11th May 2009
In this article Phil Heap, Head of Consultancy Services for
FAST, takes a detailed look at IP theft and how this is challenging
today’s fast-paced business world.
In particular, he provides some much-needed clarity around this
crime and explores some of the issues for companies to think about
when considering how secure their own environment needs to be.
Security lapses, intellectual property crime and owners’ rights
Intellectual Property (IP) crime manifests itself in various
ways; from physical product being sold in the traditional
marketplace and online, to the theft and illegal distribution
online of digital content such as films, music, games and
software. There is little doubt that the Internet has
facilitated a startling growth in volume and breadth of illicit
trade.
Online theft is often conducted through file sharing networks,
pirate servers, websites and hacked computers. One of the most
common methods of file sharing is via peer-to-peer networks using
technology such as BitTorrent protocols to make downloads quicker
and more efficient. A single file pirated via the Internet, shared
and made available for download in this way can result in millions
of illegal downloads and corresponding losses of revenue. Film and
music products are increasingly being copied, purchased and sold
illegally, in a black market that at times handles no physical
product.
The row between 2 Formula One racing teams, McLaren and Ferrari,
last year over the alleged theft of Ferrari’s intellectual property
(IP) brought home to many how widespread intellectual property
theft has become. This is one major instance to hit the
headlines. But in reality, the theft of intellectual property is
taking place day after day, hour after hour around the world, in
both a domestic and corporate environment. Books, journals, DVDs
and software are routinely copied without the permission of the
rights owner. That the rights owner may have rights is conveniently
and routinely forgotten, or ignored, as is any awareness of licence
requirements.
The threat from within
IP theft is already costing UK businesses around £10 billion a year;
that’s 4% out of an IT spend of £250 billion. And technology, through
personal devices,
such as iPods, cameras and particularly removable storage such as
USB disks is actively facilitating this IP theft from both software
publishers and the companies themselves.
Internal IP theft via USB ports is a growing problem that almost
40% of enterprises face. Enterprises have struggled with the issue
of safeguarding themselves from internal data theft since the birth
of the floppy disk. However, the emergence of USB compatible
devices such as flash drives, MP3 players, IrDA, Bluetooth dongles,
and USB cable converters has facilitated a new wave of IP theft
within enterprises.
According to the Yankee Group’s ‘Security Leaders and Laggards
Survey’ in 2005, 37% of businesses reported the disclosure of
company information via USB drives in a 12 month period, and 62% of
these cases of IP theft resulted in the disruption of one or more
business units, a clear indicator that USB data theft is a serious
security issue that enterprises face.
A further report by Centennial Software found that UK staff have
as loose a grasp on their USB devices as they do on the policies
that relate to them. Two-thirds of respondents admitted to having
lost their portable USB storage devices at some time. And
two-thirds of this group admitted that USB sticks they’d misplaced
contained critical business information.
Keeping UK IP protected
It is just over a year since the Gowers Review, a report on the UK
Intellectual Property Framework by Andrew Gowers, set out to create
an intellectual property system for the digital age. The Report,
published on 6 December 2006, confirmed the crucial importance of IP
to the success of the UK and laid out important targeted
reforms. This included strengthening enforcement of IP
rights to protect the UK's creative industries from piracy and
counterfeiting, providing additional support for British businesses
using IP in the UK and abroad and striking the right balance to
encourage firms and individuals to innovate and invest in new ideas
while ensuring that markets remain competitive and that future
innovation is not impeded.
The Gowers Review covers in detail:
- The way in which Government administers the awarding of IP and
provides support to consumers and business. The award and
observance of IP should be predictable and transparent, with
minimal information costs and transaction costs for firms and
citizens.
- The way in which businesses and other organisations use IP. The
structure of the IP framework should reflect the impact of economic
and technological change on the nature of intellectual assets and
their importance to businesses across different sectors.
- How well businesses, other organisations and individuals are
able to exchange and trade IP - in particular negotiating the
complexity and expense of the copyright and patent systems,
including copyright and patent licensing arrangements. Exchange of
IP should be facilitated by accurate valuation, with no barriers in
access to finance, and liquid markets.
- How well businesses and others are able to challenge and
enforce IP. Litigation and enforcement should be swift, efficient
and judicious with the optimal mix of technical and legal measures.
Businesses should be aware of the range of alternative methods to
challenge and enforce IP such as mediation and alternative dispute
resolution. These methods should be relatively inexpensive, swift,
efficient and transparent.
Additionally the report recommended that:
- Section 107A Copyright, Designs and Patents Act 1988 be
implemented, which in effect makes Company
Directors responsible and ultimately liable.
- IP theft is put on the police agenda.
It is worth noting that measuring the effect of copyright theft
can be difficult as many businesses are not aware of their own IP
and therefore do not protect it at all. If it’s not protected how
will an organisation know when it has been stolen? Companies
should also seek further education in this area.
One year on…
So, what progress has been made on addressing IP theft since the
Gowers Review was published? First of all it is worth noting that
as a result of the recommendations in the Gowers Review the risk to
UK companies who misuse software files, music or films will almost
certainly increase.
In addition since 6th April 2007, Trading Standards have had a
duty to investigate copyright offences and this year the Government
announced an additional £5 million of funds to enable Trading
Standards to carry out investigations of copyright
offences. An increased criminal penalty for online copyright offences,
from 2 years to 10 years’ imprisonment and unlimited fines, is
now in force. And there is also the potential of increased
damages payable if a company is sued for software misuse.
As a result, the awareness within organisations around licence
requirements and who takes ultimate responsibility has definitely
increased. FAST has worked with over 8,000 companies in the
last couple of years to help them on the road to compliance and
companies are becoming more aware of their legal
requirement. But the threat from within, understanding what is
happening at the employee coalface, is still a tricky issue that
many businesses are grappling with.
Careful planning and implementing best practice policies and
procedures are paramount in addressing the insider threat. Amazingly,
the number of illegal downloads from peer-to-peer networks still
outstrips legal ones by a ratio of 1 to 3. So once an organisation has defined
processes, it also needs to ensure that these are enforced
throughout the organisation.
Additionally policy and procedure reviews help with regard to
keeping up to date with current legislation, regulation, business
and technology requirements but these reviews alone cannot
guarantee a reduction in issues around security and IP abuse or
theft. All policies and procedures regarding the use of IT assets
and the security around them should be integrated into concise but
specific and realistic documentation that is available to all
relevant personnel. These documents should clearly define the
processes around various functions of the business like procurement
of IT assets and the use of the web, USB devices and the
like.
If these policies and procedures are not adhered to, then formal
disciplinary processes should also be implemented. Many
organisations do not actively enforce their IT policies and then
wonder why empty or inconsistent threats fail to encourage
behaviour change. Strong controls over usage should be in
place wherever possible, with clear disciplinary procedures if these
policies are broken, and organisations need to be constantly
reviewing and regularly policing these.
This alone will help considerably but unless these policies and
procedures are coupled with technological solutions such as web
filtering, email filtering, anti-virus, anti-malware products,
software audit and licence management solutions, it is not possible
to effectively police these policies and procedures to monitor
their efficacy in day-to-day operations.
It should be noted that often the board is guilty of assuming
that IT management has all of the measures in place to control
these illegal activities which often is not the case. In addition,
IT is tasked with the responsibility, on the assumption that they
have the training and education needed to keep the risks under
control. The reality is that more often than not they don’t -
because they simply aren’t aware of the potential implications or
they don’t have the skills and knowledge to deal with it.
Buyer beware
And finally, organised crime is seeing illegal software copies
going through the channel and organisations need to think about how
this counterfeiting can be addressed and ensure that their business
doesn’t get caught up in this. Many organisations are made
aware of issues around counterfeit software through education
services, provided by organisations like FAST, which helps
companies to make best efforts to minimise risk in this
area. For example, FAST advises companies to work with
reputable software resellers known to the marketplace with a
strong track record and not to be tempted by too-good-to-be-true
offers. If it appears too good to be true it probably is!
A sobering thought is that Directors can now face fines, or
prison sentences, if they are found to be responsible for the
illegal downloading, or file sharing of copyright material while in
the office environment. As mentioned earlier, with the recent
changes to the Copyright, Designs and Patents Act there is no
getting away from it: Company Directors are responsible, and must
act in the best interests of their organisation.
FAST works with its customers at many different levels, and the
drivers for businesses joining the FAST Compliance Programme vary
from purely looking at compliance of software vendors to plugging
gaps in ITAM, SAM and security processes in order to meet
legislative and regulatory requirements. If an organisation wants to
quickly and easily understand its risk exposure, the FAST Gap
Analysis helps to provide a ‘here and now view’ of an organisation’s
IT security and IT asset management policies and procedures and
can assist in developing more robust and workable policies and
procedures in these areas.
IP theft, security and IT compliance are an everyday part of
operating a modern business and issues in this area aren’t going
away. Companies need to make best efforts to ensure that they
are taking all the right steps to protect against risk, that they
are legal and more importantly stay legal and that they have good
policies and procedures to not only protect the business but also
their employees.