Keeping your Intellectual Property Secure in China
China gets a bad reputation for their treatment of intellectual property. The reality is that all multinational firms should pay attention to protecting their intellectual property both at home and abroad. While the lessons in this post are written with China in mind, we believe they are applicable anywhere.
I still remember the first industrial designer that I hired in China. As I and many others will tell you, recruiting in China has been challenging for some time; It is now in 2016 and it was even worse in 2010. So when we were able to hire a designer that had experience in our industry we were understandably ecstatic.
On his first day of work, the engineer pulled out a portable hard drive from his bag, and mentioned, casually, that he had downloaded as many models, drawings, BOMs, and emails as he could from his previous employer. I must have looked a bit shocked (I was relatively new to China, a mere shadow of the grizzled old China hand you know of me today), and so this new engineer quickly moved to assuage my fears, blurting out “don’t worry, everyone in China does this”.
It stuck with me, what that engineer said. Everybody does this. All I could think, and I am sure this is what you, dear reader are thinking, was that I never wanted to be on the wrong end of that transaction. What happens when this employee leaves? Will he bring his portable hard drive into the office and make off with as much of our proprietary information as he could? My guess would be a resounding yes. I was not about to let that happen. We do business above board, a mentally that I worked hard to install into all of our people, and continue to do so every day.
In the years that followed I’ve learned heaps about the way Chinese attitudes, culture, and government regulation drive the behavior of the average Chinese employee.
As a part of on-boarding American colleagues, one of the fundamental lessons that I teach is about trust. Our employees are here because we trust them (I wrote a whole post on the necessity of hiring adults) and it is out of that trust that we rely on employees to make sound, well informed decisions. Early on in my career I fell prey to the seductive trap of believing that policy and procedure was a good way to manage growth, when all it really fosters is an environment of distrust. When people make mistakes we use it as an opportunity to coach, not set new rules; if coaching is not enough, then perhaps you’re not the right fit.
This methodology is problematic in China, and in a lot of ways, it’s a challenge because some employees don’t see the theft of company intellectual property as wrong. I often use cooking as an analogy. I like cooking and often times if I find a recipe that I like, I copy it down, and later I cook that same recipe at home. Despite the fact that I am making this same recipe at home or even if I sell that same food in a restaurant, nobody would be likely to come after me for copying their recipe. A restaurant found something that sells well, I copied it, and I could make money from selling fundamentally the same thing, and nobody would look down on my for doing so (well, maybe other chefs). In China most intellectual property is looked at in the way that I look at recipes. You’ll find many businesses in China that start as a small group of former employees that resign and start their own company which copies exactly the business model of their previous employer. They usually also steal the complete company contact list, which is when they reach out to people like me, offering the same goods for lower prices.
The internet in China is a funny, funny thing. Nothing will prove to you how reliant you have become on Google or YouTube like a week in China, a country where these services, and many others, are blocked by the government. Bill Clinton once said that censoring the entire internet would be like “Nailing Jell-O to a wall” but so far the Chinese government is proving him very wrong. What this means is that an entire other industry has emerged in China of home-grown tools and services that can be hard to understand for us outsiders.
I say this all the time and it bears repeating: Don’t fall for the line that “Things are different in China”. Don’t let your employees convince you that QQ (China’s answer to Skype) is the best way to send confidential documents to suppliers or that a supplier can’t read a PDF and needs your complete solid model. These statements and many more like them provide opportunities to coach both employees and suppliers in the right way to control and share information.
So what do you do to minimize your risks of information “walking out of the building”? There are two groups of people that you need to be concerned with: Your employees and your vendors.
For employees, working on computers that you provide (which they should always be doing in your China office!), there are some basic steps you really should take to keep your information safe. Always bear in mind that, with as many restrictions as China has on their internet access, many savvy computer users in China have grown accustomed to all manner of work-arounds, so your systems really do need to protect people from themselves. Make it easy and fool-proof or they will work around it!
For vendors, your first line of defense needs to be limiting the amount of information communicated. For example, don’t send drawings for related parts, don’t ever leave your customer’s name or brand logos on your drawings, never ever send box artwork to anyone other than the person printing it (and even then, be careful!). The other tactic to control information is to make sure no one vendor knows everything about what you are building. If you’re making an internet connected thermostat, you are far better to have one factory make the PCBA, one make the display, a third make the buttons and still another make the plastic housing. Keep the individual vendors from learning about each other and you will minimize the risk that they’re able to make a duplicate of your product. These days every vendor you meet will strongly urge you to use their network of suppliers to meet your other needs; the PCBA vendor has a “preferred” vendor for plastics; etc. Kindly explain that you already have those items sorted (even if you don’t). Again, coach your team to play dumb as much as possible. What’s that PCBA for? No idea. Where do those brackets go? Not important. You get the idea.
Now you know about some of our strategy, but how do we implement those strategies? Below are some of the tactics that we have used to control the flow of information into and out of China.
Block USB Drives:
No data transfer method today is more prolific nor dangerous than the USB thumb drive or usb hard drive. If you listen to no other advice that I give you, heed this: Block your employees from using USB-based drives. Windows is perfectly capable of blocking USB storage, the only caveat is that you need to be the administrator of the computer and the employee can be only a standard user. Your employees in China should never be administrators of their own computers as they will likely install all manner of unnecessary or dangerous software, not to mention illegal versions of just about anything. Instructions for blocking USB are here
Sign up for business-grade online file sharing:
There are lots of secure ways to send files, although consumer-grade products are mostly blocked in China. As an example, Dropbox and Google Drive are inaccessible in China. We’ve experimented with both having our own servers (firms like Synology make easy-to-use servers that are very simple to set up) as well as commercial solutions like Egnyte and Sharefile, both have proven to be very reliable for sharing files both between our Chinese offices and suppliers, as well as between our US clients and Chinese employees. Sharefile is a little bit more full featured but a bit pricier since it was bought by Citrix.
Use a strong firewall between any computer in the office and the internet:
On two separate occasions, two government employees turned security contractors gave me the exact same advice: when it comes to network hardware, always purchase in the US and bring to China, don’t buy security devices there!
You need a good firewall to prevent intrusions into your network, to watch for computers trying to phone home to hackers, and if necessary, to block access to certain websites. A good firewall can even enforce policies like making sure computers that try to get access to the internet have up to date anti-virus software.
I’ve had good luck with the Sonicwall TZ and Soho firewalls, but if $500 for a firewall-router is too steep, in our early days we used a Linksys router running DD-WRT as our router and it served us well, although it was not as easy to use as the Dell Sonicwall. Synology also makes routers now but I have not tested them out.
One thing that I’ve taken for granted is that here in the US, many of us have used computers for our entire lives, and so we know a lot of the things not to do on computers and online; some of our staff, in the early days, had only really used computers in the computer lab at college and their sensibility was less developed.
It goes without saying, but I’m going to say it: Use strong passwords. By default most of our Chinese users wanted to use only numbers for their passwords. I don’t have to tell you how fast those can be broken.
Restrict the information that you send to vendors:
Assume that any information that you send out to vendors is going to be disseminated far and wide, which means taking precautions like removing your client’s name from any drawings, bills of material, etc. Train your staff to make informed decisions about what gets shared and in what ways.
Both Egnyte and Sharefile have plugins for outlook that will automatically remove attachments and replace them with a file link back to your server. this way, you can know what has been sent, and if necessary pull the plug. Plus you can see, in general, how many times a file has been downloaded, and even restrict the number of downloads. In addition, these types of “upload and link” plugins tend to be faster than emailing huge attachments, especially if your email servers are overseas.
Remove unnecessary software:
There’s no shortage of crapware in China, just like in the US or anywhere. Make sure you limit what can be installed to software with legitimate business purposes. Sure, there are times that employees need chat apps; I personally make great use of the Alibaba trade manager software to communicate with suppliers. Again, it takes some training for your staff (e.g. – use trade manager to contact suppliers but not to place orders) as well as good restrictions, like making sure software is installed on a need-to-use basis.
One other thing to look out for: In order to type in Chinese, computers use what is called an “IME” or Input Method Editor. Windows has lots of these built in (Several for Chinese alone), but there are lots of 3rd party IMEs on the market, especially in China. It is not unheard of for bad actors to inject keystroke-logging software into an IME, which means you should think really long and hard about whether any of your staff need an IME other than the ones that come included with Windows. The Hello Kitty IME may appeal to your 19 year old analyst, but it may also be sending out every piece of data that goes into your BOMs and pricing sheets.
Don’t allow unlicensed software on any company owned computers
Anyone that has been to China has seen that many firms are running unlicensed, cracked versions of all types of software, usually on a cracked install of windows XP, on a homebuilt PC. Don’t be fooled; software firms are good at finding violators, and being an international company they will find you and happily come after you at home as well as in China. Additionally, cracked software comes with the further risk of brining viruses into the building. Zero tolerance on this one folks, seriously.
Check in regularly
I’ve written a lot about “quality fade” in China. This is the phenomenon whereby, starting from the moment you leave the factory, the quality of output starts to decline, little by little, until it hits the lowest level you’ll accept (and usually lower). The only way around the quality fade issue to to have regular visits to, and audits of, your factories and partners. Your own office and IT infrastructure should be treated the same way. Without checking in regularly, you may find out, too late, that your systems were “too inconvenient” and your team set up a workaround that has caused a failure in manufacturing, a missed order, or jeopardized your (or your client’s) intellectual property.
Need to know more? Drop me a line at mike (at) mikediliberto.com