Summary
In this episode of Reasonable Measures, Chris Buntel welcomes Nick McLeod, the Principal of IP & Intangible Assets at Invara, to explore the intersection of cybersecurity and trade secret protection. Nick explains why companies still treat cybersecurity as an IT function and trade secrets as a legal issue, even though the two are deeply connected and increasingly inseparable. As more trade secrets become purely digital, the conversation reframes cybersecurity as a core part of meeting the reasonable measures standard, not a separate track running in parallel.
Chris and Nick dig into how trade secrets are actually lost in modern organizations, from employees downloading massive volumes of files before departing to negligent insiders accidentally exposing sensitive data through personal email, cloud sharing, or public AI tools. Nick breaks down how cybersecurity approaches external threats versus internal threats, using a clear house analogy to show why role-based access, monitoring, and behavioral analytics matter just as much as perimeter defenses. They also cover why tabletop exercises and incident response planning reduce chaos when breaches happen, and how strong programs create fewer surprises and less drama over time.
Takeaways
- Cybersecurity and trade secrets are two sides of the same coin. Legal protections fail without strong technical controls around digital information.
- Most trade secrets are now digital. Servers, source code, test data, and internal files require modern cybersecurity measures to meet reasonable measures expectations.
- Insider risk is both malicious and negligent. Many leaks come from mistakes, not intent, including unsafe sharing habits and uploading sensitive information into public AI tools.
- Internal and external threats require different defenses. Perimeter tools help keep intruders out, while role-based access, monitoring, and anomaly detection help control insiders who are already inside.
- Monitoring tools can stop trade secret loss early. Behavioral analytics can flag unusual activity like mass downloads or unusual transfer patterns before damage escalates.
- A successful program looks boring. Fewer incidents, fewer lawsuits, and less drama is the real sign that reasonable measures are working.
Transcript
Chris Buntel (00:11)
Hi, and welcome to the latest Reasonable Measures podcast from Tangibly. Today we are talking about the intersection of cybersecurity and trade secret protection. I am Chris Buntel, one of the co-founders of Tangibly. Joining me today is Nick McLeod from Invara. Nick, it is great to have you here.
Nick McLeod (00:36)
Hey Chris, great to be here.
Chris Buntel (00:39)
Awesome. Can you briefly share a bit about yourself, Invara, and what brings you here?
Nick McLeod (00:45)
Sure. As you said, my name is Nick. I run an IP and cybersecurity consultancy called Invara. My background is in IP, mainly patents. More recently, we have been bringing IP and cybersecurity together. We have a cybersecurity team that supports that side of things, and we are trying to look at IP more holistically. Not just registered patents, trademarks, and designs, but also unregistered rights, trade secrets, and confidential information where legal and cybersecurity overlap.
Chris Buntel (01:32)
Fantastic. When we were discussing topics, I thought it was interesting that many people treat cybersecurity as an IT issue and trade secrets as a legal issue, even though they overlap. Do most companies see that connection, or do they still treat them as separate?
Nick McLeod (02:10)
Most still treat them as separate. Even inside companies, legal and IT or cybersecurity tend to be siloed. That was one of my takeaways working in a technology company. I was protecting the IP and working closely with our IT and cybersecurity manager, and I realized a lot of our most valuable information, software, source code, test data, was being protected through cybersecurity controls. That pushed me to learn the tools and helped shape Invara.
Companies are only starting to see these as two sides of the same coin. With trade secrets, you have the reasonable measures standard. Part of that is legal measures, and part is robust IT and cybersecurity measures. Trade secrets have become more digital over the last decade. Most are stored on computers and servers, so cybersecurity is critical.
Chris Buntel (03:54)
When I talk to IT and cybersecurity teams, they often do not think they are protecting trade secrets. Legal and compliance teams often view cybersecurity as purely an IT function. The cybersecurity teams do not always see themselves as building the defenses that protect the trade secrets inside. It is interesting that both sides do not always connect the dots, but you are right.
Nick McLeod (04:27)
Totally. If you go to cybersecurity conferences, the focus is usually protecting personal data, as if that is all cyber criminals are after. The reality is different. Personal data makes headlines more often because of regulatory consequences. Corporate data loss is under reported, which might be why cyber teams do not talk about it as much.
Chris Buntel (05:13)
In trade secret cases, the vast majority come from an employee planning to leave. They log in at odd hours and download thousands of files. It is all digital now. People are not stealing physical assets or writing things on sticky notes. It is usually huge volumes of data moved through personal email, a thumb drive, or other ways to transport digital files.
Nick McLeod (05:58)
Right, and it is not always malicious intent. Insiders usually fall into two categories. Malicious insiders deliberately steal data to take to a competitor or start a competing business. But we often see negligent insiders, employees who accidentally do the wrong thing. There is usually no malice. They might believe the work they created is theirs and they can take it when they leave. Or they have not been educated on the importance of these controls. They share files with third parties without the right agreements, upload data to cloud services, or send things to personal email.
Another major issue now is AI. People upload sensitive information into public LLMs like ChatGPT, either by ignoring policy or because no policy exists. Sometimes the company finds out too late that sensitive data was exposed that way. It can happen at any level, including senior leadership.
Chris Buntel (07:55)
Yeah, anyone can do it.
Nick McLeod (07:57)
Exactly, and often it is senior employees, board members, and executives.
Chris Buntel (08:05)
How does cybersecurity differ for internal threats versus external threats? At Tangibly we often say much of the risk comes from employees, either negligent or intentional. Does cybersecurity treat those threats differently?
Nick McLeod (08:39)
Yes, it is quite different. A good analogy is a house. External threats are burglars you are trying to keep out, so you add locks. In cybersecurity terms, that is perimeter defenses like firewalls, encryption, and MFA.
With internal threats, the person is already inside the house. You manage that differently. Imagine the trade secrets are locked in a jewelry box. You would not give someone the key to every room, and you definitely would not give them the key to the jewelry box. That maps to role-based access control. You also use monitoring tools that detect unusual movement of data. You can set policies for how certain classifications of documents can be shared.
A lot of monitoring tools now use behavioral analytics. They learn normal user activity, when a person logs in, from where, and on what devices. If someone suddenly downloads 10,000 documents, that should be flagged and cut off. With the right cybersecurity measures, many misappropriation cases should be detected early.
There is also overlap because one philosophy is assume compromise, even for external threats. You manage access at the data level, controlling who can access trade secrets and how that data can move internally and externally.
Chris Buntel (11:34)
My pattern is probably too unpredictable. I have been tripped up when logging in from another country or at odd hours. But if someone has a predictable pattern, that kind of security can be effective.
Nick McLeod (11:44)
Yes. That is where AI is strong. It detects patterns and learns behaviors. It can also learn what normal network traffic looks like, not just user behavior.
Chris Buntel (12:14)
Without naming names, do you have any war stories, either something handled extremely well or something that went off the rails?
Nick McLeod (12:19)
Yes, plenty. One recent public example is an Australian financial services company pursued by the regulator after a cybersecurity breach that led to about 18,000 clients having personal information leaked onto the dark web. It was the first time the regulator took a company to court over this. The court issued a civil penalty. The case listed basic failures: no MFA, no role-based access controls, and weak vulnerability scanning and patching. They also did not detect the breach themselves. The Australian cybersecurity agency found the information and alerted them. It was a mess.
Chris Buntel (14:08)
How lovely.
Nick McLeod (14:19)
Brutal, right. On the positive side, I worked with a company that was offboarding many employees on the same day. They had a process between HR and IT that worked well most of the morning. After the exit interview, HR would tell IT to disable accounts, and employees would be escorted out shortly after.
At one point, the process broke down and a few people were offboarded but IT had not been notified. One employee had already installed software that enabled him to transfer files out of the network to a personal computer at home. He had a short window before they realized he still had access. Their monitoring system flagged the unusual activity and cut off the transfer. Some files got out, but it stopped quickly, IT was alerted, and they investigated what happened, which folders and files were accessed, and what he tried to download. Legal got involved, and they stopped it before it escalated. It is hard to know if it was malicious or mistaken belief, but it is a good example of the system working.
Chris Buntel (16:38)
Yeah, it is hard to tell.
Nick McLeod (16:44)
Exactly, but it was stopped before it became too much.
Chris Buntel (16:47)
Tangibly is proactive, designed to lower risk and avoid trade secret theft and litigation. But if litigation happens, you want to be positioned well. Do you view cybersecurity as proactive or reactive, and how does it fit in that spectrum?
Nick McLeod (17:25)
It is both. Roughly 70 percent proactive, 30 percent reactive. The goal is to prevent loss in the first place through controls, patching, vulnerability scanning, training, governance, and policies. You try to stop bad actors and prevent trade secrets and personal information from being stolen.
But you also assume someone can breach you, so response matters. An incident response plan is critical. If you are breached, you do not want to be figuring it out in real time. You want a clear plan, assigned roles, external legal counsel, and an external cybersecurity team for forensic investigation. Strong programs limit damage. Weak programs may not even realize they have been breached, or a bad actor may sit in the system for months looking for valuable data and trade secrets, escalating access without being detected.
Chris Buntel (19:41)
We have found mock exercises help. If you simulate a breach, it is less scary, and if a real breach happens it feels less new and chaotic.
Nick McLeod (20:15)
Yes, and you can make them engaging. You get key people together and make sure everyone knows their role. With ransomware, you also need a position on paying ransoms and what thresholds might trigger that. Attackers are sophisticated. It is often double extortion. They encrypt your data so you cannot work, and they also exfiltrate it and threaten to publish or sell it. You want to know how you will respond in advance.
Chris Buntel (21:20)
One last question. How do you know if your cybersecurity program is successful? I have been asked the same about trade secrets.
Nick McLeod (21:53)
A couple of ways. You can look at technical indicators, threats blocked, links stopped, unusual behavior detected, and reporting. You can also look at alignment to frameworks like ISO 27001 or NIST, which signals strong policies, procedures, and controls.
But internally, culture is the true indicator. If employees understand why security matters, even when it is inconvenient, and they buy into the program, that is a sign of maturity.
Chris Buntel (23:45)
When I was asked about trade secrets, I started answering in a complicated way, then stopped. Success looks boring. You are not being sued, you are not suing anyone, and trade secrets are not being stolen. You have your house in order. Less drama is the sign the program is working. If there is a lot of drama, something is wrong.
Nick McLeod (24:38)
I agree 100%. That is true for cybersecurity too. You want to stay out of the news and away from regulators. Boring means you are doing a good job.
Chris Buntel (24:55)
That is right. On that note, thanks Nick. It has been great talking to you, and we will see everyone on an upcoming podcast. Thanks.