Canadian Small Business Women

Connection, Synergy, Community

Insider Threats And Data Breaches: They’re Not Always What You Think …

There’s something you should know before you invest your entire IT and information security budget on technical solutions – if a smart thief wanted to steal your intellectual property and/or your client’s confidential information (e.g., credit, financial, and contact information taken during the Equifax data breach), they’d act like a gangster and walk in the front door and take it.

Why? When it comes to protecting what’s worth stealing, it’s your employeesnot your computers, that are the weakest link.

Employees are within the human resources (HR) wheelhouse, so this is a topic of great importance to me. Some years ago, I worked in an organization that invested a lot of effort to keep its intellectual property and confidential employee information protected. This was done in two ways: (1) careful hiring and HR processes and (2) technical measures including firewalls, information security protocols, etc. Both approaches were necessary. It hasn’t become a popular concept, as yet, but it’s easy to argue that cybersecurity alone is not enough.

Many of us have heard of Edward Snowdon, the former NSA Subcontractor who disclosed an immense volume of confidential information to journalists and online sources. After working in an organization that shares some similarities with the NSA, I think it’s safe to say that the presence of sophisticated technical measures was not enough to prevent the intentional disclosure of confidential information. In fact, this scenario is an example of an Insider Threat.

“Insider threats can be defined as risks posed by rogue employees who deliberately cause harm, or by those who may be negligent in the workplace.

Security Hinges on its People, FrontLine Security Magazine, October 2017).

 

 

If insider threats are a real problem why isn’t it better known?

 

analog insider threats

Not all data breaches are external or digital …

Most of us have heard about data breaches that have occurred in organizations that have much bigger security budgets than ours. For example, the NSA and Equifax breaches that I just mentioned. Plus, there have been big breaches at Yahoo, Home Depot, Target, and others. I’ve done extensive research on this topic and one thing is crystal clear: 75% of these data breaches originate inside organizations. Often, we don’t hear about the causes of those breaches because they make the organization look terrible. It has a negative impact on the public’s trust and confidence in the organization’s ability to protect corporate information, including clients’ and/or customers’ personal information. When an organization experiences a security breach, their current and future clients, strategic partners/affiliates, and members of the general public are likely to see the organization as irresponsible. Negative financial consequences usually follow. Approximately 60% of smaller companies are bankrupt within 6 months of a major security breach, so it’s no wonder this is kept quiet.

How can HR, based on I/O psychology help?

I’m addressing this topic because I understand that HR has an important role to play in preventing these insider threats. One problem is that most organizations don’t recognize that HR can make valuable contributions to the risk management process. Another problem is that the C-suite and the IT/information security folks don’t necessarily recognize the role that HR could be playing to keep confidential intellectual property and client information from leaking out of the organization. For example, many organizations don’t address workplace bullying as proactively or completely as they could. They haven’t understood the link between malicious insider threats that are inspired by anger or a desire for revenge that comes from being severely mistreated at work. The consequences of ongoing suffering in toxic workplaces are even more severe when essential government services and critical infrastructure are at risk. So, if the threat of lost productivity and lawsuits aren’t a big enough justification for improving HR policies and practices, the likelihood of insider threats should catch the attention of key decision-makers.

no wonder this is kept quiet.

 

How can HR, based on I/O psychology help?

I’m addressing this topic because I understand that HR has an important role to play in preventing these insider threats. One problem is that most organizations don’t recognize that HR can make valuable contributions to the risk management process. Another problem is that the C-suite and the IT/information security folks don’t necessarily recognize the role that HR could be playing to keep confidential intellectual property and client information from leaking out of the organization. For example, many organizations don’t address workplace bullying as proactively or completely as they could. They haven’t understood the link between malicious insider threats that are inspired by anger or a desire for revenge that comes from being severely mistreated at work. The consequences of ongoing suffering in toxic workplaces are even more severe when essential government services and critical infrastructure are at risk. So, if the threat of lost productivity and lawsuits aren’t a big enough justification for improving HR policies and practices, the likelihood of insider threats should catch the attention of key decision-makers.

If you’d like to learn more about how psychology and HR can help prevent insider threats, listen to Episode 27 of The Insider Threat Podcast where I speak to host Steve Higdon about this topic. Note – since the time that this article was published, I was an invited guest on Scott Wright and Tom Eston’s Shared Security Podcast and we spoke about different aspects of this issue.

Have a sensitive career or HR-related concern? I invite you to contact me by emailphone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.

More than career coaching, it’s career psychology®.

I/O Advisory Services – Building Resilient Careers.

Intellectual Property Asset Audit – Make this Part your Business Planning for 2018?

I hope many of you had the opportunity to listen in on Sandra Dawes’ great sessions on planning for 2018 and are spending the time to set out and act on the plan you are developing using her fabulous workbook.  I know I am and in the process of doing so checked out the resources that the Canadian Intellectual Property Office (CIPO) provides for businesses to get a handle on the intellectual property (IP) they have and what they can do to formalize and leverage their IP rights.

So, to help you with your planning, you can add an IP audit of your business assets into the mix. Starting with the easy to read and use resources in the CIPO’s IP Toolbox (https://www.ic.gc.ca/eic/site/cipointernet-internetopic.nsf/eng/h_wr04320.html) you can get a good initial grounding in IP and how to factor it into your business plans.

Take for example, the “IP Inventory Checklist” which lists a variety of types of business assets that you could have operating at the core of and for the benefit of your business (e.g. branding elements, customer lists, software applications) and the kind of IP rights to consider in relation to those assets. You can also refer to https://www.ic.gc.ca/eic/site/cipointernet-internetopic.nsf/eng/wr04055.html for additional insights on the types of business assets that are commonly part of many enterprises and which can give rise to IP rights.

Once you have what you feel is a reasonably complete inventory, you can then check out the “Intellectual property in Canada” fact sheet which provides an indication of the nature of the IP rights that may apply to the business assets you identified in your inventory. To fully leverage the IP rights you have you can refer to the guide entitled, “Intellectual Property – It’s yours. Own it.” to learn more about how the process of creating business assets leads to IP creation and the steps you can take to identify and formalize your IP (e.g. register copyrights and trademarks). There are also individual, more detailed fact sheets to explain what the different forms of IP are and how they can be leveraged, namely for copyrights, industrial designs, patents, trade secrets and trademarks.

Finally, moving from the IP Basics tab on the CIPO’s IP Toolbox page you can access other tabs with information relating to IP when you export goods and services and other information resources.

If you are thinking, how you can identify all of the business assets to include in your inventory beyond what is exemplified in the IP Inventory Checklist, start by simply listing any products and/or services you have developed and sell, and the tools you use to help you sell and market what you sell. Copyrights, industrial design rights, trademarks and patent rights will be relevant to what you give the public access too (e.g. your products and services), while trade secret rights will apply to those assets (e.g. confidential information) that the public does not have access to, but that you leverage internally to support your business and gain a competitive advantage (e.g. to make your business more efficient, or develop new business lines and opportunities).

While conducting your audit consider setting up a spreadsheet to create your inventory and add in information to document details about what you have and the steps you take to formalize your IP and leverage it in B2B and B2C contexts. For example, include in your inventory when the business asset was created, by whom, under what written contract (if any) and whether you have a written assignment (transfer of ownership) from the creators of the assets and related IP rights to your business. Then include a column with information about steps you have taken or would like to take to formalize the IP rights in your assets.

If some of the business assets you have were licensed in, or obtained from third parties (e.g. stock images, products you sell), include the contracts in your inventory which give your enterprise the permissions to use, apply, distribute, lease, or sell those assets and identify the provisions in those agreements which specifically refer to the permissions you have to leverage third party IP rights and what you have to do in exchange to maintain those permissions. These contracts also represent a form of IP rights, which together with what you have invested in to create form the foundation of your business.

Obviously, the intention behind doing an IP audit and creating your inventory of assets is to use it, update it from time to time and determine how you want to invest in IP for your business. Once created, it is itself a business asset that should be maintained as a trade secret. You can use your inventory to make decisions by correlating the performance of your business to the assets and associated IP rights. If you choose to consult with an IP professional on the many ways you can make use your inventory, consider: i) consulting on what other information to include in your inventory, ii)  how to map out budgets to formalize key IP, iii) identify DIY steps you can take to protect and leverage your IP, and iv) milestones to be aware of so that you can be confident that you always have a full picture of all of the IP options and value available to support your business.

————————

Ariadni Athanassiadis

Kyma Professional Corporation

T: 613-327-7245

E: ariadni@kymalaw.com

W: www.kymalaw.com

What Do HR And Psychology Have To Do With Cyber Threats?

Where is the Real Threat?

In the internet world festooned with apps we know it’s important to use strong passwords to secure our own email, social media accounts, and electronic devices. On the corporate side, another important consideration is the role that humans play in cyber threats. People with access to big data, personal information, intellectual property (IP), and critical infrastructure (e.g., power supplies, water treatment, hospitals, railways) can sometimes be the weak link in the chain.

HR as Part of Risk Management

For a while, I’ve been thinking about cyber crimes and cyber security and how to adapt what I learned and applied when I worked in a very secure (Top Secret) environment. In that workplace, we were extremely careful about how people were hired. Also important was how they were treated after being hired. I call my adaptation of those processes and policies “HR as Part of Risk Management.” I’ll admit that this may not be a stylish title but it does address something that most approaches to risk management are missing.

Employees: Often the Weakest Link 

Ominous Dark Buildings

Traditionally, risk management includes “human factors” but to date, relatively little attention has been paid to this source of risk. Normally, 90% of our collective efforts have focused on technical or IT-related interventions to protect us from cyber threats. Yes, these are important. However, to focus on them and not address the human element, psychology or employees’ behaviour is like locking the

front door but leaving the back door open. The fact is that sometimes security breaches reported as cyber attacks are caused by actions that take place inside the organization. As Dermot Williams, the CEO of  IT security firm Threatscape says, “when it comes to organizations, often the employees who are the weakest link.”

Although I have a lot more to say on this topic, for now, I’ll share an article that I wrote called Is Cyber Security Alone Ever Enough?, published in FrontLine Security in October 2016. Take a few minutes and read.

In the meantime, if you have HR or career-related matters that you’d like to discuss, please contact me by email, phone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.

More than career coaching, it’s career psychology®.

I/O Advisory Services – Building Resilient Careers.

Doing Business Online – Your Website and Legal Notices

 

The theme of globalization that took center stage at the Canadian Small Business Women’s Expos in 2016 made one thing very, very clear – for small businesses, our communication HQ for reaching the rest of the world is our website.

While most of us are great at talking about our offerings and communicating our brand online, taking the time to set out certain legal notices, demonstrates how seriously we take our business and emphasizes what makes it unique. Drafted and presented properly, such notices can even take on the character of a binding contract between users and your business.

Here is an overview of the kinds of legal notices that should be considered for every website:

 

  1. Terms of Use – These are notices, which let web surfers know the ground rules for using your website by setting expectations with respect to the use of information and other content on your site. Different terms of use may be noted on various pages or footers, and/or consolidated on a separate page of your site. At a minimum, you need to notify users that the content of your website is: i) for their personal use only, and not for commercial application; and ii) intended for general informational purposes and not as advice that can be necessarily applied to their personal circumstances. You also need to provide notice about your intellectual property (IP) rights and the rights of others you have permission to use in connection with your business and site (such as trademarks and copyrights). If you provide links to the websites of others, it is a good idea to also remind users of your website that you are not responsible for the content of other sites which you do not control.
  2. Privacy Policy – This is a policy which every business needs to have to be able to describe for stakeholders, among other things and in accordance with applicable legislation: i) what personal information is collected and for what purpose; ii) how an individual may provide and withdraw its consent for the business to the use its personal information; and iii) how the business collects and safeguards personal information.  In Ontario, most businesses collecting personal information are subject to the FederalPersonal Information Privacy and Electronic Documents Act (PIPEDA). Especially, if collecting personal information through its website, a business should provide notice of its privacy policy online, either as part of its consolidated Terms of Use, or on a separate page.  The Office of the Privacy Commissioner of Canada offers guidance and a tool kit to help businesses comply with PIPEDA at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/.
  1. Marking Intellectual Property Rights – Every business website is likely to include copyrighted content and present its content using various branding elements, such as a logo and word marks to distinguish various service and product offerings for the benefit of customers. In addition, business offerings may have other IP rights associated with them, such as industrial design registrations and patent rights.  Making users aware of these rights by marking them where they appear helps you communicate to users what is unique to your business and makes it easier to prove that someone who misappropriates these rights had notice of them. Furthermore, if you are using IP rights, such as copyrighted content and trademarks with the permission of others it is best to include specific attribution regarding those rights, unless otherwise agreed to with the rights holder(s).

Marking IP rights is a shorthand way of giving notice of the existence of such rights.  A basic copyright notice at the footer of every webpage using the ‘©’symbol and using the ‘TM’ and ‘®’ symbols to denote unregistered and registered trademark rights, respectively, will be familiar to many business owners. Similar shorthand ways of denoting industrial design and patent rights also exist.  It is important to be aware that different countries may have different rules for how to properly apply IP markings to ensure that rights holders are not being misleading about the rights they have, or otherwise engaging in anti-competitive conduct. Given that websites transcend jurisdictional boundaries, understanding these rules in the markets you are targeting with your website is something every business owner needs to learn about, or seek the advice of a legal professional.

Providing conspicuous and clear legal notices such as those outlined above is a pillar of a B2B and B2C communication strategy that leads to mutually beneficial business relationships. It lets the public, potential business partners and competitors know you are aware of, and value your legal rights, as well as the legal rights of others.

If you would like to find out more about how to draft and create legal notices for your website, study the notices used by IP savvy businesses on their websites and consider consulting a lawyer to review the language of your notices and IP markings to make sure you are achieving the benefits that these notices offer.

Ariadni Athanassiadis is the lead attorney of Kyma Professional Corporation, which provides intellectual property (IP) legal services to help your business develop and benefit from the creative efforts and assets that make it distinctive. Whether it is your brand, product, services, designs, technology or business processes, Ariadni can help design IP legal solutions which let you make the most of what you give to your business.

———————————

Ariadni Athanassiadis

Kyma Professional Corporation

T: 613-327-7245

E: ariadni@kymalaw.com

W: www.kymalaw.com

Reaching for the Moon – Entrepreneurship and the Alchemy of Ideas and Relationships

 

ari-2In the coming months, I plan to cover those indispensable tips for working with various forms of intellectual property (IP) in your business, such as copyrights and trademarks.  To set the stage, I would like to touch on the desire we have as entrepreneurs to protect our “ideas”.  At the risk of bursting some bubbles, the reality is that the legal system is really not designed to protect ideas. Instead, the whole premise behind having IP legal regimes is to promote the conceptualization, application and exchange of ideas. So if this is the case, why have IP legal regimes or “protect” anything in the first place?

 Before going down a rabbit hole, let me back-up for a moment and try to clarify what I mean when I use the word “idea”. To me an idea is what comes from inspiration, like the epiphany in the mid-20th century that we could fly to the moon. Examples of innovation and creativity around this idea are everywhere, and include everything from Sinatra’s classic rendition of “Fly Me to the Moon,” to NASA’s Apollo missions, to today’s quest by Branson and others to make private space travel a reality. Our drive to innovate is so core to our humanity it bubbles up everywhere, all the time, in all corners of the universe, in all arts, fine or technical, and in all human enterprise and cultures.

So it is not the ideas, but the innovation that flows from them that is addressed by our society. One way this is done is reflected in IP legal regimes. These regimes speak to what happens when an idea is being translated into a result and made accessible to the public. This can only happen in the co-creative processes that take place in relationship with one another. In these relationships there will be intersecting interests and layered rights that arise and are engaged. Innovation in business is no less personal or fundamental to our existence as it is in other areas of our life, and like many other social imperatives can be supported by guidelines and frameworks for balancing interests and contributions to it. While the debate is always open about whether or not existing frameworks help or take away from achieving the best balance, society will always seek to find harmony through constructs for managing relationships.

The two primary issues that IP legal regimes address are who benefits from intellectual endeavour and how. In general terms, the various regimes create economic rights for creators/innovators and rights of use for the public because, after all, the governments and legal systems that grant rights in the form of patents, trademarks, copyright, industrial designs and trade secrets (confidential information) are there for and on behalf of the public.

So when NASA decides to release a chunk of its patent portfolio (under certain terms and conditions of course –http://www.sciencealert.com/nasa-just-released-56-patented-space-and-rocket-technologies-to-the-public) we are witnessing that the way things may have been done in the past can change and adapt to the way they need to be for the future, shifting the balance point in the relationship between governments, the marketplace, and the public interest.

At the end of the day, innovation is fueled by a continuing tradition of alchemy between ideas and the relationships which shape and mould them. In my experience, the ideas can be relatively easy to come by, but the magic comes from what we do in relationship with one another on our quests for the philosopher stone, or perhaps, just a little moon rock.

Ariadni Athanassiadis is the lead attorney of Kyma Professional Corporation, which provides intellectual property (IP) legal services to help your business develop and benefit from the creative efforts and assets that make it distinctive. Whether it is your brand, product, services, designs, technology or business processes, Ariadni can help design IP legal solutions which let you make the most of what you give to your business.

———————————

Ariadni Athanassiadis

Kyma Professional Corporation

T: 613-327-7245

E: ariadni@kymalaw.com

W: www.kymalaw.com

Intellectual Property is Your Business and “A rose by any other name …”

 

ari-2

I remember my first exposure to Shakespeare in high school and the stress it caused when I realized that somehow I had to understand what looked like English, but which to me, might as well have been written in Klingon. I have witnessed the same stress in business owners when the topic and lingo of intellectual property comes up. The way to get through it, like anything else, is to start with what does make sense and go from there. So, with that in mind, let me recount to you the gist of two conversations I recently had with business owners about intellectual property and their business.

 

Do I really need to bother with intellectual property?

The short answer to that question is IP is always part of your business, so why wouldn’t you? Let’s also consider, however, the context for the question.

The question was prompted after a business owner received mixed messages from her board of advisors about the relevance of intellectual property (IP) to her business, an enterprise focused on educating young entrepreneurs. The different perspectives of her advisors ranged from “forget about IP” to “worry about it later”; focus instead on your “value proposition and managing risk”.

This thinking reveals some common misconceptions about what IP is and the role it plays in a business. The first was that IP can somehow be disassociated from managing risk and is extraneous to the brand, content, and expertise, at the core of her business. In fact, in this case, content is her product, and so the value proposition of her business is all about IP.  Selling her brand of content fundamentally relies on working with her copyrights and trademark rights. Whether or not she chooses to register these IP rights is another question, but even if she does not, she will still be using those rights in her transactions with publishers, distributors and customers.

Then there is the idea that you can put off addressing IP issues until you have some traction in the marketplace and some cash to spare. While addressing IP issues early on can indeed pull on meager start-up resources, suggesting you can cut IP out of the business incubation stage is like saying you can add yeast to bread to make it rise after you have baked it. In reality, you can make the most of the bread (and butter) of your business if you take the time to consider the legal nature of your creative assets from the get go. To do otherwise, is to risk not achieving the very thing you set out to do.

 

If I am dealing with intellectual property in my business, I don’t know it.

The business owner who raised this point works with a number of artisans and was thoughtfully reflecting on how business relationships seem to work fine without bringing intellectual property into the conversation. I get it. The more you talk about “legal stuff”, the harder it can be to get folks on board. The thing is, at the risk of being repetitive, IP is part of the equation even if not seen or acknowledged, and the math generally will not work in the long run if it is not somehow accounted for. So knowing this, would you rather address IP issues before or after they become a problem?

While the language of IP is not the most prosaic, understanding and talking about what something is, instead of around it, makes for clear, transparent and informed conversations, conducive to building solid business relationships. You can also save everyone the trouble of investing in relationships which are not a fit to begin with.

Whenever I have had this discussion with small business owners, I am reminded of my early days as a gardener, going to the nursery, buying plants and overlooking some of the details about how to care for them in different seasons. During the summer, flowers bloomed and there was new growth. In the fall and winter I would bypass a few steps to help the plants weather the colder days, and then when spring arrived, there was not much of a garden to speak of. Out of pocket and starting over, it was clear that there is no substitute for having a few targeted conversations and paying attention to the details.

And so it is with IP and your business relationships –  a more thorough understanding of your creative assets is always a plus and with this knowledge, the options for cultivating business plans and relationships become more numerous, adaptable, sustainable and reflective of the real value of your business.

 

Ariadni Athanassiadis is the lead attorney of Kyma Professional Corporation, which provides intellectual property (IP) legal services to help your business develop and benefit from the creative efforts and assets that make it distinctive. Whether it is your brand, product, services, designs, technology or business processes, Ariadni can help design IP legal solutions which let you make the most of what you give to your business.

———————————

Ariadni Athanassiadis

Kyma Professional Corporation

T: 613-327-7245

E: ariadni@kymalaw.com

W: www.kymalaw.com