It takes a great deal of time and money to turn a good idea into a marketable end-product. What if a competitor finds out about a new technology while it is still undergoing development or testing? Everything goes to waste. Especially in Germany, which is home to some of the most innovative companies in the EU, the loss of know-how is a serious security risk that merits close attention. Despite the significance of this issue, until now there have been few empirical studies into the damage and effects of lost know-how. To address the issue, the Baden-Württemberg Security Forum commissioned the “2009/10 SiFo Study” to look closely at intellectual property protection in Baden-Württemberg. The study was conducted by the Ferdinand Steinbeis Institute in cooperation with experts at the School of Governance, Risk & Compliance (Steinbeis University Berlin). It was also backed by the Steinbeis Foundation, the Baden-Württemberg Chamber of Commerce and Industry (IHK) and the Security Forum itself.
For the study, more than 4000 manufacturing and service companies throughout the whole of Baden-Württemberg were written to, using a standardized, web-based questionnaire looking at a variety of topics related to corporate crime. The issues ranged from background information on the company to security measures taken to protect trade or company secrets, the (possible) damage caused by espionage, and experience with or observation of actual instances of industrial espionage. Responses from 239 companies were evaluated, making it one of the largest empirical studies to look into the issue of security risks within businesses. Due to the nature of business in Baden-Württemberg, the major of respondents worked for small and mediumsized owner-managed companies.
More than 55 per cent of the companies surveyed were involved in research and development at their site in Baden-Württemberg, 30 per cent of them “heavily”. More than half of the companies heavily involved in research own a variety of potentially patentable (64 per cent), but not yet protected ideas. From a legal standpoint, part of their intellectual property is thus unprotected. Half of the companies with unprotected ideas said they are not yet ready for patenting (57 per cent), but also as many small and medium-sized companies view the time commitment (49 per cent), financial aspects (47 per cent) and the legal effort (45 per cent) involved in patent applications with trepidation. Almost half of the respondents complained about the lack of protection outside Germany had prompted them not to patent their products in the first place.
The survey found that just under 38 per cent of companies had been confronted with copyright infringements in the past four years, and 18 per cent had suffered after trade secrets had been divulged. Product and trademark piracy was more likely to affect companies heavily involved in R&D. Almost two thirds of these companies (65 per cent) had been damaged by an incident in the last four years.
Approximately 40 per cent of companies were affected by copyright infringement, resulting in a severe loss of sales (37 per cent), impaired business relationships (40 per cent), or an unfair strategic advantage for competitors (44 per cent). The financial implications of copyright infringement can be severe. Companies estimate the damage per case as anywhere between less than 10,000 and 2 million euros. Companies heavily involved in research are by far more likely to suffer severe damage: on average more than half a million euros (540,000 euros), with 23 per cent of respondents saying that damage was significantly higher.
Typically, business and industrial espionage involves a trade or company secret being divulged or uncovered. More than a quarter of companies heavily involved in research said they were affected at least once by espionage. It is difficult to estimate the financial effect, but the average figure given by the companies affected was 171,000 euros, with companies heavily involved in research suffering significantly more. One in five affected companies said damage came to more than half a million euros.
Only 58 per cent of the companies heavily involved in research admitted they were doing enough to protect R&D, even though it is so important to them. Seven per cent of companies admitted their protection was “poor”. It was also noticeable that not enough attention was paid to the risk of becoming a victim of corruption, fraud, or a betrayal of confidence. Only on in ten respondents believed they could fall victim to such a crime in the next two years.
Most copyright infringements originated in the Far East, followed by Germany and West Europe. This compares to offenses relating to company or trade secrets: more than two thirds of perpetrators or organizations were in Germany – in other words, companies were damaged in their own country by their own employees, competitors, etc.
More than 70 per cent of perpetrators came from within the ranks of the damaged company and had worked there for around 10 years. On average, perpetrators from outside the company had had links to the business for six years. Almost two thirds of companies (64 per cent) thought it was unlikely that their own employees or managers could become involved in espionage. This is an error of judgment, with potentially severe implications – as the study shows. At 44 per cent, the biggest group of perpetrators is within the company.
Some companies could already do more to protect themselves. Only one in two companies surveyed took steps to ensure sensitive information is restricted. A similar percentage had its own ethical guidelines or code of conduct to compensate for poor company values and show employees what to do with sensitive information. Companies affected by espionage frequently fail to uncover malpractice through their own security or monitoring procedures. In most instances (73 per cent) incidents come to light after a tip-off from inside (42 per cent) or outside (31 per cent) the company.
The study demonstrated clearly that copyright infringements, industrial espionage, and leaks present companies with a tangible and still underestimated threat to their business. Companies must do more to protect themselves and their workers from the dangers of know-how losses and industrial crime.
As well as collecting and evaluating data, the “2009/10 SiFo Study” therefore recommended key actions designed to help companies set up networks to protect themselves from damage and optimize preventative measures. One in three companies affected by espionage in recent years indicates that there is a high risk that they will be affected again by product/trademark piracy (32 per cent) or the betrayal or uncovering of company or trade secrets (36 per cent). Despite this, companies that have been affected tend not to discover incidents through their own security and monitoring processes, and that includes IT and business security processes.