As nation-state actors become more involved in cyberespionage and trade secret theft, some organizations may think the biggest threat to their IP assets is external.

But at the “Protecting Your IP & Patents From Cyber Threats” session at ALM's cyberSecure conference, in-house professionals noted that the reality is quite the opposite.

“I think that the most likely scenario where proprietary information is going to seep its way out is through employees. It's not your cybercriminals,” said Moshe Malina, director and chief patent counsel at Citigroup.

Most companies, however, often focus on securing what Malina called their “initial perimeter,” essentially their external network, with protections like nondisclosure agreements (NDAs), ”network security, and all sorts of controls over third parties and vendors.”

Keir Loiacono, lead in-house counsel and director of intellectual property at biotechnology company Advaxis, said that all vendors that come into his company's research facility have to sign NDA agreements, “and those NDAs include anything they visibly observe when they're on premise.”

But effectively and securely sharing information within and outside of the organization is an entirely different matter. “At Citi we have over 2,000 employees, so there is the question of how [IP] information should leave the firm and be shared within the organization, and who should have access to it. And that is an ongoing issue,” Malina said.

Giving more employees access to patents and trade secrets increases the risk that the information may be shared outside of secured channels. For instance, email “creates a big risk when people are doing business on their phone, and someone sends a document that has proprietary information on it,” Loiacano said.

“That information is now outside of our secure server, and that becomes a concern because we don't have any way of tracking it,” he added.

But there are tried and true ways to mitigate these risks. One of the first lines of defense against such situations is educating employees on the proper way to handle sensitive data. Loiacono noted that education efforts must occur “cross-functionally,” because so many different in-house teams may come into contact with IP information.

Beyond training, there are also technical measures to limit the possibility that information may get into the wrong hands. Loiacono noted his company has a strict device policy, where the serial numbers of employee devices are logged with the IT department. Additionally, the policy stipulates that “no work is to be done on a device that is not registered with your IT department,” he said.

Yet monitoring devices is but one flank organizations need to cover. Oftentimes, employees' use of mobile or cloud-based storage platforms in order to more easily collaborate internally will present its own host of data security issues. But such access can be allowed, Loiacono noted, so long as the information is secured before being shared.

Advaxis, for instance, has a policy requiring the encryption of any data that is sent to a potentially-unsecured storage container. “In order to download anything to a thumb drive it has to be encrypted by the IT department,” he said, adding that the same policy is in effect for any information stored to cloud services like Google Drive or Box.