their ally when they want to advance the business, and provide a secure, user-friendly means of carrying out their goals. In short order you become an invaluable resource instead of an impediment.
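To make the "encrypt always" rule concrete, here is an added Python example of the enforcement decision a content monitor or encryption gateway makes; it is not taken from the column or from any product. It combines the classification a scan assigned to a file with the egress channel and destination, and uses a byte-entropy heuristic so that data a user already encrypted for a USB drive is not wrapped a second time. The policy table, the channels, the approved partner domain partner.example.net and the sample payloads are all assumptions for the demonstration; the entropy test is a heuristic that also fires on compressed data and is no substitute for the gateway keeping its own record of what it encrypted.

```python
"""Policy enforcement for IP leaving the enterprise. Added example, not
code from the original column; the policy table, channels, partner domain
and payloads are constructed for the demo."""
import hashlib
import math
from collections import Counter

# Layered policy: classification x channel -> action. "encrypt" means the
# gateway wraps the data automatically, with no user intervention.
POLICY = {
    "public":       {"internet": "allow",   "email": "allow",   "removable": "allow"},
    "confidential": {"internet": "encrypt", "email": "encrypt", "removable": "encrypt"},
    "restricted":   {"internet": "block",   "email": "block",   "removable": "encrypt"},
}
# Hypothetical partner allowed to receive restricted data, encrypted only.
APPROVED_PARTNERS = {"partner.example.net"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic content monitors use: ciphertext (and compressed data) sits
    near 8 bits/byte, text and most documents well below. A short sample
    cannot reach high entropy at all, hence the size floor."""
    return len(data) >= 1024 and shannon_entropy(data) > 7.5


def decide(classification: str, channel: str, payload: bytes,
           destination=None) -> str:
    """Return allow / encrypt / block for one egress event."""
    action = POLICY[classification][channel]
    if action == "block" and destination in APPROVED_PARTNERS:
        action = "encrypt"   # approved exception, but encryption still enforced
    if action == "encrypt" and looks_encrypted(payload):
        action = "allow"     # already protected; do not double-wrap
    return action


def enforce(events):
    """Evaluate (name, classification, channel, payload, destination) events
    and return an audit list of (name, action)."""
    return [(name, decide(cls, chan, payload, dest))
            for name, cls, chan, payload, dest in events]


# Constructed payloads: repeated forecast text vs. a SHA-256 chain standing
# in for ciphertext (deterministic, so the demo is reproducible).
PLAINTEXT = (b"CONFIDENTIAL Q3 revenue forecast: region west up 4%, east flat. ") * 64


def fake_ciphertext(n: int = 4096, seed: bytes = b"demo") -> bytes:
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_EVENTS = [
    ("forecast.xls -> webmail",  "confidential", "email",     PLAINTEXT,         "mail.example.org"),
    ("forecast.xls.gpg -> USB",  "confidential", "removable", fake_ciphertext(), None),
    ("design.doc -> file host",  "restricted",   "internet",  PLAINTEXT,         "upload.example.org"),
    ("design.doc -> partner",    "restricted",   "internet",  PLAINTEXT,         "partner.example.net"),
    ("lunch-menu.txt -> web",    "public",       "internet",  PLAINTEXT,         "example.org"),
]

if __name__ == "__main__":
    for name, action in enforce(SAMPLE_EVENTS):
        print(f"{action:8} {name}")
```

The two restricted events show the layering: the same document is blocked on its way to an arbitrary file host but allowed, encrypted, to the one approved partner, and in neither case does the user have to do anything. In a real deployment the classification fed into decide() would come from the content monitor's scan rather than from a hand-written label.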

Tom Bowers is managing director of Security Constructs. Have a question for our insider-threat experts? Drop us a line.


Copyright © 2007 IDG Communications, Inc.
