Light Dark
October 5, 2017 By David Monahan 4 min read
Data Protection
Risk Management

As organizations march into the digital age, data sprawl is accelerating. Information of all kinds is stored everywhere, accessed by multiple people many times a day and shared across corporate and international boundaries. Most organizations do not have a handle on data locations, ownership and flows outside of regulated or compliance-related information. Though this information is critical, other data can lead to corporate ruin if deleted, modified inappropriately or shared with the wrong parties.

The Intellectual Property Security Problem

There are terabytes of intellectual property and private corporate data that, if exposed, could impact careers, business reputations and bottom lines. For example, in 2014, Sony lost a high volume of data valued at well over $100 million, with executives being fired and stars refusing to work with the entertainment company. The next year, cybercriminals stole $160 billion worth of intellectual property from Codan, an Australian manufacturer of metal detectors, which was then used to produce counterfeit products.

Organizations can no longer afford to put off getting their information under control. According to a McAfee study titled “Net Losses: Estimated the Global Cost of Cybercrime,” corporate espionage accounts for more than $445 billion lost across the world in 2014.

Download the executive guide: Protecting your company’s most critical information

Creating a Data-Centric Risk Management Program

Though intellectual property security may seem like an insurmountable problem, it isn’t. Organizations can shift the paradigm by embracing a continuous, systematic approach to managing their data. Failing to be systematic can leave data undiscovered and thus unprotected. Failing to be continuous can at best cause gaps and, at the worst, allow data management to regress into its previous unmanaged state.

Organizations should take the following steps to secure their intellectual property.

  1. Start small, build success and then expand. The task of securing all your data at once is insurmountable, but doing it one byte at a time is the key to success. Each organization has common-use data dumping grounds. Start with a few of the smaller ones and work your way up.
  2. Locate data repositories. Information is everywhere, and you will ultimately need the right tools to find both structured and unstructured information. Starting small allows you to manually create business requirements for the tools you will need to do it on a larger scale and a continuous basis.
  3. Identify data owners and custodians. Every piece of data needs an owner and/or custodian to determine its importance to the business, who needs access to it, how it should be handled and where it should be stored. These are the people responsible for creating policies around the data. Security and IT departments merely implement the policies and should not be held responsible for determining what policies apply to which pieces of data.
  4. Learn how to classify and tag data. This part of the process helps the organization understand the various types of data it has and which data is most important. This creates the foundation for the risk profile and security policies for each type.
  5. Map data flows in processes and applications. These two exercises are related, but not exactly the same. A process may use an application, and thus a handoff is mapped. But information owners should also know what all the applications in their environments are doing with the data for processing, storage and transport.
  6. Create a risk profile for data. Now that information is located, access is understood, and workflows and processes are mapped, risk profiles can be created for the information.
  7. Adjust the information security policies for data. Once the risk profiles are known, the data owners must work with IT and security teams to create the new policies for the data. Identify which applications and users no longer need access and which business processes need to be updated.
  8. Appropriately adjust access, business processes and application flows. Now that policies are complete, the projects to make changes should be created and prioritized based on the risk levels of each identified issue. A key to this is to intersperse the short- and long-term projects to create a few quick wins upfront. This creates an initial positive impression that will help management understand the importance of the program and operations personnel maintain momentum to complete the larger and longer-term projects.

As organizations become savvier in their data-centric risk management programs, business leaders need timely information to gain visibility into the data. Only with accurate insights can efficient controls be created to protect organizations from very real security risks. These insights cannot be gained by a manual effort.

To accomplish both the intelligence gathering and the data security project implementation, security professionals should look to adopt a toolset that will meet the project’s goals and requirements. An effective tool should have the capability to:

  • Locate data across internal and external repositories.
  • Provide continuous visibility into data repositories.
  • Create early visibility into potential risks to sensitive data.
  • Identify specific, high-value, sensitive data at risk from internal or external threats.
  • Provide a complete view of sensitive data in terms of processes, procedures, application access, compliance and ownership.
  • Deliver easy-to-understand dashboards to facilitate conversations, improve business processes and mitigate risks.

Protect Your Crown Jewels

The road to a data-centric risk management program is not easy, but it is well worth the effort. Creating a programmatic approach to data risk means that the practicing organization will have, at minimum, better-protected data as well as an overall reduction in redundant data and business risks. The projects will surely uncover multiple problems in human and application workflows, ranging from fairly small issues needing only incremental improvement to systems that require major overhauls. Such an intellectual property security program can help organizations streamline processes to fend off data thieves and protect their crown jewels.

Download the executive guide: Protecting your company’s most critical information

 |  |  |  |  |  |  | 
David Monahan
Managing Research Director for Security and Risk Management, Enterprise Management Associates

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature