The CFE as IP security advisor
Raising consciousness, promoting balance
“Business is hell,” said U.S. Civil War Gen. William Tecumseh Sherman … well, not quite. “War is hell” were his actual words. But there’s ample reason to believe that this prototypical warrior took the dangers of the marketplace seriously.
As CFEs well know, fraud is one such peril. And if it happens in Silicon Valley or another of the world’s R&D capitals, billions in legitimate profits can disappear. It’s enough to make anyone nervous about their intellectual property (IP).
Sherman, who initially had left the army for a business career that ran from real estate to banking to law, all with limited success, later said that he could more easily lead 100,000 men in battle than manage land in a speculative market.
And it was true. He re-entered the U.S. Army when war broke out in 1861 and led his troops to victory in the South. Before that, however, he had suffered from stress-induced asthma during the 1850s real estate frenzy in San Francisco, where he managed the West Coast branch of a Missouri bank.
In the volatile business environment of the Gold Rush, California land was seen as the key to great wealth, and people resorted to any means — fair or fraudulent — to get it. Then, as now, it wasn’t easy to lead a business in a cutthroat competitive environment.
CURRENCY OF IDEAS
Fast-forwarding to the 21st century, we see that today’s commercial frenzies often are less about land and precious metal than they are about marketable new ideas. For example, when developed into innovative consumer electronics, the right brainstorm can generate more profit than many a gold mine.
“Consider the iPhone,” says Jonathan Turner, CFE, CII, a principal of Wilson & Turner Incorporated, an investigative consultancy headquartered in Memphis, Tenn. “Before it revolutionized cell phones, they all had pushbuttons. Now it’s hard to find one of those. That’s how valuable the touchscreen concept was.”
No one wonder, then, that Apple and other businesses investing heavily in R&D get the heebie-jeebies at the prospect of someone stealing the design of their latest product before the company can bring it to market. You might think the best response would be super-tight security.
“Think again,” Turner says. “Before a new consumer product goes on sale, the manufacturer needs to find out how typical customers react to it.”
Toy makers, six to eight months before Christmas, put early models in front of test groups of kids to see which ones they play with, he says. That feedback determines what will be in stores just before the holidays. Likewise, the New York and Detroit auto shows introduce “concept” cars with radically innovative, sometimes outlandish, features. Some of those elements turn out to be so popular among show attendees that manufacturers add them to the next generation of cars.
“Sure, that market intelligence is beneficial,” Turner acknowledges. “But getting it involves exposing your valuable new designs to outsiders. In the IP world, the competition is for ideas, and once they get out, it’s impossible to put them back in the bottle. Even if you’ve patented your concept, a competitor can create a product that does the same thing in a slightly different way and doesn’t intrude on your patent.”
FACETS OF RISK
Turner recalls two instructive incidents Apple might prefer to forget — after learning from them, of course.
In 2010 and again in 2011, Apple employees field-testing as yet unreleased new iPhones inadvertently left them in public places. Outsiders soon found, examined and discussed them at length not only in the media but in the design labs of Apple’s inquisitive competitors.
“Everyone asked why Apple let these devices be taken out of the laboratory,” Turner says. “The answer is you don’t know how well it’s going to work until you put it in the field. So Apple told its employees to test the new phones in a variety of environments where customers would use them. In doing so, however, Apple took the risk that its competitors would see the devices before they went on sale. Thanks to such premature exposure, competitors often swiftly introduce a similar product.”
Still, product development and marketing people take that risk because they think the “real-world” feedback is worth it, Turner notes. He adds, however, that information security teams — more mindful of risk than of reward — might reject this approach.
“Various internal constituencies often have very different views on IP — what to do, why and how to go about it,” Turner says. “This is a normal, rational conflict that every organization must learn how to mediate.”
THE RIGHT BALANCE
There are up to 30 different constituencies inside the typical business, Turner says — executive-level management, several categories of divisional or mid-level departmental leadership and 10 to 20 categories of rank-and-file employees in functional areas. Each of these groups has its own perspective on how to capitalize on and protect the organization’s IP.
“In many companies, the legal department’s role is to mitigate risk exposures, and the easiest way to do so is to say, ‘You can’t do that,’ ” he notes. “In contrast, the development group wants to put its products in front of as many people as possible to determine which design nuances can turn their ‘okay’ idea into a market breakthrough.”
Finding the right balance between these approaches requires accepting certain shortcomings to obtain what you perceive to be even greater advantages, Turner says. The typical trade-offs? If an organization wants to field-test its products, it has to sacrifice some IP security and vice-versa.
“Often, the CFE is one of the few people in the organization who realizes the bad guys are watching,” Turner says. “So he or she has to remind the various constituencies that sometimes they’re dealing with crooks, not customers.”
He recommends encouraging clients to visualize how fraudsters could exploit IP security gaps. Insights gained from that exercise can help the organization improve its ability to detect and deter intrusions and minimize vulnerabilities. Do this by focusing on proactive policies, not on prohibitions, he advises.
“Instead of saying, ‘Don’t do this or that,’ say, ‘Here’s how to do it more safely,’ with the understanding that there is no such thing as perfect protection,” Turner says.
But what does “more safely” mean? To get a clear answer, there must be organizational consensus on an acceptable level of risk.
If there is no such agreement, Turner says, the CFE should help the organization’s constituencies jointly develop a clear understanding of the potential results of their respective approaches to IP security. For example, the CFE could ask the product development team to consider the consequences if its designs were stolen and brought to market by a competitor. Likewise, he or she could ask the information security staff if it realized how much revenue the company would lose if it didn’t adequately market-test its products before releasing them.
“To facilitate this effort, the CFE has to know exactly what the risks are, find out which constituencies have the most influence and bring those stakeholders together to agree on how much and what kinds of risk they all find acceptable,” Turner says. “It’s not a mathematical calculation; it’s more like deciding whether to jaywalk or cross at the corner. You evaluate the situation and come up with risk-related policies and procedures that are acceptable to everyone in the organization.”
Once the organization has defined its risk tolerance, the CFE can recommend specific ways to mitigate the accepted exposures.
“If, for example, the product development team is about to share design plans with a vendor or other outside party, have the legal department craft strong nondisclosure agreements. And demonstrate your individual value to the organization by coming up with protective mechanisms it can use in such situations,” Turner advises. “For example, when releasing sensitive documentation, vary the wording, pagination or typeface, so that every recipient has a unique copy that can be traced back to him or her if there is a leak.”
He also recommends keeping clients aware of trends identified in the latest ACFE Report to the Nations and staying abreast of developments that pertain to the client’s specific business environment.
“Remember the words of [Speaker of the U.S. House of Representatives Thomas P.] ‘Tip’ O’Neill, Jr.: “All politics is local,’ ” Turner says. “Keep your clients informed about national and global trends, but focus on those that specifically affect their organization, industry and geographic area.”
Once CFEs have elevated stakeholders’ consciousness of these matters, can they be confident the organization’s IP won’t be lost or stolen?
Not in Turner’s view.
“As CFEs, we fight complacency. Our work is never finished. We can’t say, ‘I’ve raised awareness about fraud; my work here is done.’ Quite the opposite. The harder you make it to commit fraud, the harder crooks will work at it. We can reduce the likelihood they’ll try, raise the odds they’ll get caught and minimize the losses victims suffer. But on some statistical basis fraud is still going to occur.”
According to accepted wisdom, though, forewarned is forearmed. So CFEs who help protect their clients’ and employers’ IP might save them from the business world’s perhaps most hellish experience — the theft of your best ideas.
Robert Tie, CFE, CFP, is a contributing editor at Fraud Magazine and a New York business writer.
Read more insight and discuss this article in the ACFE's LinkedIn group.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.