
Intellectual Property – the invisible asset


There’s been a lot said and written in recent times about digital espionage and digital theft. The discussion has focused on firewalls, anti-virus and malware programs, alert IT security people and the risk of loading private programs or commercial apps on devices that store business critical information.

What is your IP worth?
Let’s start from a more basic and more critical point – the real value in your business. What is your information worth? Yes, we are talking about the business critical information of your company. So, we include here the client list, your charging rates for services or goods, your borrowings, your strategic plan, your financial data, the nature of the contracts of your key people and your perceived competitive advantage relative to your business rivals in the market-place. So, what is that sort of information worth? We will approach the issue from a risk management point of view.

Why you must place a dollar value on it
When you start to put together your emergency management plan or your business continuity management plan, one of the really critical steps is the business impact analysis (BIA). The BIA determines, as a result of extensive questioning of different parts of the business and sometimes actual testing, how the identified risks will affect various business operations. This process establishes business priorities. It also establishes the clear linkages and contingencies between different operations of the business. The consequence analysis looks at the cost to the business if these risks are not mitigated, but become full-blown. One of the elements of that consequence analysis is placing a dollar value on the loss of functions, assets, inventory, etc.

Placing a dollar value on company assets enables us to understand their true value and relative importance to the operation of the whole business.

Ways to categorise information
It may be very difficult to assign a dollar value to a particular set of data or piece of information. A better approach is to create some categories and then apply a band of value to that category. For instance, the base category would be information that is developed, handled and stored by the company. This information may have value for the company but it equally may already be in the public domain. There is little sense placing any restriction on it and it would not damage the company if it passed into the public domain. For most companies, this band probably constitutes upwards of 60% of their information holdings.

Moving to the IP component
The next category might be information that has been provided to the company in confidence or generated internally, where disclosure to unauthorised persons or the market-place is likely to adversely affect public confidence in the business or the brand, or the company’s capacity to meet its regulatory, privacy and professional obligations. This may amount to some 30-35% of the company’s information and its loss would hurt.

The most sensitive or critical category applies to information which, if disclosed to unauthorised persons or the market-place, is likely to cause harm to the company’s strategic plans, its share price, public confidence in the business or the brand, or the company’s capacity to meet its regulatory and professional obligations. Examples might be information dealing with mergers and acquisitions, profit forecasts, restructuring proposals, customer lists, new product proposals and similar. This category may amount to 5% of all company information, but it is the essence of the company’s value.

Putting a dollar value on your customer list, the impact on your share price if business critical information is leaked, or what you hope to achieve in sales with a new product: these are not difficult. A possible approach is to pick broad bands for the two categories of information, the disclosure of which will hurt the company. Decide whether it is thousands of dollars, tens of thousands, millions, tens of millions or more.

Offer guidance – employees cannot guess this stuff
Of great importance is that you put in place guidelines to help employees assign values and ensure consistency across the company. Next, make sure that all your critical processes, proprietary information and componentry sourcing are documented. The last thing you want is to be held hostage by a long-term employee, consultant or supplier.

Who gets to see what?
With the information documented and graded, the next step to address is who should have access to it, what the conditions of that access are, who determines it and what their obligations are. The whole point of marking some information as sensitive or business critical is that only some people need to know it or have access to it. So how do you restrict it and, where appropriate, allow access to it? The obvious answer is that the information is located in a particular electronic file or on a particular server to which password access is required.

Criteria and a checking capacity
What are the criteria to determine access? Normally they are that the person will require regular or routine access to that information to perform his or her normal duties. If only occasional access may be required, then it is more appropriate for the manager to make a special arrangement and provide the material as an excerpt or summary. It has nothing to do with perceived status or the name-plate that people may have on their desk or their door. Obviously, sensitive information should not be disclosed to another employee without assurance that the recipient is an authorised person. So, those with authorised access to project information or to categories of sensitive information must be able to interrogate a password-protected database and establish or confirm that the intended recipient is an authorised person.

Management of the process
Other questions to be addressed are: who is responsible? Who oversees the process? What are the reporting lines? Who conducts periodic audits and to whom is the reporting directed? These are all vital questions and if they are not attended to, then either all the information becomes business critical or everything is dumbed down for the sake of convenience. In either event, as a company and as a manager, you lose. Information does not remain sensitive forever, so processes need to be set up with a sunset date that prompts a review and either a downgrade of sensitivity or maintenance of the classification for a further period.
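The access criteria, the authorised-person check and the sunset review described in the last three sections can be held in one classification register. The code below is an added illustration, not the author's or any product's; the three band names, the people, dates and the year-long review period are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TIER_ORDER = ["public", "confidential", "critical"]  # the article's three bands, low to high (names assumed)

@dataclass
class InfoAsset:
    name: str
    tier: str                  # one of TIER_ORDER
    value_band: str            # broad dollar band, e.g. "millions"
    owner: str                 # manager who determines access
    authorised: set = field(default_factory=set)  # people with routine need-to-know
    sunset: date = None        # date on which the classification must be reviewed

def as_date(d):
    """Accept a date or an ISO string such as '2024-06-30'."""
    return date.fromisoformat(d) if isinstance(d, str) else d

def check_access(asset, person, today):
    """Need-to-know check: access rests on routine duties, not on status."""
    today = as_date(today)
    if asset.tier == "public":
        return True, "public band: no restriction"
    if asset.sunset is not None and today > asset.sunset:
        return False, "classification past its sunset date; review outstanding"
    if person in asset.authorised:
        return True, "routine need-to-know on record"
    return False, f"refer to owner '{asset.owner}' for an excerpt or summary"

def assets_due_for_review(register, today, horizon_days=30):
    """Names of assets whose sunset date falls within the horizon, to prompt the owner."""
    limit = as_date(today) + timedelta(days=horizon_days)
    return [a.name for a in register if a.sunset is not None and a.sunset <= limit]

def review(asset, keep, today, period_days=365):
    """Owner decision at sunset: maintain for another period or downgrade one band."""
    if not keep:
        asset.tier = TIER_ORDER[max(TIER_ORDER.index(asset.tier) - 1, 0)]
    asset.sunset = None if asset.tier == "public" else as_date(today) + timedelta(days=period_days)
    return asset.tier

# Constructed sample register; names, people and dates are illustrative only.
REGISTER = [
    InfoAsset("customer list", "critical", "millions", "sales director",
              {"alice"}, date(2024, 6, 30)),
    InfoAsset("charging rates", "confidential", "tens of thousands", "cfo",
              {"alice", "bob"}, date(2024, 12, 31)),
    InfoAsset("press releases", "public", "nil", "comms"),
]
```

An asset whose sunset date has passed is treated as closed until its owner reviews it, so a forgotten review fails safe rather than silently keeping stale access open.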

Centrality of Culture
Culture must support this approach to preserving the company’s intellectual property. It is the sort of culture that comes about through leadership of the senior managers, documented corporate values, training and procedures. The expectation the company has for employee behaviour needs to be stated clearly in the terms and conditions of employment. This should be by way of a signed declaration on commencement of employment, which requires candidate employees to have read the terms and conditions of employment and the Code of Conduct beforehand. This allows management to terminate the services of an employee who fails to abide by the commitment enshrined in that declaration.

The same expectations must be levied on contractors and consultants (lawyers, accountants, bankers, etc.) engaged by the company and be enshrined in their contracts.

And at the end of the day…
When employees, contractors or consultants terminate from the company, there needs to be a thorough exit process and any final payment should not be made until all items on the check-list have been satisfactorily addressed. Those items will include the return of any equipment and PDAs issued by the company to the person; a reminder of the obligations of confidentiality, which should be enshrined in another signed, dated and witnessed declaration; and an exit interview that allows any concerns, grievances or suggestions to be recorded.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.


Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.
