Overlooked Security Risks in the Patent Process

Manufacturing is one of the industries most frequently targeted by hackers, which means additional steps are needed to protect IP.

Industrial Cyber

It’s no secret that intellectual property (IP) gives businesses a competitive edge. This is especially true in the manufacturing industry, where patents are how most organizations protect their IP. An average of 600,000 patents are filed with the U.S. Patent and Trademark Office (USPTO) each year, and these patents come in all shapes and sizes — protecting everything from semiconductor chips to vaccines, software, and consumer goods.

The USPTO itself is not exempt from breaches, having announced a data leak that affected 61,000 people just last year, but the biggest risk to intellectual property usually lies in the period of time before an application even reaches the patent office.

Patenting an invention is a long process that’s fraught with potential pitfalls, many of which are often overlooked by companies fixated on the filing process and working under the belief that protecting their IP via a patent is the way to protect a competitive advantage. Manufacturing is also one of the most frequently targeted industries for cyberattacks, which means that manufacturers should take additional steps to protect their IP. 

The Perils of Unintended Disclosures 

The patent process involves several steps that each contain inherent risk. From initial documentation to legal consultations and applying for a patent, each step involves the transfer of proprietary information that can be intercepted or mishandled. For companies pioneering new technologies in highly competitive markets, even the disclosure of 'unimportant' details can lead to significant strategic losses. For example, seemingly innocuous information may help competitors infer a company’s research direction and technological capabilities. 

By necessity, the patent application process involves disclosing proprietary information, often in the form of internal patent disclosures. These documents establish the novelty and scope of an invention and are often shared freely inside an organization and with third parties, such as patent lawyers. This can result in multiple copies of sensitive information existing across the enterprise: in email, on laptops and mobile endpoints, or in cloud repositories.

This unprotected and often overlooked information is vulnerable at least until a patent is filed and granted, and can lead to intentional or unintentional leaks and IP theft. This kind of unnecessary exposure is especially perilous for companies in the manufacturing sector, where detailed technical specifications and process innovations can give companies a substantial competitive advantage if they remain confidential or protected by law.

Why IP Data is So Vulnerable 

For years companies have been declaring that “email is dead” while adopting new ways to communicate and share information. The truth is that email is the one common protocol that connects everyone. Email is universally adopted, inherently trusted, and integrally woven into the fabric of business communications.

According to Radicati, there are over 3.13 million emails sent every second, with nearly eight billion email accounts worldwide, so it’s no wonder that email is one of the most targeted platforms for cyberattacks. Email is increasingly targeted with sophisticated phishing and social engineering attacks (strengthened by advancements in artificial intelligence), but the biggest threat is still human error.

In fact, the Verizon Data Breach Investigations 2024 Report found that 86 percent of data breaches in 2023 involved human error. While breaching a single email account may seem relatively innocuous, these breaches often give malicious actors the ability to escalate permissions and exfiltrate sensitive data like intellectual property.

Despite proclamations that “email is dead”, email is largely how business gets done, so we need to find better ways to secure it. After an email that contains sensitive patent information is sent, it's hard to determine who has access to that information, where it’s being stored, and where it might end up next. The recent Microsoft and HPE email breaches serve as a stark reminder that hackers may have had access to the accounts of senior leadership for months before anyone noticed. Just imagine the amount of sensitive information they could have compromised in that amount of time. 

How Manufacturers Can Protect Themselves 

When it comes to protecting proprietary information transmitted via an organization’s email, traditional methods such as network, authentication, and perimeter-based security protections just aren’t sufficient to safeguard IP. While these methods are pretty good at protecting information stored in organizational inboxes, they are insufficient when patent-related information is shared with third parties, or when a hacker gets access to a company email account.

Legacy protections that once worked to secure sensitive information in the enterprise are now plagued by vulnerabilities, and represent a rapidly growing attack surface. To remain secure, security teams must shift their strategy to a data-centric approach. By focusing on protecting the data rather than assuming the perimeter will never be compromised, organizations can protect what really matters – the sensitive IP that gives them a competitive edge. 

Key strategies for applying data-centric security include applying persistent defensive measures directly to files that contain sensitive data. This ensures the data remains protected wherever it goes, even when it’s sent beyond the protected perimeter of an organization. This can be achieved through encryption, masking, and access controls.

  1. Encrypting data can help protect it at rest, in transit, and increasingly, while in use.
  2. Masking and tokenization can be used to protect sensitive information, ensuring the data remains obscured even if unauthorized access is obtained.
  3. Finally, implementing strict access controls and rights management policies for the data ensures that only authorized individuals or systems can access or process that data.
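As an added illustration (not code from the original article), the sketch below combines the second and third items: sensitive terms in a disclosure draft are tokenized before the draft is emailed, and only an authorized identity can reverse the tokens. The `DisclosureVault` class, the sample draft, and the email addresses are hypothetical and constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample: a fragment of an internal patent disclosure draft.
DRAFT = ("The X-17 alloy is annealed at 412 C for 90 minutes; "
         "the X-17 alloy then bonds to the ceramic liner.")
TERMS = ["X-17 alloy", "412 C", "90 minutes"]   # terms marked as sensitive

TOKEN_RE = re.compile(r"\[\[TKN-[0-9a-f]{12}\]\]")


class DisclosureVault:
    """Hypothetical token vault; it stays inside the organization."""

    def __init__(self, authorized):
        self._key = secrets.token_bytes(32)   # HMAC key, never leaves the vault
        self._authorized = set(authorized)    # identities allowed to detokenize
        self._store = {}                      # token -> original term

    def _token(self, term):
        # Keyed hash: the same term always maps to the same token, but a
        # token cannot be matched against a guessed term without the key.
        mac = hmac.new(self._key, term.lower().encode(), hashlib.sha256)
        return "[[TKN-" + mac.hexdigest()[:12] + "]]"

    def tokenize(self, text, terms):
        if not terms:
            return text
        canon = {t.lower(): t for t in terms}
        # One pass, longest term first, so overlapping terms and freshly
        # inserted tokens are never re-matched.
        pattern = re.compile(
            "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True)),
            re.IGNORECASE)

        def replace(match):
            term = canon[match.group(0).lower()]
            token = self._token(term)
            self._store[token] = term
            return token

        return pattern.sub(replace, text)

    def detokenize(self, text, requester):
        # Access control is enforced where the data becomes readable again.
        if requester not in self._authorized:
            raise PermissionError(f"{requester} may not detokenize")
        return TOKEN_RE.sub(lambda m: self._store.get(m.group(0), m.group(0)), text)
```

A copy of the tokenized draft sitting in a mailbox or cloud folder reveals the structure of the disclosure but not the marked values; those stay in the vault.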

In the world of data-centric security, patent applications and disclosures can be freely shared over email or cloud environments without risk. In this world, even if someone with nefarious intent were to obtain sensitive information, the impact could be negligible. 

As the saying goes, you’re only as strong as your weakest link. When it comes to securing your most sensitive data, email is often the weakest link. Rethinking your security approach and shifting from perimeter and authentication-based security to a data-centric position can help keep your precious IP information safe until you’re ready to share it.
