Advertisement

Live Chat

Live Chat 11/06: Enterprise Risks, Intellectual Property & Supply Chains

130 comments on “Live Chat 11/06: Enterprise Risks, Intellectual Property & Supply Chains

  1. Hailey Lynne McKeefry
    November 6, 2014

    We should be getting started at 2PM PST sharp, as soon as our guests arrive.  First, though, there are two housekeeping notes:

  2. Hailey Lynne McKeefry
    November 6, 2014

    First, please make a copy of your post before hitting the “post” button – just in case.  If the system “eats” one of your carefully crafted thoughts, please hit “Ctrl-Z” to recover it.

  3. Hailey Lynne McKeefry
    November 6, 2014

    This will be a fun, fast, and friendly conversation, so please do not hold back with your comments or questions.  There are no dumb questions and we value everyone's point of view.

  4. Hailey Lynne McKeefry
    November 6, 2014

    Second, if you have problems posting, we suggest trying a different browser.  IE9 is a popular choice, but sometimes find Firefox, Chrome, or Safari work better.

  5. Hailey Lynne McKeefry
    November 6, 2014

    Questions, theories, ideas, real world experiences and even friendly rants are welcome here.

  6. Hailey Lynne McKeefry
    November 6, 2014

    As you arrive, please introduce yourself so we can offer words of welcome, and offer you a seat as well as a bit of EBN's famous virtual guacamole and chips.

  7. Ashu001
    November 6, 2014

    Hi folks!

  8. Hailey Lynne McKeefry
    November 6, 2014

    Welcome Tech4People, glad you dropped by. I hope you got a chance to peruse Craig Moss' blog on this topic. It had a lot of great information.

  9. Craig Moss
    November 6, 2014

    Hi Hailey – 

    Craig checking in. 

  10. Hailey Lynne McKeefry
    November 6, 2014

    Welcome Craig. Glad to have you with us! We'll start in just a few minutes.

  11. Hailey Lynne McKeefry
    November 6, 2014

    For those of you who aren't familiar with CREATe.org: The Center for Responsible Enterprise And Trade (CREATe.org) is a non-governmental organization (NGO) helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption.

  12. Ashu001
    November 6, 2014

    Enterprise risk management is supercritical today!

  13. Hailey Lynne McKeefry
    November 6, 2014

    @Tech4People, what are you seeing in this area from where you sit? Is it getting more critical?

  14. Ashu001
    November 6, 2014

    @hailey-absolutely!create has very unique goals going ahead.

  15. Craig Moss
    November 6, 2014

    IP protection is getting more and more critical. Among 269 senior risk managers, 53% said that loss or theft of intellectual property had inflicted damage on their company's financial performance —14% reported this as “major” damage.

  16. Craig Moss
    November 6, 2014

    Intellectual property theft is a growing hazard, with threats that can arise both internally and along a company's global supply chain, and leveraging tools already in place for addressing other risks can enhance IP protection while limiting cost and bureaucracy. Enterprise Risk Management (ERM) systems provide a great structure for bolstering IP protection without creating additional bureaucracy. 

  17. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, those are sobering statistics. Do you find that the threats are mostly insiders or outsiders?

  18. Susan_Nunziata
    November 6, 2014

    Greetings all sorry I'm late

  19. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, do you find electronics industry companies are particularly at risk or is it a widespread problem that affects the breadth of industries in similar ways?

  20. Craig Moss
    November 6, 2014

    The threat some from inside and outside. A lot of the problem actually results from poor management and employee negligence. 

  21. Hailey Lynne McKeefry
    November 6, 2014

    can  you give some typical examples of how poor management and employee negligence show up?

     

  22. Craig Moss
    November 6, 2014

    Each industry tends to focus on the types of IP most critical to them – copyrights, trademarks, patents or trade secrets. But in reality virtually every industry has all of the IP types. 

  23. Hailey Lynne McKeefry
    November 6, 2014

    When i talk to electronics OEMs, it becomes clear that these organizations are sharing all sorts of information (product designs, parts lists, customer lists and more) over a variety of supply chain solutions. The days of siloed information and home grown systems is over.

     

  24. Craig Moss
    November 6, 2014

    There are so many examples – the sales rep that leaves a prototype with a major customer. A factory manager that shows next seasons' product to a competitor. An executive that gives their passwords to an assistant. 

  25. Ashu001
    November 6, 2014

    @craig-its unfortunate that's employees make so many mistakes even today.

  26. Craig Moss
    November 6, 2014

    It is unfortunate, but often it is unintentional. Electronics has many specific challenges. As you know many of the contract manufacturers have customer specific buildings, but the employees often shift from building to building. 

  27. Hailey Lynne McKeefry
    November 6, 2014

    It sounds like training and regular reminders have to be a regular part of IP protection. I worked in a hopstial for a long time and they bombarded us with HIPAA information–it got to be second nature.

  28. Susan_Nunziata
    November 6, 2014

    @Craig: Interesting: The threat some from inside and outside. A lot of the problem actually results from poor management and employee negligence. 

    Do you think employees are more likely to act with malicious intent when it comes to IP, or are such employee lapses generally just pure old human error?

  29. Craig Moss
    November 6, 2014

    I was talking with a US tech company recently that said a BIG problem was that their engineers did not know what they should and should not reveal to a contract manufacturer. 

  30. Susan_Nunziata
    November 6, 2014

    @Craig: wow. how is that possible?

  31. Ashu001
    November 6, 2014

    @hailey-but doesn't the overloading of information also become counterproductive?u tend to overlook small small things in the same of repetitiveness.

  32. Craig Moss
    November 6, 2014

    Of course there are some with bad intent. But a lot is a lack of awareness and knowledge. They don't know the rules and aren't given steps to follow.

  33. Hailey Lynne McKeefry
    November 6, 2014

    That's pretty dismaying! But not particuarly suprising. I think ignorance is a big issue. People just want to do their jobs as efficiently as possible and that is at teh expense of security and IP.

  34. Craig Moss
    November 6, 2014

    Training is critical. You need to think in three stages of training – whether inside your company or with a third party – building awareness, gaining commitment and then giving them the knowledge and skills to implement. 

  35. Rodney Brown
    November 6, 2014

    Howdy folks.

  36. Craig Moss
    November 6, 2014

    Great point Hailey – that's why it is important to get IP protection into normal business operations and not deal with it as a purely legal issue.

  37. Hailey Lynne McKeefry
    November 6, 2014

    @Tech4People, I think it's a delicate balance. People have to hear the same thing six or seven times before it sinks in according to many studies. And in multiple ways from multiple channels. I think the key may be helping people to udnerstand the potential ramifications of their actions and decisions.

  38. Hailey Lynne McKeefry
    November 6, 2014

    @Rodney, thanks for coming by. Pull up a chair and help yourself to some virtual guacamole and chips.

  39. Rodney Brown
    November 6, 2014

    Craig, does a large multinational usually have someone in charge of making sure that the engineers know these policies — or even that the policies exist?

  40. Ashu001
    November 6, 2014

    @hailey-security and ip protection should not work as roadblocks in the work people want to fo.

  41. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, is there one of those three steps (or more) that organizations most typically overlook?

  42. PhDEE
    November 6, 2014

    How do you handle a customer that steals your IP?

  43. Susan_Nunziata
    November 6, 2014

    Hey Rodney!

  44. Craig Moss
    November 6, 2014

    Not all MNC's do. When we started CREATe we looked for companies that had comprehensive IP protection policies – AND found none. 

  45. Hailey Lynne McKeefry
    November 6, 2014

    Welcome PhDEE. I'm glad you could join us today.

  46. Craig Moss
    November 6, 2014

    We published a set of IP protection policies that are available on our web-site. Feel free to take a look and use. 

  47. Susan_Nunziata
    November 6, 2014

    I'm curious to know what the black market business model is for stolen IP. I mean, obviously it's all got to be hush hush, but how do companies manage to compensate those who steal for them? What would motivate somebody to do this?

  48. Rodney Brown
    November 6, 2014

    None?! Now that is downright shameful.

  49. Hailey Lynne McKeefry
    November 6, 2014

    NONE?! Has it gotten better?

  50. Craig Moss
    November 6, 2014

    And policies are just the first step. And in many ways the easiest step. The challenge is embedding IP protection into how a company operates AND how the third parties it deals with operate. 

  51. Craig Moss
    November 6, 2014

    Here's a quick stat:

    PwC's 2013 State of Compliance: Intellectual property risks ranked among the top three risks faced by manufacturing and technology companies – IP risks were perceived to be increasing  

  52. Hailey Lynne McKeefry
    November 6, 2014

    In the IT security world, one best practice is to make safeguarding corprorate systems and information part of everyone's job description. It seems like that would be part of the secret sauce here as well.

     

  53. mdesai
    November 6, 2014

    Electronic engineer

  54. Hailey Lynne McKeefry
    November 6, 2014

    Glad you could join us, Mdesai. feel free to leap in with questions or comments!

  55. Craig Moss
    November 6, 2014

    Some IP infringement clearly has a criminal element to it. There is no doubt, but at CREATe we are focused on reducing IP infringement in companies. Trying to eliminate the IP problems from poor management. 

  56. Rodney Brown
    November 6, 2014

    Hailey, has that had any effect? Seems like the willingness to circumvent security policies for convenience is as strong as ever (Dropbox, simple passwords, etc.).

  57. Ashu001
    November 6, 2014

    @hailey-secret sauce?nice!

  58. Hailey Lynne McKeefry
    November 6, 2014

    @Rodney, i hate to say it but there's a barn door phenomenon. ONce a company has a major breach that costs millions everyone gets much better about it. 🙂

  59. Ashu001
    November 6, 2014

    @rodney-thats all down to lack of convenience. The folks who have jobs r constantly overloaded. The rest don't work.

  60. Craig Moss
    November 6, 2014

    We have looked at the issue of IT security versus more comprehensive IP protection. One of the strongest areas for companies is the IT security, but they often loose site of the broader issues – the human factor. I saw one recent study that said 80% of cyber security problems had employee negligence as the root cause. 

  61. Hailey Lynne McKeefry
    November 6, 2014

    So what are some of the ways that organizations can leverage existing ERM systems and frameworks to do a better job with IP?

  62. Craig Moss
    November 6, 2014

    You're getting at one of the keys- is how do you integrate IP protection into a person's job in a practical way. To do it, it needs to be a cross-functional effort from the start. 

  63. Craig Moss
    November 6, 2014

    The white paper we just released covers examines how companies can:

    • Use ERM more effectively to “identify, assess and manage” IP-related risks;
    • Address IP risks that arise in the closely related areas of information technology (IT) security and supply-chain compliance; and
    • Understand the elements of an effective IP protection program and ways to integrate IP protection into existing business processes and procedures.
  64. Hailey Lynne McKeefry
    November 6, 2014

    Who needs to be invited to the table for that cross-functional effort?

  65. Hailey Lynne McKeefry
    November 6, 2014

    @All, craig's most recent blog on EBN offers a link to the white paper–and more thoughts on this topic

     

  66. Rodney Brown
    November 6, 2014

    @Tech4people, I hear that. Making IT easier for the line worker should be one of the core principles of an IT department. But, sometimes the hammer has to come down hard to prevent IP loss. If a policy is in place, it has to be followed.

  67. mdesai
    November 6, 2014

    How could we prevent IP breach, if the products are manufactured by an overseas contractor? Are there any legal actions available?

  68. Craig Moss
    November 6, 2014

    Agree Rodney. You get into issues of the carrot and stick in motivating employees. Also, how do you effectively change behavior?

  69. Hailey Lynne McKeefry
    November 6, 2014

    @mdesai, i'm sure the overseas component makes it a lot more difficult. Are you talking about China or elsewhere?

  70. Kim Davis
    November 6, 2014

    Hi everyone.

  71. Kim Davis
    November 6, 2014

    IP has been on my mind today, because quite by chance this morning I discovered that the full text of a book I wrote a few years ago is on Google Books.

  72. Rodney Brown
    November 6, 2014

    Craig, it seems to me that organizations are either all carrot or all stick — or have their head in the sand.

  73. Craig Moss
    November 6, 2014

    Contracting production overseas can be a high risk activity for IP. You need to have contractual provisions that clearly spell-out the usage rights and limitations. But beyond that the contract can have provisions that require them to have IP protection policies, to train their workers, to provide access to your IP on a need to know basis. etc. In addition to the contracts, you need to evaluate their management systems for protecting IP – just like you would evaluate their quality systems.

  74. Hailey Lynne McKeefry
    November 6, 2014

    @Kim, glad you could come by…and with such a relevent experience! Any idea how it happened?

  75. Kim Davis
    November 6, 2014

    Craig, I assume you're talking about specific ERM tools?  Because obviously risk management is needed to manage IP-related risks.

  76. Kim Davis
    November 6, 2014

    Hailey, I assume Google just scanned it and uploaded it, but why they should think that a book so recent would be out of copyright I have no idea.

  77. Craig Moss
    November 6, 2014

    ERM is a fundamental tool for helping a company shift from dealing with negative events reactively to taking a preventative approach to the risks that it faces, and for strategically allocating resources to reduce the company's risks internally and in its end-to-end supply chain.

     Although intellectual property is central to the success of most companies, many do not routinely examine intellectual property risks in any detail, or they simply consider them in isolation without reference to other related types of security or compliance risks. 

    Some companies fail to consider how to manage the IP-related risks in their supply chain or with vendors—a vital element for shifting from a reactive to a preventative approach.  

  78. mdesai
    November 6, 2014

    Yes. China is where most of such breaches take place. Our rep cannot be there on the premises 24/7!

  79. Kim Davis
    November 6, 2014

    That helps, Craig, thanks.

  80. Craig Moss
    November 6, 2014

    Hi Kim – I'm not sure if I answered your question completely. Let me know? 

  81. Kim Davis
    November 6, 2014

    ERM=proactive and comprehensive risk management, more or less.

  82. Craig Moss
    November 6, 2014

    Chinese enforcement and customs agencies have been cooperating with some MNCs related to trademark infringement. This is a good sign. 

  83. Hailey Lynne McKeefry
    November 6, 2014

    I would imagine that enforcement would be tough with overseas partners. LIke Kim's experience, are the contracts and requirements more of something to fall back on when things go wrong? Or do they actually raise the potential for success?

  84. Craig Moss
    November 6, 2014

    Yes Kim – the key is to transition from reactive IP protection to more proactive and preventative. The risk assessment allows you to understand and prioritize your risks. To look at probability and severity of a breach. 

  85. mdesai
    November 6, 2014

    My experience is that the Chinese officials take a long time to to contact and prosecute the offender

  86. Ashu001
    November 6, 2014

    Anyone tracking apples malware?seems to affect all chinese users.

  87. Hailey Lynne McKeefry
    November 6, 2014

    Are most of the attacks on IP targetted or more opportunistic?

  88. Hailey Lynne McKeefry
    November 6, 2014

    @mdesai, if this is a new thing, it may be the systems aren't adequate to the task. Thanks for the real-world check in…

  89. Craig Moss
    November 6, 2014

    Contracts are definitely an important part of IP protection – but they are not enough. Again – how do you become preventative? You need to allocate resources strategically and the risk assessment is a critical first step. A lot of companies don't even have an inventory of their IP. 

  90. Craig Moss
    November 6, 2014

    The first vital step in ERM frameworks is to create a complete inventory of strategic, operational, compliance, financial and reputation risks, and that inventory should include risks associated with IP. It should take into account brand protection (trademarks), registered designs, copyrights, patents and trade secrets—both those that are part of the company's own assets or as the intellectual property of others that the company must manage effectively.

  91. Hailey Lynne McKeefry
    November 6, 2014

    @Tech4People, funny you hsould mention it but i just read that 800 million Apple devices are  threatened by 'WireLurker' malware

  92. Ashu001
    November 6, 2014

    @mdesai-china can b very active when it cames to protecting communist party interests.

  93. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, making that inventory is a duanting task…and never ending since new IP is always being created.

  94. Craig Moss
    November 6, 2014

    Here's an example of being preventative with a contract manufacturer. The MNC had identified three areas where they faced the greatest risks – unauthorized use of tooling, design and development phase and disposal of overruns and defected goods. 

  95. Craig Moss
    November 6, 2014

    The white paper has a simple form for getting started on the inventory. We don't expect companies to do this overnight. It is a journey. But for things to be better in 5 years change needs to start now. 

  96. mdesai
    November 6, 2014

    One problem that we experienced had to do with test program software. We discovered that the contractor used it and sold their own products!

  97. Hailey Lynne McKeefry
    November 6, 2014

    @mdesai, how did you discover that was going on? It seems like it would be easy to miss. they were probably playing the odds.

  98. Craig Moss
    November 6, 2014

    At CREATe.org, we outline the elements of an effective IP program into eight categories. These include:

    Policies, Procedures and Records

    Cross-functional Compliance Team

    Scope & Quality of Risk Assessment
    Management of Supply Chain
    Security and Confidentiality Management
    Training and Capacity Building
    Monitoring and Measurement
    Corrective Actions and Improvements

  99. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, that seems pretty comprehensive. Can you say more about what's involved in the category of management of supply chain? Also monitoring and measurement. What and how does an organization measure?

  100. mdesai
    November 6, 2014

    The customer who received the fake parts contacted us regarding operating problem with parts they received!

  101. Ashu001
    November 6, 2014

    @mdesai-the contractor was very very smart!no doubt about it.

  102. Craig Moss
    November 6, 2014

    Supply chain includes the contracts with third parties and the due diligence. In terms of monitoring, it is focused on monitoring compliance to the policies and the effectiveness of the procedures. 

  103. Craig Moss
    November 6, 2014

    There was a situation where an MNC electronics company discovered their largest distributor was selling 20% counterfeit goods. They didn't want to take it public but they needed to control the situation and eliminate the problem. 

  104. Hailey Lynne McKeefry
    November 6, 2014

    @mdesai, did your organization have recourse?

  105. Hailey Lynne McKeefry
    November 6, 2014

    @craig, so what did the MNC do? Counterfeiting is a huge problem in our industry–and we are always scrambling for good answers.

  106. Craig Moss
    November 6, 2014

    Taking legal recourse was one option, but this would destroy the relationship and hurt stock value. Instead they instituted a new procedure for all distributors that had much tighter inventory controls. The problem was eliminated in 18 months. 

  107. Hailey Lynne McKeefry
    November 6, 2014

    At the same time, if everyone gets more aware and demands greater compliance–then it should be better for everyone.

  108. Craig Moss
    November 6, 2014

    This is an example of the legal and management systems working together.

  109. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, that's a great story. I would have thought it would take much longer than that…and they were able to salvage the relationship. I imagine that they realized that the counterfeit goods weren't being sold on purpose.

  110. Craig Moss
    November 6, 2014

    Creating a culture of IP protection is part of our long term mission. Look at the culture of quality that has arisen over the last 40 years. 

  111. Hailey Lynne McKeefry
    November 6, 2014

    Yes…we started talking about six sigma quality at least 25 or 30 years ago.

  112. Craig Moss
    November 6, 2014

    In the case mentioned, you have to assume that at least some people at the distributor knew what was happening. But using systems and controls makes it clear whether people are intentionally violating IP or it is sloppy. 

  113. Hailey Lynne McKeefry
    November 6, 2014

    Over time though it will be a cumulative effect hopefully.

  114. Hailey Lynne McKeefry
    November 6, 2014

    We are coming to the top of the hour. I invite any last questoins for our guest!

  115. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, i guess i'm naive!

  116. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, looking forward, as an industry, where do you see IP protection evolving? What's on the horizon?

  117. Rodney Brown
    November 6, 2014

    Craig, will it take 25-30 years to get everyone on the same page abut IP protection, like it has for quality?

  118. Craig Moss
    November 6, 2014

    I agree Hailey. In the global supply chain, factories and vendors often supply many different customers. Distributors typically work with many brands. It is in every legitimate business' best interest for IP protection to improve.

  119. Craig Moss
    November 6, 2014

    We see IP protection being integrated into a more holistic third party evaluation. Looking at financial stability, capabilities, labor, health and safety – and IP protection. We think that there will be an interesting intersection of legal, management systems and technology to help reduce IP infringement too. 

  120. Hailey Lynne McKeefry
    November 6, 2014

    @Craig, that aligns with what we see happening in all areas of the supply chain.

  121. Craig Moss
    November 6, 2014

    Rodney – I don't think it will be 25 years. The pace has accelerated. We already see companies realizing that they can gain a competitive advantage through better IP protection. I'm hoping more like 3-5 years for the first major wave of leaders and then 5-8 years for the next wave to catch-up. 

  122. Hailey Lynne McKeefry
    November 6, 2014

    That's a very hopeful note to close on! Craig do you have any last thoughts for us?

  123. Craig Moss
    November 6, 2014

    Two things.

  124. Rodney Brown
    November 6, 2014

    Fingers crossed, Craig.

  125. Craig Moss
    November 6, 2014

    Remember it is a journey. But you need to start somewhere. You need to measure where you are now because you can't improve what you don't measure. 

    #2 – feel free to look at our web-site. We have a lot of resources available to use inside your company or in your supply chain. Feel free to get in touch with me. 

  126. Hailey Lynne McKeefry
    November 6, 2014

    Thanks, Craig. This has been a great chat. Please do take a look at the white paper in Craig's latest blog titled Live Chat 11/6: Enhance IP Protection Through Existing ERM Programs

  127. Craig Moss
    November 6, 2014

    Thanks Hailey. Always a pleasure. 

  128. Hailey Lynne McKeefry
    November 6, 2014

    Thanks for the time, and thank you everyone for the great questions. Next week, we're talking about the related topic of cyberthreats. I hope you'll all come back!

     

  129. mdesai
    November 6, 2014

     

    Thank you

  130. saiopen
    January 2, 2015

    Nice article good one information you provided in this site helped me

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.