"With IP today, most of it goes out the door before it's even captured," Drab asserts. "You need to determine what information you have that is of value and capture it quickly." Stamford, Conn.-based Xerox's DocuShare solution, he claims, provides this functionality.
Scanning tools also provide a method for searching out the vulnerabilities in a system, according to V.i. Labs' DeMarines, who notes that banks' IP is at even greater risk today because of the widespread use of Web-based applications. "Banks use scanning software to look for these vulnerabilities, such as the use of open-source software and back doors, in their applications so they can shut this down," he explains.
"I know of one bank that did this and they were surprised to see how much of their IP was exposed," DeMarines continues. "Banks worry a lot about customer data -- now they are starting to worry about the IP and the application itself. What if someone knows the application well enough to poke holes in it to get to the customer data?"
E-Soft's Walsh says the vendor provides security at the network level. Its solution sits just at the edge of a bank's network where it meets the Internet. It not only scans for viruses and prevents intrusion, it also looks for patterns and keywords, such as documents leaving the network labeled "confidential."
"The scanning engine can detect this word on a document if it's about to leave the network. It puts the file in quarantine and sends an auto alert to an administrator," Walsh explains. Beyond IP, the solution also can zero in on documents in transit containing customer PINs, Social Security numbers and other sensitive data.
Xerox's Drab stresses that banks must protect IP in both the digital and paper worlds. As such, it's vital to control the flow of data from output devices, such as printers and copiers, he says, noting that these are highly vulnerable end points that have long flown under the radar of many companies' IT departments.
"The NSA [National Security Agency] once called the copier 'the spy's best friend,'" Drab relates. "What happens when a document is printed or copied? This is a critical area because you can have all the network security in the world in place, but it means nothing once something is printed."
Drab adds that there is technology available that can track printed documents and help prevent them from being copied. For instance, he says, firms can use holograms, microtext (text that is embedded into a document at 1/100th of an inch) and invisible infrared coding embedded into a document to ensure the authentication of the original document.
"Of course, no matter how much security you have, nothing protects 100 percent," Drab warns. That is why banks and other financial institutions must be able to rely on legal measures to keep their IP safe.
Monitoring the Insider Threat
As with other data security, an important component of protecting IP is monitoring employees, says Finnegan Henderson's Lim, who points to non-compete clauses and confidentiality agreements as important tools. "These must dovetail with your IP strategy," she asserts. "It's important for financial institutions to have clear documentation that they own the process. When you file for a patent, you assign the right to the invention to the company [not the employee]. These are just good business practices."
That's if a bank can determine who does and doesn't qualify as an "employee." "Many banks use outsourcers, employ temporary workers, have partners -- and all need to access the bank's network in some manner," comments Deutsche Bank's Marovitz. "Banks are going to need a semi-permeable/selectively permeable membrane for access control. As organizations become global, the boundary between who is an employee and who isn't becomes more complex."
It's important to address these issues up front when hiring new employees or entering a partnership with a third party and to remain proactive, adds Fish & Richardson's Hudnell. "This is a legal issue and you have to make sure you have the protocols in place to ensure there are no problems down the line," he says. "These legal agreements must also be updated periodically."
But safeguarding what's inside an employee's brain isn't the same as securing a database, points out CashEdge's Sokolic. Despite protocols to protect IP, "They still have all that knowledge in their heads," he says. "This is a risk you take when you hire someone."