LeastTrust IT

Transcript – Discussing crown jewels, trade secrets, and Intellectual property and how to protect the data?

Hello, hello, hello, happy Friday! Wow, look at that, right on the dot. I timed that pretty, pretty well, huh? Tim, Tim was like, “Hey, how many more minutes before...” I was like, “Oh crap, we gotta go,” click. We were all bantering in the green room and I literally just shut everybody up and hit go. So hey, welcome, happy Friday, uh, November 3 already. Oh my goodness, where the heck did the year go? My gosh. Uh, so Halloween is done. Is it time for our Christmas decorations? We can just forget about that thing with the turkey in between? Or like, how was everybody’s Halloween? Jesse, did you take the kids out there and do some treating and get...

So there’s not much to, to trick or treat around here, but what I will say is that, uh, one thing that I did this year that I’ve never done before is I left my Christmas lights up all year round, so I don’t have to put those up. They’re still on the house, and I can hear my, I can hear my dad’s voice coming down from above saying, chiding me and chastising me for not taking those Christmas lights down, because he always hated that.

Truth be told, I never take mine down, only when they’re broken and I have to replace them, so I’m right there with you, right? And generally it’s like, oh, I’m like looking outside, it’s like 90 degrees in July and I’m like, I should probably deal with those Christmas lights, and then I think about it and actually do it in like four, in like four feet of snow. So, so this week, uh, insiders, yeah, insider threat, is that even a thing? Like, what the heck, what are we talking about? IP, like intellectual property? Like, hey, we got some really special guests. Let’s just take a minute here and allow everybody to kind of introduce themselves, and while you’re up first, C, thank you for joining us. Tell us a little bit about yourself.

Well, thank you so much for having me. It’s a pleasure to be here on your podcast today. I’m Katherine Marin yakub and I’m a principal with Control Risks. I’m based out of our New York office and I support clients to manage, uh, and mitigate their insider
risks and help protect their intellectual assets.

Great, that’s awesome. Are you, is like a, is that a virtual background or is that like your office?

It’s the office.

Wow, that’s like super cool, because you know, I got the fake olive tree and, you know, whatever, but I like the stripes, glass door in the brick, it’s really cool. And so up next we have our good friend John. John, why don’t you come off mute and say hello, my friend John.

Yeah, thank you very much for having me, all the way from the UK. So Halloween is kind of a, an American thing that’s really taken off over here, but my kids are far too old, so haven’t been involved in any Halloween things. Uh, I’ve been in IP, I think it’s 22 years now. I met Tim back in 2010, I think it was, uh, and we worked together in IP, uh, then, and we followed similar paths maybe, but the last maybe six years we, we’ve sort of diverged. I’ve stuck with IP strategy and, and Tim sort of got the, the information security component of that, and to be fair, to be honest, I’ve only just really woken up in the last six months to the importance of the intersection between protecting, defending intellectual property and the whole intersector management of information security. So really pleased to be on this call today, because I think there’s a lot of really interesting, interesting stuff for business. So I help businesses with IP strategy and, uh, you know, my point going in today is that everybody is gonna tell you they’ve got trade secrets, everybody depends on trade secrets, but nobody, next to nobody, can defend their trade secrets, and that’s where it’s at, and that’s where I think we might have some good conversation today. So thanks for having...

Awesome, glad to have you here. Hey, hey Jesse, what’s going on in your world?

Yeah, we sh-, we got some news. We’re expecting our third, so it’s a, I guess it’s LinkedIn official now.

Congratulations, my friend, that’s very exciting. Um, your third, yeah. Any, like, any hints on, like, do you do like the whole gender, boy, girl, whatever it happens to be, pink, blue,
yellow, green or golden?

We didn’t for the first two, but I don’t think they’re going to let us get away with it this, this third time. My, my oldest is, uh, she is quite precocious and quite opinionated, and she basically has already said we’re gonna find out, so we’re gonna follow her lead and I think we’re gonna find out ahead of time. So there you go.

And, and let me guess, we just said a minute ago it’s November 3rd, you got like the, the, like, No Shave November going on there, what you do?

Yeah, I mean, I think, I think I’ve got the crazy, I got the crazy week of November going on here, crazy start to November. So yeah, we, we’ve, um, we’ve had all sorts of things going on in the family, this speech meet at school and, uh, just, uh, yeah, I just let it go, just letting it rock.

So how’s Power PSA?

Yeah, so I’m with Power PSA Consulting. Power, uh, we help, we help MSPs build, scale and profit from security programs for their clients.

Awesome, awesome, thank you. Well, you heard it here first, Jesse’s gonna be a daddy three times over. We’re very excited for you. Thank you so much for, for, uh, allowing us and allowing our MSPs and our community here to be one of the first to know. Well, okay, people, not the first to know, but at least throwing that out there. So thanks, Jesse, we’re very excited for you. And live from Dave & Buster’s, it’s Tim Sher.

Hey guys, can you hear me okay?

Absolutely.

So yeah, I’m really excited about this episode. We’ve been talking about this for a couple months now. Uh, worked with John prior as global intellectual property broker for a couple years. We were the biggest, you know, patent and IP broker for a while, and really moved over to cyber security, uh, couple, you know, a couple years at the Big Four, and it’s amazing, as patents have kind of been diminished and trade secrets have become more important, um, there’s really been this collision between, you know, intangible proprietary assets at firms. And let me just tell you, small businesses, you have intangible assets, whether it’s customer list, whether it’s, uh, what
we’re spending on Google AdWords, whether it’s, you know, the firm’s finances. There’s so much intangible internal assets that you don’t realize insiders have. So I think largely on this episode, we usually talk about insider threat as someone who gives away his credentials and gets hacked, like MGM or something like that, but today we really want to talk about, you know, this enormous potential risk, which is a potential opportunity for, you know, outsourced security providers like MSPs and MSPs and vCISOs to really make a difference for their customers, to really help them protect it. And it weaves in extremely nicely with kind of what everyone does here on the phone. I mean, um, you know, Tim Golden has a fantastic compliance risk, you know, uh, you know, GRC tool that can help you, you know, put things in place. Jesse’s helping vCISOs really get left of boom and be protective and, and increase their posture. So, you know, really excited about this episode, where it’s going to go. So like I said, be patient here, and I, I think there’s real opportunities, whether, you know, no matter what your maturity is as a, as a service provider. Um, you know, we’re really excited about that. So why don’t, Tim, I’ll kick things off. I know I’m a little long in the tooth here. I’m Tim shner from cavello. We, you know, I’m really excited about the tool we work with, because we have playbooks and tools to help track, prevent, investigate insider threat, which I think, like I said, if you don’t come away from this episode thinking that insider threat isn’t a big deal, it really is. So, um, why don’t we start with Katherine, um...

And I don’t get an intro? Well, thanks a lot, fine.

I mean, you, you started the show, so I thought you had an intro. Go.

I actually have an anecdote, a story, like I always do, to share that is really about IP, intellectual property. And before I do that, can you fix the little thing on your microphone, because it’s kind of like falling off and I’m like, it looks very dumb. So anyways, Tim Golden, founder of compliance risk, Compliance
Scorecard. Um, this whole concept of insider threat, right, or intellectual property, right, we’re going to dive into this here a little bit more, but I have an anecdote for you. So, uh, those of you that know me know that I was pretty heavily involved in the beer community here in New England, and several years ago, probably 10, 12, don’t quote me on the dates, um, there was a very popular beer that came out once a year, this time of year. Uh, we’ll call the beer, um, I don’t know, um, Bobby, I don’t know, whatever, it doesn’t matter. And this was a very special beer, and they took a lot of time to promote it, to, you know, to brew it. It was only limited, very limited, very exclusive, right? And so it became very popular. Everybody rushed to this brewery to get this beer, back before this big beer explosion, and every year they’d come out and every year that... And so fast forward five or six years, they’ve built this brand, they’ve built this cult following. The beer was amazing, by the way. And for whatever reasons, we won’t, you know, I don’t know the details, the brewer and the brewery parted ways. Here’s the problem: the brewer owned the recipe. The brewery that invested all the marketing and all the stuff and all the whatever to build out this great brand around this amazing one-of-a-kind product didn’t actually own the rights to make the product. So the person left, started his own brewery, renamed it. Everybody that knew him and knew the beer all went over and followed the new beer and the new brewery, and they were left holding the bag, right? So how does that relate to us as MSPs, and how does that relate to our clients? Well, I think that’s why we’re all here today with professionals like John and Katherine and Tim and the rest of us here. How does that all play in? I think that today is a great topic to learn: hey, your brewery went out of business because you didn’t own the rights to the actual recipe. All right, I leave with an anecdote and everybody goes silent.

Yeah, I think, Tim, I’m... I apologize, and, um, I’d love to
kind of just kick this off, and Katherine, you know, Katherine go first, then John, really about, you know, talk about some of the engagements that you work in. I know you can’t get too specific, and, uh, you know, this is a, this is a very kind of sensitive subject, obviously, so we won’t talk about country or anything like that, but really talk about some of the strategies, um, that you’re using at a high level to protect mostly large organizations, I’m guessing, some medium-sized organizations. But like, what are, first of all, like, what are some of the big misconceptions, and what are you, what are you doing to help these, these companies, like, navigate? There you go.

Thanks, Tim. Yeah, so I, you know, as far as misconceptions, I, I think a lot of companies just, just think about, all right, we’ll, we’ll do training, uh, to talk about data protection, um, protecting our critical assets. That’s usually done when employees are onboarding into the organization, and then not too much else is really done about that, and employees generally don’t really understand, um, the types of data that they’re handling and the impact that it can have if it’s, um, disclosed or, or compromised. And so what companies really need to do, getting to your second question there, um, Tim, as far as, uh, measures that companies can take, uh, I would say first and foremost is companies need to identify what all their critical assets are. Um, so not just their IP, uh, not just their intellectual assets, but everything else, as you mentioned, right? It could be, um, you know, marketing strategies or, um, pricing or customer lists, uh, or it could be their, you know, yearly strategies. And so trying to identify what all those critical assets are across the organization, um, and then where they’re located, and who has access to them, and who the owners are. And it’s a painstaking process, it really is, the first time that you do it. However, after you do it the first time, it’s really easy to tweak. Um, it should be done very frequently and routinely, at least on an annual basis, um,
but more importantly, um, to track those who enter the organization, move around within the organization, or separate from the organization. So, um, once you have that done, it serves multiple purposes and it, it really pays back, uh, dividends. So that also allows you to see where you need to focus your, um, your controls and your measures, and really zeroing in on those, uh, crown jewels, if you will, of, of the organization, and prioritizing where you’re going to spend your money and your effort, because quite honestly, there isn’t enough time or money, um, to do everything. And also when there’s, um, you know, a disclosure or, uh, unauthorized disclosure of these intellectual assets or critical assets, it’s, it becomes very easy to triage who has access, where they, they are, um, when something happens, when there’s an actual incident.

Good, good perspective, thank you, that’s great. And John, um, why don’t you talk about some of the consequences and, you know, maybe fast forward into, like, the future, and lessons you’ve learned, right? Like looking backwards, things I needed to do, or things you should do, or things you should make sure you secure, right? And that’s an open question. So John, you’re on mute, but, uh, love to hear your thoughts.

Very broad question, and I, I completely concur with what Katherine’s just said, but, you know, vis-à-vis what I do, I think Katherine is far more large companies. I’m generally SMB, I would say up to about 500 people organizations usually, some, some, some a little bit bigger. Uh, but, but the issue I have really, Tim, is people come to me when it’s too late. They come to me when there’s an issue, and, and the whole purpose, the whole mission for me is to try and get people to be proactive, because ultimately what you’ve got is, you know, as I said at the outset, they, the, at the beginning there, it was like, everybody’s got trade secrets, right, but nobody can defend them. Nobody can defend them, because as you said in that scenario where somebody walks out with a customer list, yeah, yeah, we’ve got a case, they walked
out with a customer list, and as I think I, I heard you say, but this, there’s, there’s case law around this. Okay, so, so we go to court. The judge says, you need to show me that he knew this was the, the customer list was a trade secret. You need to show me that it was managed as a trade secret. You need to show me that he had, or she had, you know, contracts that required him to defend trade secrets. Because if none of those are fulfilled, then there’s no ca-, there’s no case to answer, and that’s what you find in most cases. You know, you don’t, you don’t actually have, uh, people think they’ve got trade secrets, but people don’t actually put the structure around them to enact a trade secret program. And the issue with, we’ve got here, Tim, is, Tim schn, sorry, at the head of the program, you know, 12 years ago, for, you know, 10 years ago when we were working on this in a big way, the world was around patents, and I think as you’ve alluded to, patents are no longer what they used to be. You know, in your courts in the States, when we go to the court with our patent, 75% of the time the claims in those patents are found to be invalid. So everybody is now saying, IBM are now saying, you can’t really rely on patents. You need patents, but you need trade secrets. Now, when people say IP, they think patent and trademark, as you said. They don’t think know-how, expertise, confidential information, and they don’t, well, they may think trade secrets, but they’re unregistered, right? So there’s no governmental-driven program for you to put in place to capture that. And as Katherine’s just outlined, there are steps you need to take, but in my experience, most organizations are not taking those steps, and that means they’re going to fall over. Yeah, yeah, they may think they have trade secrets. 80% of execs in a recent EUI study, Economist, Economist Intelligence Unit, EIU study, said they got trade secrets, but 80% of those hadn’t put the processes in place to manage and defend those trade secrets. And they’re big companies, by the way, that’s, that’s not
SMBs, and that’s a lot of what, what I tend to talk about, right?

So right in your wheelhouse, right, Tim, and it sounds, there’s the softball, right? Everybody likes to talk about CIS controls, right? Everybody likes to talk about, you know, where do we go, what framework, right? So we talk a lot about CIS IG1 asset management, but when we think asset management, we think, uh, switches and printers and laptops. We don’t think about, like, uh, customer lists, or in the case of the brewery, the recipe, or other aspects of the business, right? So, you know, there’s a lot of different things to consider in the asset set category, right? This is why having, what, two parts: a data, data classification document, like things like canell can help you do, you know, classifying the data, but even before that, having an information classification policy talking about information that’s within the business, right? You know, we do hear a lot about PII or social security numbers or, see, we hear about those things. We don’t ever really talk as an MSP to our customers about customer lists, um, patents, yeah, we mentioned that a few minutes ago, but like their secret sauce on how they’re doing their business, where their data, all those other parts of the business that we just tend to, like, ignore or forget or not even think about, right?

Yeah, and I, and I think, you know, both John and Katherine said one thing each that kind of perked my ears up. Something newer that I’ve been doing with my clients as I onboard them to vCISO services, and that’s, uh, you know, crown jewels, thinking of them as crown jewels, and then actually showing that we’re managing these trade secrets as trade secrets. And so, uh, there, there’s a, a GRC software that I, that I’m using for a couple clients that have a lot of this, this information, and they take you through what’s called a crown jewels exercise. And so the, the, you get all the executives in a room and you do these workshops to say, hey, what are our trade secrets? What are our M&A? What is our road map, formulas, all these
different pieces of data. You know, was like, well, yeah, like, what about this server? It’s on that server. And it’s like, no, we have to think more about the data. Let’s talk about the data, and then we can map that through to our assets, right? Let’s identify what the trade secrets are, what are our most critical crown jewels, and what constitute an existential event, right? Because trade secrets walking out the door, it’s not like a ransom where you’re immediately down in the water, but that could have been an existential event one year from now, when your competition and your competitive edge is completely eroded because of it. So I think it’s really important that you start identifying those, especially at an executive level, and get buy-in on the program that we’re going to start managing these trade secrets and protecting them as such. And so I really appreciate both of the perspectives that John and Katherine brought to that.

Yeah, so Katherine, um, I was going to talk a little bit about, like, when an employee joins a firm, what are some of the things they, that lock in those, those trade secrets or intangible assets? You want to talk a little bit about, you know, contracts and things like that?

Yeah, sure. Um, I, I would even back up a little bit before the employee is onboarded, um, and want to emphasize the importance of screening employees, um, particularly those that are going to be filling high-consequence positions. Um, you want to, you want to try to eliminate bad actors from coming into, to the organization as, as much as possible, because once they’re in, then you’re dealing with a lot of issues, right? Um, but screening is so important, and many organizations do background checks, many of them don’t, um, and when they do background checks, they’re pretty minimal. You’d be surprised at how many organizations and companies don’t, um, check the, um, you know, education, um, and degrees, right? And it, and that may not seem like a big thing, but there’s so many employees who do lie about that, and, and it becomes an
integrity issue, right, which can then lead to other behaviors once they’re in the organization, right? But verifying their past employment and, and what they did, and, um, speaking to references and past supervisors, um, to determine if there were any issues, um, is so, so critically important. So, um, very important to, to really start at the very, very beginning. Um, and then of course, once they come on board, to get that training, uh, about how to handle those intellectual and critical assets in the organization, and that shouldn’t just be done, you know, it’s not one, one-and-done. Um, that should be done at least on an annual basis, um, and then have continuous awareness throughout the year across the workforce. But, um, yes, absolutely, Tim, you know, having those agreements in place in the employee contract, uh, as far as, you know, how they’re going to protect company information, uh, confidentiality agreements, right, NDAs, non-competes. Uh, if, you know, now they’re looking at doing away with non-compete agreements in some, in some sectors, so that’s even more of a reason for companies to put in those extra measures in place.

Good points, really good points. Go ahead, ahead, we’ll get to shanes in a minute.

I was just gonna add a quick rider on to that, is that, you know, especially with the non-competes and, and those being irrelevant basically now, is like, how do you control residuals at all? It’s almost meaningless, right? So yeah, anyways, yeah, go ahead, John.

So Katherine’s point, that, that just underlines and re-emphasizes the importance of trade secrets, that non-competes are eroding. If you’ve got a trade secrets program in place, right, that’s how you defend your confidential information and know-how these days, because, uh, because non-competes are not sufficient. I, I just wanted to pick up on NDA, because I think they are absolutely essential, but I think they are utilized in a very loose and fast way. I, I keep saying to my clients, okay, so you got an NDA, so you’re good, right? Well, yeah, we’re good. Okay, so, uh, how do you detect if
somebody’s taking your confidential information? How can you detect it?

Right, how do you know? You have Cav-, right, Tim? How do you detect it? Well, you label it appropriately, you have a, see, you have a procedure, you have enforcement stuff in those policies and procedures that employees have been trained on through handbooks and other stuff, then you use cavello to actually... I’m sorry, I dig...

No, so John, Tim’s jumping right ahead to the court case, John, right, in three years from now. It’s like, like I, I kind of asked you before, I’m like, if you could do it all again, right, you’d have great contracts, you’d have an NDA, you’d have trade secret catalog, then you’d have the actual cyber security tools enforcing, enforcing...

New term, new term: trade secret catalog. How many people have actually talked about trade secret catalog, catalogs?

I’ll let John, I’ll let John do that one, but, you know, the digital paper trail is possible now, where you can catch these people red-handed. And I don’t know what movie it is, we like, don’t get caught, right? Like, well, now guess what, you will get caught, and as soon as more people are caught, we can build, you know, people will understand that, like, they get in trouble. Anyone has a friend or people they know in finance, like, people get caught for this all the time, like taking a deck out of a, you know, out of a bank or something, or, you know, people actually do get caught and there are serious consequences. So, um, it’s less, it’s less common in the, in the SMB world. Um, it, it will become more common, right? Like John said, like, uh, non-competes aren’t existent, but like, there are ways to go about it here, where, by the way, when you work somewhere, just because you made that deck, it’s not yours. I’m sorry, like, you don’t get, you don’t get to walk out the, out the door with it.

The customer list, yeah, that’s right, that’s right. So I’m literally going through an employee contract today and I, there’s a big paragraph from our legal team about work product, and I was like, oh, that’s a good idea. Thank
goodness I have lawyers that know that stuff better than I do, because I’m like, oh yeah, like, I don’t want them stealing my decks, well, or whatever. But yeah, interesting thoughts, interesting thoughts.

John, why don’t you define a trade secret catalog and why it’s important and what it, what it does for you, what kind of leverage it gives you?

Yeah, perfect. Uh, and it carries on from, I think Katherine mentioned having a list, you know, just identifying what it is you’ve got. I think the first thing I say to clients is prioritize: which, what information would you least like your competitors to get their hands on? If you left your business tomorrow to set up in competition, what would you really like to take with you? And that starts to help people to prioritize, as you said, what’s exist-, existential, you know, what’s going to damage the, the sort of the bottom line, and, and so on and so forth. You put in, in that kind of priority, you get to start to get the list. You then need to capture the trade secrets, and that’s this, the catalog. So you need a cataloging system to manage them, and you’re not actually containing, you’re not actually capturing the actual trade secret here, you’re using metadata to describe it. So the description, brief summary of what it does without revealing the, the secret sauce, and then, you know, who’s, who’s responsible for it, who invent-, who came up with it, sorry, who created it, what dates, the date of origination, really important, you know, who it’s been socialized with, under what contracts, when those contracts, did you, you know, etc., etc. And you do it once, but you have to keep on top of it, so it’s a three, six month, 12 month review cycle on that. So there’s two separate things, I guess, there, a, well, maybe a, a rough list and then a catalog on a system. But then you also need to document the trade secrets. You need to actually document those separately, because you need to be able to point back to 5th of December 2017, when you actually came up with that customer list or that know-how. You need
to be able to prove that you had it at that point in time. So again, really interested to hear what you guys have got to say about date stamping, you know, what technology would you use for digital rights management to show that you had that document, you know, as of 5th of December 2017. Really important, of course, as well.

Absolutely. Katherine, do you have anything you want to add to that? Sorry about that.

No, um, yeah, I, I totally agree with, um, everything that, that John has said, um, and I know Tim mentioned it a little bit at the beginning, the importance of having a data classification program, uh, within the organization, for a couple reasons, right? First is, when you label documents as, I know, business confidential or sensitive, um, or public, there’s no excuse if employees really mishandle it that they didn’t know, because it’s, you know, there’s a big label right there staring at them in the face. Um, but, you know, with that you need the training, um, and again, repetitive training of how to handle, um, these different levels and classifications of information, um, how to, how to store them, how to travel, or, you know, when they’re in transit, how to dispose of them, and that has to be constantly, um, reiterated so people don’t forget. But I think going back to, um, you know, what, what John was mentioning and, and that, that, you know, timestamp, um, and, and John, this is probably more in, in your lane, but when you demonstrate that you have taken measures to try to protect certain types of information, in this case IP or intellectual assets, and there is an incident of IP theft that happens, or, you know, some kind of disclosure, or, you know, corporate espionage, then, uh, especially from an insider, then it has teeth, um, from a legal perspective, that it demonstrates that the company did take certain steps to protect that data, um, to, you know, make it stand out from other data. Um, and this way, when it does go to court, um, they, they can demonstrate that.

Awesome. Yeah, so, so it was kind of funny, because, you know, we do, we do our
documentation reviews, you know, frequently throughout the course of the year, month after month after month, and I was like, I was looking at the information classification policy that was written in 2006, and it literally talks about business, you know, identifying stuff within the business and labeling it BI, right? Instead of PII, it’s business information, right, instead of personal information, right? And, and, and John, I think you brought it up about metadata, right, and date-time stamping of stuff. Yeah, so there are, like, some kind, like, put a document on your computer, it gets date-time stamped, but now in this world of SaaS, where things kind of live in SaaS, actually, one of the things that we did with our product, and I’m not going to plug my product, but what I’m gonna say is, there’s an actual standardized format of how you do a date-time stamp according to the world of I... lawyers and, and people like Katherine and John. And so when I started to put this together, I’m like, I want to make sure that I’m using the international standard of date-time, and I actually had to go back to my developer, was like, change these database fields to this structure so that it meets this requirement, and, and people, and they thought I was crazy, and I’m like, no, there’s things like, you, like, lots of stuff to think about. So even just all the way down to, like, the date-time stamp and how that is formatted and measured and retained along the way.

Yeah, yeah, so, and Tim, on top of that, like, like I said, the, the cyber security tools are, you know, they’re not built for this, but they’re, they’re doing a great job enforcing it. Um, you know, as the, the actions or the activity, the data access history: what did an employee do the last two weeks before they left, what did they access, who did they send files to?

I mean, I, I, IG7, IG8, the, uh, audit logging stuff. I always forget the control numbers, don’t hold me to the numbers, but audit logging, that’s a thing.

Yeah, and then as you said, things being marked, you can even mark files with... joke
about this, I don’t know if anyone saw this on CNBC, that people were putting white text on resumes to, uh, submit, and then they’d have 5,000 words of metadata and they’d get, you know, they get an interview maybe, right, because the machine is reading it, right? But you, you know, there’s a lot of tricks: there’s watermarking, there’s white text, there’s, uh, I... It’s actually better, because Katherine said, you know, it clearly says confidential, clearly says trade secret, clearly says this, I’ve got an employee contract that says don’t misappropriate that. Um, so, you know, it, it’s really fitting nicely into left of boom, people and pro-, people, processes and technology, like, all this stuff can, can really slot into Tim’s policies and procedures and, and things like that, and then you, you really have the tools here to, to enforce it, right? And the more people that get caught, unfortunately, like, you know, people will be afraid, like, of actually getting caught, and be, you know, and realize that they just can’t walk out with things, and because a lot of times it’s just really obvious. Um, and, and that’s how those... but we talked about, I don’t know if we talked about Uber Waymo, right? Like, that wasn’t a patent trial, right, that was a trade secret case, right? They walked out with autonomous driving patents. Clearly most of our clients are not autonomous driving companies, um, but, you know, they, we, they still have, uh, customer lists and, and, you know, they just have so much intelligence about the company. And by the way, when that employee leaves, they’re not going to some random company, they’re always going to the direct competitor, right? Like, I’m going to use those skills and bring them across the street and go to the direct competitor. So I see Jesse keep trying to chime in here, my friend.

I’m, I’m smiling because I’m thinking about, uh, a specific incident that happened, uh, early on in our MSP, and this was years ago. Uh, we had a salesperson that we, uh, caught wind that he was leaving, I don’t know exactly how, but we, you know, put some
monitoring on his on his computer and sure enough he caught him red-handed moving um customer lists out to his personal one drive yeah luckily caught him uh before he you know and confronted him about it he admitted it you know and there was some legal action uh I think the ownership was pretty uh pretty lenient and that they didn’t uh you know they didn’t litigate against him they just did a cease and desist and said hey you can’t have contact with with the rest of the company and things like that so but that was a good example of catching it so that’s where I really wanted to go with this and get a feedback from John and Katherine is yeah I think the point to that is that right once that was happened every other salesperson kind of knew like okay there’s a chance this could happen so it’s let’s not you know there’s we don’t want to do that basically um but bar barring that is there ways or are there ways now rather than you know the threat or catching someone and and being reactive what are some proactive measures that you’ve seen in the last six to 12 months that you feel are potential path forward for prevention rather than reaction so I I’m gonna let Katherine and John the experts answer that but I’m gonna chime in real quick with what I did right so I we we have a CRM CRM has multiple roles and permissions even all the way down to granular stuff as you all know I brought in Frank to help us with client success Frank is amazing I love Frank he does really good work but before I actually put Frank in the platform I set the roles with no export right not because I don’t trust Frank right not because he’s not you know trustworthy person but I went through and I managed and I edited all the granular things of who can do what now that that we did bump up to a spot where it was like hey Tim I can’t do that the platform won’t let me and I was like by Design so I mean it’s not it’s not because I don’t trust Frank I do trust Frank right he’s my employee like he 
works for us right it’s I want to be able to protect that customer list that I work so hard right now it’s just us so me yes I work so hard to put together I don’t know to take them and go on and do like no so I’m you know trying to put some you know some guidelines just like compliance put some guard rails in place right so John to answer Tim’s question uh do you have I’m sorry Jesse’s question what are some of the things that can be done well listen I’m going to disappoint you because it’s it’s there’s no magic magic formula potion here or secret sauce it’s the people you know it’s you know I think we touched on it already and I know it’s a big big topic for you guys but the key thing for any Trade Secrets program is to get your people to understand what on Earth a trade secret is and to think about that that red line on the Rev ometer on the car you know you can go to five half thousand revs but you cannot go to six you cannot go to seven because if you re reveal anything above that red line you are revealing our Trade Secrets and here by the way are our Trade Secrets this is what’s in the red line it’s really about and know so so twofold I think we we we hinted at that this earlier it’s a little bit like having that doberman on your garden gate and people going I’m not going to burgle that house because the doberman’s going to bite me so uh you know the the more you talk to your people internally and you send a message externally that you’re on top of this the less likely there’s going to be any form of theft but really it is The Insider threat and mainly it’s inadvertent it’s not deliberate people reveal these secrets because people are people they want to they want to impress they and they overshare and and secret sauce gets leaked all the time because I’m out there and I’m trying to win that contract and I want that guy to really give me the business so I’m going to tell him more than I should about that secret stuff we’ve been working on so he’s impressed so 
he wants to work with us long term bum the you know bang the Trade Secrets going so you know no magic no magic potion I’m giving you there at all Tim it is it is about the P people and it’s about prevention is better than cure and ultimately that and I know you’ve talked about this previously it’s about how do you build that into a business because you can’t impose it you have to engender it and grow it from within and you know that’s that’s you Katherine what about you yeah uh well said John it it is really is it does come down to the people and um I I think this is where culture uh within an organization plays such a key role in security and and getting the people on board um and making them feel like they’re part of the solution and and um having them understand why it’s important right so that their company can continue to have that competitive advantage and get that Revenue which means that they have job security so you know going about it that way I think um really helps to get employees on board um just from a a cultural perspective and again you know that the constant um awareness of how to protect those those critical assets I think another um another thing that is useful for companies to do is to inform their employees of you know what are the current trends that are out there and how bad actors may be trying to penetrate the organization and Target you know their employees right them specifically and what to look out for MGM there’s there’s so much on you know social media targeting for example right and um you know just it it looks very innocent and it’s you know asking employees uh you know to do a a white paper right and you know times have been difficult the last couple years from a financial standpoint and the economic downturn and so you know employees are are looking to make an extra Buck here and there and so they kind of jump on that not realizing that it could be a competitor that’s on the other side of that yeah and I and I think you know and 
I agree with that all of what everyone said I think culture is going to be your your 80/20 rule like that’s you know 20% of culture Improvement is going to give you 80% of results in terms of protecting these things right so I’m going to I’m going to go out to the fringes a little bit here and talk about some uh some extreme cases you know I’ve seen some things recently where uh hackers are using ENT people who have bad um SE Ops they’ll find out where their kids go to school and they’ll start texting them and saying hey let us like you know detonate this malware on the network your kids live here do you do you want us to come by and shoot your kids school up and I was actually reading some things about hackers doing this and I was like wow that is just insane right so what if you have somebody who falls for that and so uh you know technical controls you know I’ve seen some things like uh using Enterprise browser to put watermarks and stamps on pages so even Tim you mentioned not having export rules so uh somebody could still take a picture with their phone but if they take a picture with their phone it timestamps their name and the picture in watermarks all over the page so they’re less likely to share that because they know they’re going to be caught so I think there’s some new controls coming out that can help with that and then again as uh as everyone said you know it’s good fences make good neighbors type of thing so I think um there are some new technologies that can be leveraged for those types of things and so I really appreciate the the feedback that everyone’s given so far on that yeah you know one more this uh we’re talking about preventive measures and this isn’t necessarily preventive but you can run you can run like almost like an IP tabletop right like you could run um see how your tools are working catch someone doing something not not deadly inadvertently like John said and maybe just sit them down and warn them and say like you know this isn’t a 
major case but like we need to be more careful like this is something things like this you know are important to us like they have value in the firm and any of those conversations you can have kind of early once again setting expectations what it’s it’s worth it’s it’s worth it you know setting expectations is always important and that might just reset expect by saying oh you know the business owner didn’t like the way we did that or didn’t write this write that white paper that Katherine was talking about and kind of expose something so I think that’s one thing that you know I don’t know if that’s left of Boom or preventative Jesse but um you know you simulations tabletops happen right so they’re they can be really helpful yeah I agree I think that’s left of boom yeah because you’re doing the simulation to prepare so so so let me just let me just do a little rearranging here here put you over there uh yeah that’s good all right so let’s break this down into practical terms right we got about 10 or 15 minutes left here like I am an MSP my clients are five to seven employees right they’re not Enterprise they’re not these big with IP lawyers and privacy people and handbooks they’re not so so what do I do like I have Johnny’s Bakery I have the Brewer and they have a brewer who owns the recipe he leaves we got to start over we’re gonna find a new like what do I do how do I as an MSP walk into that Brewery or that Bakery and say listen Grandma’s recipe right like I think it’s Coke even to this day two different people have half of the recipe or something like that whatever it is right right how do we as an MSP approach Johnny’s bakery or or whatever that small mom and pop where Grandma’s recipe is the secret sauce and keeping you know the the junior Baker from grabbing that and leaving with it what do we do how do we explain that to our small customer yeah it’s Tim and and I think it’s kind of what you know Katherine or John was saying about the coming in and saying 
what’s a list of all the important intangible assets right and by the way this guy has might not even know he might not even know might not even know like and in reality is is it even the MSP’s job to bring this up but you’re bringing a lot of value if you’re going hey you’re gonna have to you know I think that was his recipe he brought it before he came in here you might want to negotiate that now right or come up to come up with some kind of agreement right so yeah I’d like to hear from John like what’s what’s a high-level list of categories or steps or uh work workflow that we should start thinking through with our clients on these kinds of things you know identify classify protect and protect his train contract Sops and then manage all the above I mean I I I wanted to just raise very quickly something that Tim picked up on Tim schow and that is we you know I listened to something you guys did previously this Falls between the gaps it’s not the IP Department it’s not the legal department it’s not the information security department it’s not the IT department nobody’s picking this up if you go to a patent attorney and say I’d like a trade secret program I guarantee I’m talking UK it’s a bit more advanced in the states 80% the patent attorneys IP attorneys I don’t know what you’re talking about we don’t do trade secrets I’m not quite sure honestly I’m not quite sure how to deal with it so you people aren’t getting that education in my view and I think you know we sort of share this perspective trade secrets are probably one of the the most important intellectual property right that any business has but you know as people don’t understand IP they definitely don’t understand Trade Secrets and so that’s the bit that’s the kind of elephant in the room there no nobody’s got responsibility for it nobody really understands it and nobody’s putting this thing to uh to bed properly I I also just wanted to very quickly sorry uh NDAs you know I know what you said hey what you 
said Tim golden but NDAs are you know you’ve got to you got to convince yourself before you sign an NDA two things one is does the person I’m signing this NDA with understand trade secrets are the people hopefully there’s their numbered listed I know he was going to be sharing this trade secret with do they understand trade have they been trained on it have they got a contract that obliges them to protect and defend Trade Secrets because if they don’t I’m not sharing my trade secrets with them right first point second point I guarantee that every NDA you’ve ever come across has a term five years 10 years usually three maybe five that’s useless for a trade secret because if it’s my search algorithm from Google right that’s protected by Trade Secrets I don’t want that to have a term if I’m sharing it with you not that I’d ever share it with you right exactly years three years is useless because my trade secret can go on forever if it’s as long as it’s maintained as a trade secret that can go on forever okay we can talk about the Coca-Cola recipe is kind of apocryphal but you know that has gone on forever great secret can go on forever unlike a patent that expires after 20 years it can go on forever a patent by the way really important but every patent starts Life as a trade secret and then you determine what you want to patent because you’re worried somebody else is going to invent you know skill in the art can invent to and get there quicker so you patented but patenting is I’ve heard you guys say before you’re making that public you’re sharing that with the world so you know I’m going to retain some of that as confidential I’m going to retain some of that as trade secret because I don’t want to share absolutely everything with the world so uh I I as Tim says i g a bit long in the tooth there so I could tell it but yeah did that help did that answer your question at all is that just yeah it very helpful thank you yeah I feel like you’re trying to chime in there yeah 
I I I would love to um kind of expand on something that John said uh where he said you know things kind of fall through the cracks and you know who who has ownership and I see this all the time with with clients where you know they they ask you know who should own this right and I think it’s so important to yes you have an owner you you select a business function but it’s absolutely critical that you have cross collaboration across the organization where you involve cyber and legal and HR and security and you get them all together to um put processes and and policies in place from you know before an employee even comes into the organization all the way through to separation and so that there’s that communication and the connecting of dots so when there there is and you know prior to prior to Boom prior to that incident is you know determining what is happening with an individual within the organization a right HR has a certain perspective where maybe an employee um was you know didn’t get a promotion and is disgruntled and that same employee is trying to access files that they don’t have authorized access to for their particular role um and you know then you you look at security where they’re coming in at odd hours um you know of the work day that doesn’t align with their roles and responsibilities each of those things in the eles aren’t a big deal but when you kind of piece all of that together then you you you know connect the dots and think well there might be a bigger issue here so you absolutely need that cross collaboration good stuff really good stuff so we got we got add on that falling through the cracks right um this still happens like I would say 90% or more of Fortune 500 companies there is no one in charge of Trade Secrets which is crazy because like intangible assets or intangible you know if you did an accounting exercise and you looked at most organizations John knows this extremely well I’m sure Katherine does as well but most of the value of the 
company is not in like plant and you know people and and and and and assets that they own right it’s an intangible asset it’s this extra either brand or know-how or trade secrets sauce right so um it is crazy that Mo even very Advanced organizations are just starting to pick up on this and just starting to protect it because it’s there has been this shift away from patents um so it’s I like I said small businesses this is actually a fun conversation for an MSP to have or an MSSP to have between them and a small business right like Tim like what are you know in the brewery like that’s a great example right like let’s talk about like what what has value right like when you when we get this on the store shelf like how do we like why do people drink it and why do people buy it right so anyway exactly so um so be thinking about uh what we tend to do is the one key key takeaway but before I do that I want to kind of show a little thing bit over here right so um let’s see am I gonna do this all right so it isn’t good so so um yeah all right so before we kind of end the show with one key takeaway um I just want to talk a little bit about hey IT Nation next week Thursday team Tim is coming to you live on stage right so Jesse myself Tim um Alex farling will be joining us all MC’d by our good friend Kyle Christensen uh Alex Kyle and Wes Spencer all part of Empath Tim golden Tim schneer and Jesse over here at Team Tim and yeah we’re gonna be talking about some KPIs we’re going to be talking about the better dashboard you’ll be able to come and see us live on stage at IT Nation Thursday at 3:30 how’s that for my radio voice and so before we uh wrap up I’m very excited um everybody be thinking about your one key takeaway because we’re gonna jump right into that right now and since we’ll start with I don’t know I’ll start with me because I you know here talking can’t shut up right drag me over here and do this so my one key takeaway for um for MSPs and starting to have the 
conversation with your client around Trade Secrets I wouldn’t even use the word Trade Secrets when I’m doing that QBR when I’m having that business conversation ask them if you were to quit today what is one thing that you would take when you leave just ask them that one question right you as the business owner if you were to quit today what’s one thing that you would take with you when you go that’ll start to strike that conversation right Jesse what about you what’s your one key takeaway I’m going to go with uh gonna smash two into one here so I think I think you have tools that can help you need to start thinking about this right so this one more thing for us to think about right but it’s something that’s really important because it could be an existential event Maybe not today but a year or two years from from now so um your your data management systems or your knowledge bases those have automations now where you can create certain spaces and do automatic tagging like Confluence is one that I’m pretty familiar with right they have automations now so if you have a space that’s for trade secret the minute you create something in there it populates the tag you export it puts the tag on it there’s all those things you can do right so technical controls uh the browsers that put watermarks on things and just create an an atmosphere that employees know that these things are being monitored and like good fences create good neighbors and so that’s that’s my takeaway for today awesome awesome and as you can all tell I just lost my camera it’s doing all kinds of weird things so uh Tim you go next yeah so um you as I mentioned I’m not going to mention certain vendors but these tools are doing things anyway maybe it’s for compliance maybe it’s for um evidenc in compliance or like data access right like auditing uh identity access management tools the tools are out there um the better the fence you can build as Jesse uh talked about the better the neighbors are going to be so 
the better you can combine it um the better um this same topic I talked to Chris Johnson from uh MSP 1337 I just threw that link in there earlier in the week so if you want to hear more on this uh there’s another 30 40 minutes for you yeah good stuff good stuff and John what about John what about your one key takeaway and we’re gonna wrap up with Katherine right behind you yeah I can do one uh can’t narrow down you know you know I really appreciated what you said I think the language is a really big issue you know if I trade people go Espionage you know James Bond we don’t we don’t do that and and it just puts people off straight away so you’re absolutely spot on to mention that I I’d say two things the list and then the people uh as Katherine said and I hope I’m stolen yours Katherine here get people engaged in the solution that’s the most important thing and then last but not least Katherine do you have some takeaway for us um so my takeaway would be when considering um intellectual property intellectual property intellectual assets critical assets don’t only look internally to your organization um and your employees uh you know compromising those assets but you have to think about the third parties that have authorized access um to them um because they can pose a huge vulnerability to your organization and so that can be contractors suppliers vendors uh even Partners JVs and investors so um be aware of what you’re sharing uh do they really need to have access to those critical ACC to those critical assets and um you know try to try to lock that down and put measures in place awesome awesome and so with just two minutes left I’m gonna pop this one up here let’s see clickity clack so for those of you that joined part one of getting a seat at the table we’ll be continuing on the conversation from IT Nation next week on the following week which is uh the 17th team Tim will not be live next week on LinkedIn we will be live in person at IT Nation uh I uh someone asked 
will it be recorded I don’t know but if it is we’ll see what we can do to try to get the recording or whatever I don’t think it is it’s only like three rooms for some reason it’s not one of ours so all right so okay it won’t be recorded um at least not officially there’s always a way anyways there is anyways uh we’ll be following that up on the 17th with our good friends Wes Kyle and Alex over at Empath if you haven’t checked out Empath uh and you want to help educate and level up your MSP and your people within your MSP go check them out good friends of ours uh they’re doing really great stuff over there but we’ll be back with part of getting a seat at the table where you can then start maybe even talking about Trade Secrets intellectual property all of that fun stuff that we’ve literally been talking about today um so yeah join us next week we’re so glad to have you here I wish my stupid camera wasn’t doing what it is but oh well I’m literally sitting holding it in place I love it but when it gets wonky it gets wonky and there we are 3 o’clock any last words before we exit thank you guys for coming on this is awesome this a great discussion John really appreciate it thank you so much and let us end with guys subscribe now