4 keys for IP protection

Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?

Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn't getting enough attention in data breach reports--intellectual property (IP).

As records show, stealing PII (credit cards, social security numbers, and so on) used to be big business for cybercriminals. Then it started to get a bit harder for hackers to get PII because overall awareness increased as more regulations were passed and organizations started to invest in information security solutions. Verizon's Data Breach Investigations Report states, "Our leading hypothesis is that the successful identification, prosecution, and incarceration of the perpetrators of many of the largest breaches in recent history is having a positive effect." Researchers also suggested that there are fewer hackers and the threat they pose is losing prominence. I believe protection enforcement is a factor in the reduction of PII theft, but I don't believe there are fewer bad guys out there. In fact, quite the opposite: The threat has never been greater than it is now.

The next big thing is stealing IP, which includes product designs, secret formulas, and other trade knowledge. It's what organized cybercrime, state governments and hackers are all going after. Why? Mostly because of the value of the data. One stolen manufacturing process can be worth millions in saved development costs or billions in market share.

Not protecting IP is a huge mistake for companies and countries alike. Intellectual property is what makes modern nations competitive in the world economy. It fuels innovation and development, and it keeps you ahead of the competition.

What do CSOs think? More than 70 percent of the CIOs and CSOs I spoke with last year said their IP is under attack. Yet only 30 percent of them have data-loss prevention (DLP) tools in place. And most of them do not have software to protect their data in the cloud or on mobile devices, which are the two big new blind spots that they need to worry about.

Why IP Loss Isn't Making Headlines

First, no one is making companies disclose IP loss. When PII is exposed, laws such as HIPAA and HITECH demand companies disclose that information, but no similar laws exist for IP loss. Only the SEC has come out and said that if IP is stolen and that could have material financial impact on your company, you should disclose that. For example, if a competitor in China gets your IP and could manufacture a similar product, you should disclose that.

Second, companies often have no idea when their IP is compromised. When credit card numbers and other PII are hacked, you tend to find out quickly because the bad guys make money on the breach. They quickly sell the credit card information on the black market, and that data gets used. At that point, the banks know the card numbers were stolen and the forensic trail leads back to the hack. Most companies know the importance of protecting PII and have controls to prevent and detect hacks. But IP is perceived as harder to protect and hasn't been a major focus for companies. The reality is that IP is the hottest target for cybercriminals, your competitors and malicious employees. It will only get worse.

Third, the bad guys know how to sidestep traditional defenses. They use a common blind spot in most companies' defenses--SSL. Most anti-malware security solutions don't look out for man-in-the-middle attacks decrypting the SSL traffic coming into the network. SSL accounts for up to 50 percent of Web traffic, and criminals know that most IT security systems do not inspect it.

Fourth and finally, DLP software isn't being used to its fullest potential. Most companies aren't looking at the SSL traffic, but as services such as Gmail move to automatically send all traffic over SSL, this becomes more of an issue. If you don't inspect inside SSL, your DLP solution is giving you a false sense of security.

Four Ways to Protect Your IP

We need to protect our most valuable asset, IP, from criminals' attempts to steal and subvert it. This is one of my focus areas, and here are four steps I recommend for better protecting your sensitive information:

1. Get DLP, but forget the endless discovery process. Gartner Research says that about 30 percent of companies have DLP and another 30 percent are considering it. But the massive "discover everything" process that vendors often recommend is ridiculous. Here's all you need to do to get started: Understand what IP is the most valuable 1 or 2 percent and protect it accordingly. I care less about where every nugget of information is than I do about the crown jewels.

2. Educate your teams on the right practices for handling this data. Again, this is about the 1 or 2 percent that's the most valuable data you have. Work with the people who have access to this data, including the Board of Directors and engineers. Talk to them about how to handle this data and set good controls for admins. Eliminate admin rights on desktops. Then reinforce the training through mock social engineering attempts and penetration testing. I use sites like PhishMe.com. There are good companies out there that can help you with this and measure the success of your education efforts over time.

3. Reinforce your education with technology. In addition to DLP, you need a few must-have protections for securing your top data. You need to be able to monitor your two biggest communications channels (Web and email) for outbound data and you need to be able to stop it in its tracks. (Disclosure: Yes, this is what my company's products do.) Identity- and access-management tools are increasingly useful for ensuring that data doesn't fall into the wrong hands. And using security information and event management software with a solid log-management tool (that you actually pay attention to) can help you identify suspicious behavior and follow it all the way through to remediation of the threat. Be diligent here, and add your findings to training materials. Because while the reporting features of these tools are getting better, you still need to have highly trained eyes regularly analyze the output to ensure that you are truly protected.

4. Focus on your blind spots. Your biggest IP data blind spots are

-- on your mobile devices,

-- in cloud services,

-- and in SSL traffic.

Make sure to pick a strategy and solutions that can give you visibility into these areas as more and more of your data moves off your controlled network. Don't forget to include consumer cloud services such as Dropbox and Box.net.
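
The outbound-channel monitoring from steps 3 and 4, as an added example (not from the article or any vendor product): it reads proxy log lines, flags large uploads to consumer cloud storage, and measures how much outbound traffic sits inside SSL tunnels the proxy cannot inspect. The log format, sample lines, watchlist and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log: timestamp user method host:port bytes_sent
SAMPLE_LOG = """\
2011-06-01T09:14:02 alice CONNECT www.dropbox.com:443 48211033
2011-06-01T09:15:40 bob POST intranet.example.com:80 20480
2011-06-01T09:17:11 alice CONNECT www.dropbox.com:443 61337000
2011-06-01T09:20:05 carol PUT upload.box.net:80 7340032
2011-06-01T09:21:30 bob CONNECT mail.google.com:443 1048576
malformed line
"""

# Assumed watchlist and threshold; tune both for your environment.
CONSUMER_CLOUD = ("dropbox.com", "box.net")
UPLOAD_THRESHOLD = 5 * 1024 * 1024  # bytes per user per destination

def parse(line):
    """Return (user, method, host, bytes_sent) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _, user, method, hostport, sent = parts
    host = hostport.rsplit(":", 1)[0].lower()
    return user, method.upper(), host, int(sent)

def on_watchlist(host):
    # Match the domain itself or any subdomain, not arbitrary substrings.
    return any(host == d or host.endswith("." + d) for d in CONSUMER_CLOUD)

def analyze(log_text):
    uploads = defaultdict(int)    # (user, host) -> bytes sent
    blind = defaultdict(bool)     # (user, host) -> any traffic in a tunnel
    total = tunneled = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, method, host, sent = rec
        total += sent
        if method == "CONNECT":   # SSL tunnel: proxy sees size, not content
            tunneled += sent
        if on_watchlist(host):
            uploads[(user, host)] += sent
            blind[(user, host)] |= method == "CONNECT"
    alerts = [{"user": u, "host": h, "bytes": b, "uninspected": blind[(u, h)]}
              for (u, h), b in sorted(uploads.items()) if b >= UPLOAD_THRESHOLD]
    return alerts, (tunneled / total if total else 0.0)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An alert marked `uninspected` means the upload size is known but a content-level DLP check never saw the payload, which is the SSL blind spot described above.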

It's Time to Pay Attention to IP

In early 2011, Nasdaq's Directors Desk was hacked. Imagine how much money cybercriminals could make if they had visibility into your company dealings the way they did with that breach. The Nasdaq hackers could have made billions by trading with this insider information, which is far more than they could have made stealing credit card numbers.

Think about your company's crown jewels. How much would your company lose if its IP was stolen by a competitor overseas, where IP protection isn't enforced? The trend of hackers going after IP is just getting started and will grow rapidly in the next two years. But there are ways you can protect your IP and save your company serious headaches. Feel free to contact me on LinkedIn to discuss this in more detail. If you have questions or want to connect and network, drop me a message.

Jason Clark is CSO of Websense.
