Too Much Information: Using a Security Assessment to Balance Collaboration and Information Protection



As companies in foreign markets face increasing domestic competition, striking the right balance between open information sharing and protecting intellectual property assets is of growing importance. Many companies with core technologies believe they can maintain their technological advantage in a foreign market by continuously developing new innovations.

However, this is not always the case. For many companies, working with a domestic partner can be successful, but a number of scenarios, such as a dispute over rights to future joint innovations, can result in accidental or intentional leaks of critical intellectual property or trade secrets. To guard against this, companies should ensure that they follow a structured and facility-specific approach to protecting information when operating in a collaborative environment.

To more clearly illustrate these challenges and how they should be addressed, the following is a hypothetical scenario:

A project manager named Zhang is in the process of setting up a joint R&D and sales facility with a local partner to launch a new product in Western China. Zhang has been tasked by the company’s China head office to put together a risk treatment plan focused on protecting information related to the company’s core technology. The facility from which his company and its local partner will operate just began construction. Confronted by the challenge of preserving an open and collaborative work environment with the new partner and the need to protect certain key business and technological information, he seeks professional advice on how to balance open information sharing and security.

Zhang’s company has already established contractual and legal procedures necessary to address legal and financial control issues for the new operation. These plans include contractual terms related to how to terminate the venture in the event that there is a dispute or other reason for dismantling the new entity. The company’s legal counsel and senior management have reviewed and are able to prove the value of all intellectual property and trade secrets and have established that the company is in a defendable legal position.

In particular, the senior management has adjusted its contracts to manage disputes over inventors’ rights within the new venture, as this is increasingly an issue in R&D operations. Zhang has learned that part of the company’s defense depends on being able to demonstrate that the company put in place procedures to label, protect and prevent trade secrets from being leaked into the market.

His main objective is to establish practical measures and practices in the new facility to protect critical business and technological information. After further consideration of best practices for managing potential risks, he decides to reach out to an information security provider for advice. In conjunction with input from Zhang and other key members of his team, the security provider undertakes a risk assessment related to the facility and information requirements of the new partnership.

A critical part of this process involves understanding what information the local partner’s employees need to know and what information is essential to protect. As a result, Zhang undertakes a detailed inventory of the intellectual property and other proprietary business information to be present at the facility. He then maps the information flow of key business and research processes taking place at the facility. After reviewing the information flow, he and the security provider conduct an assessment of where information is most vulnerable and develop a risk treatment plan. The treatment options available for risk managers are broken into four main categories: physical, technical, people, and policies and procedures.

When reviewing the physical characteristics of the blueprints and existing shell of the new facility, Zhang and the provider identify several key areas of the facility that are more vulnerable to information leakage. As a result, in his plan to senior management, Zhang recommends giving special consideration to the IT server rooms, storage areas, laboratories, sensitive offices and meeting rooms.

Physical security considerations should ideally be done during the design stages of a facility. At this stage, companies can design a layout that allows them to consider how to separate critical areas with proper physical barriers. Because Zhang performed his evaluation after the design was finished, he realizes that there are more limitations to changing the physical features of the facility. Nevertheless, he identifies a better allocation of the office area in order to reduce the proximity of staff to sensitive areas. The physical separation of these areas during construction is also important, especially if both parties will have access to the premises.

The technical treatment of risks involves deployment of technologies such as alarm systems and access control to increase the detection capabilities of a security program. During Zhang’s review of the new facility’s blueprints and existing shell of the building, he observes that the original plan for access control and closed-circuit television coverage of the sensitive areas identified above are inadequate.

In addition, because the blueprints of the facility contain sensitive information, he also expresses concerns about the plans being taken off the premises once construction reaches a later stage.

To reduce this risk, the security provider recommends that the company invest in installing radio-frequency identification (RFID) tags on the actual blueprints and readers at the facility entrance points. Zhang determines from the evaluation process that he will need specialized assistance to install the equipment to ensure that it covers the necessary areas, adheres to a proper maintenance plan and that all technical systems are properly integrated.

The technical component of his assessment also reviews the IT systems to be installed, including both hardware and software. During this process Zhang understands that there could be a threat to the company’s electronic information, but does not realize that the company potentially faces a significant threat from within its own organization through accidental or intentional leakage by employees.

In an R&D environment, IT plays an essential role in facilitating collaboration, not only inside an individual facility, but throughout a company’s operations around the world. For this reason, IT security risks must include a deep understanding of the inter-connectedness of electronic information as it is transmitted throughout the entire organization.

After assessing the anticipated flow of electronic information, Zhang quickly realizes that this is a highly specialized field that is beyond the capabilities of the internal IT security department. Although he identifies some essential components of electronic information protection, he decides that he will need to seek a separate evaluation and advice from an IT security specialist. He also highlights to senior management the need to allocate additional funds for encryption, server penetration testing and software to monitor server access.

Managing personnel at a company is often the most critical part of protecting business and technological information. The physical and technical treatments of risk help prevent or detect incidents, but they offer little assistance in responding to breaches. It is also important to remember that people steal information and not systems. Based on discussions with his information security provider, Zhang understands that proactive HR measures can often reduce these threats by effectively managing personnel and promoting an awareness of risk management within the new facility.

A critical issue for HR is retaining top R&D talent. With the assistance of a specialized HR manager and an inventory of the types of business and technological information classified by level of importance, he develops a plan to segregate staff and access to information based on roles in the R&D process. An important component of this process is identifying what information different departments and levels of employees “need to know.”

Zhang and the new HR manager also identify critical strategies for attracting and retaining scientists and other R&D staff. This is essential to ensuring a low turnover rate, thus reducing the risk of information leakage with departing employees. Additionally, the HR manager underscores the need to seek further legal review of non-compete agreements for R&D staff, particularly focusing on issues concerning compensation and inventor rights.

Zhang and the HR manager decide to set up an ethics and IP awareness training program for all staff and new hires to establish a clear message on corporate governance and information protection from the start. He tasks the HR manager with creating a training program that emphasizes and facilitates discussion on the organization’s internal controls, corporate values and best practices for minimizing information leakage.

Policies and Procedures
Policies and procedures are often overlooked, especially when companies are first setting up new operations. During the review and risk treatment planning phase, Zhang realizes that the company needs to develop more robust policies with its local partner, such as establishing common HR practices for the hiring and retention of staff at the new facility.

During the process, he also expresses concern that the local partner may not agree to conduct due diligence or background checks on current staff or new hires. Of particular concern is identifying potential conflicts of interest among the new entity’s employees.

Furthermore, the security provider suggests that clear procedures should be put in place to handle the departure of any staff, especially if there is a possibility they are disgruntled with the company. Disgruntlement can be a contributing factor to an individual’s decision to intentionally steal sensitive corporate information.

Finally, Zhang and the security provider identify critical policies and procedures to be deployed by the security team at the facility. These include proper registering and briefing of all visitors to the facility. The plan also includes clear procedures for all security personnel on how to document, respond to and investigate different types of security incidents.

After reviewing the new facility’s information security vulnerabilities and considering suitable risk treatment options, Zhang prepares a detailed information security program. Since he performed the evaluation early on in setting up the new facility, he is able to demonstrate to senior management that the company has greater risk exposure and needs to expand its security budget to reduce the level of risk in line with its overall risk appetite.

A version of this article was originally published in the Shanghai Business Review.


More articles by »

About the Author

Kevin Biggs is a senior consultant of risk intelligence and the editor of the China Risk report at Hill and Associates.


Leave a reply