Protecting Intellectual Property and Trade Secrets in a Small Irish Business.

A Donegal engineering consultancy spent seven years building a proprietary estimation methodology — a detailed system of cost modelling that allowed them to price complex projects more accurately than competitors. The methodology was stored in a series of spreadsheets on a shared drive accessible to all professional staff. A senior engineer left to join a competitor. Six months later, the competitor was bidding on the same work at prices that tracked the consultancy's methodology unusually closely.

No criminal investigation was pursued. The information had not been encrypted, logged, or protected beyond general network access controls. Proving that specific documents had been taken was not possible. The consultancy's competitive advantage, built over seven years, had been commoditised in six months.

What Is Intellectual Property in an Irish SME Context?

Intellectual property in an Irish SME context extends beyond formal patents and trademarks to include any proprietary information that provides competitive advantage — pricing models, client relationship data, technical processes, supplier terms, product formulations, software code, tender documents, and business strategies.

Most of this information does not carry a formal legal designation. It is simply the accumulated knowledge and capability of the business, stored in files, in systems, and in the memories of people who might not always remain with the organisation.

The Primary Risks

Employee departure with data. The most common IP loss scenario in Irish SMEs. A departing employee — particularly to a competitor or to establish their own competing business — takes with them not just their knowledge but copies of documents, contact lists, pricing files, and process documentation. This may or may not be criminal depending on whether they had authorisation to access the specific files and what the terms of their employment contract say.

External compromise. A cyberattack that exfiltrates data before deploying ransomware, or a long-dwell intrusion that copies proprietary files over weeks, transfers intellectual property to criminal actors who may sell it to competitors or on criminal markets. This is documented in enterprise incidents and is increasingly a feature of SME-targeted attacks where the business has identifiable valuable IP.

Inadvertent disclosure. A staff member who shares a pricing spreadsheet with a supplier contact, who sends an internal process document to a client, or who uses an AI platform to refine a proprietary document without understanding that the input data may be used for training. Inadvertent disclosure is not malicious but can be equally damaging.

Could you identify, right now, the five documents in your business that would cause the most damage to your competitive position if they reached a competitor? If so — where are they stored, who has access, and what controls protect them specifically? Book a free 20-minute strategy call — IP protection is a component of every crown jewels mapping engagement we run with Irish SMEs.

Practical Controls for IP Protection

Identify and classify your IP. Begin with the crown jewels exercise — the process of explicitly identifying your most valuable proprietary information. Not everything is equally sensitive. The files that contain your core competitive advantage warrant specific protection beyond general security controls.

Apply access controls proportional to sensitivity. Your most valuable IP should be accessible only to those who genuinely need it for their current role. A folder in SharePoint or a file server can be given specific permissions that override the general access model. The pricing methodology should not be accessible to everyone with company network access.

Enable access logging on high-value IP stores. Microsoft 365, SharePoint, and most business applications support access logging. Enabling logging on the folder or system containing your most sensitive IP means that unusual access patterns — large numbers of files downloaded, access outside business hours, access from unexpected devices — can be detected and investigated.

Review employment contracts. Irish employment law provides some protection for trade secrets and confidential information, but the protection is stronger when employees have signed specific confidentiality obligations and their employment contract explicitly addresses what constitutes confidential information. Ask your solicitor to review the confidentiality clauses in your standard employment contract.

Leaver controls specifically for high-IP roles. When a staff member with access to high-value IP departs, the leaver process should include a specific review of their recent file access, confirmation that no unusual downloads occurred in the period before departure, and, where appropriate, a formal acknowledgement from the departing employee of their ongoing confidentiality obligations.

The AI Platform Dimension

An emerging IP risk for Irish SMEs is the use of AI writing, coding, and analysis platforms — ChatGPT, Copilot, Gemini — by staff who paste proprietary document content, pricing data, or client information into prompts without understanding the data handling implications. Many AI platforms process inputs in ways that are used for model improvement, and some have had incidents involving user prompt data.

A clear policy on what categories of information may not be entered into AI platforms is now a necessary component of IP protection for any Irish SME that uses these tools. The policy need not prohibit AI tool use — it should specify that proprietary processes, pricing data, client information, and draft commercial documents are not suitable for input into external AI platforms without explicit review.

What Next

1. Identify your five most valuable proprietary documents this week. Where are they stored? Who has access? What logging is in place?

2. Review and tighten access permissions on those documents. Remove access for anyone who does not actively need it for their current role.

3. Update your leaver checklist to include an IP-specific review. For staff with access to high-value IP, the last week before departure should include a review of file access logs and, where appropriate, a formal acknowledgement of ongoing confidentiality obligations.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

• Mapping Your Crown Jewels: Identifying the Data and Systems You Must Protect
• Detecting and Handling Insider Threats Without Building a Culture of Mistrust
• Data Classification: Deciding What Is Public, Internal, Confidential or Highly Sensitive

[^1]: Data Protection Commission Ireland [^2]: NCSC Ireland — Data Protection Guidance [^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.