As organizations march into the digital age, data sprawl is accelerating. Information of all kinds is stored everywhere, accessed by multiple people many times a day and shared across corporate and international boundaries. Most organizations do not have a handle on data locations, ownership and flows outside of regulated or compliance-related information. Though this information is critical, other data can lead to corporate ruin if deleted, modified inappropriately or shared with the wrong parties.
The Intellectual Property Security Problem
There are terabytes of intellectual property and private corporate data that, if exposed, could impact careers, business reputations and bottom lines. For example, in 2014, Sony lost a high volume of data valued at well over $100 million, with executives being fired and stars refusing to work with the entertainment company. The next year, cybercriminals stole $160 billion worth of intellectual property from Codan, an Australian manufacturer of metal detectors, which was then used to produce counterfeit products.
Organizations can no longer afford to put off getting their information under control. According to a McAfee study titled “Net Losses: Estimated the Global Cost of Cybercrime,” corporate espionage accounts for more than $445 billion lost across the world in 2014.
Creating a Data-Centric Risk Management Program
Though intellectual property security may seem like an insurmountable problem, it isn’t. Organizations can shift the paradigm by embracing a continuous, systematic approach to managing their data. Failing to be systematic can leave data undiscovered and thus unprotected. Failing to be continuous can at best cause gaps and, at the worst, allow data management to regress into its previous unmanaged state.
Organizations should take the following steps to secure their intellectual property.
- Start small, build success and then expand. The task of securing all your data at once is insurmountable, but doing it one byte at a time is the key to success. Each organization has common-use data dumping grounds. Start with a few of the smaller ones and work your way up.
- Locate data repositories. Information is everywhere, and you will ultimately need the right tools to find both structured and unstructured information. Starting small allows you to manually create business requirements for the tools you will need to do it on a larger scale and a continuous basis.
- Identify data owners and custodians. Every piece of data needs an owner and/or custodian to determine its importance to the business, who needs access to it, how it should be handled and where it should be stored. These are the people responsible for creating policies around the data. Security and IT departments merely implement the policies and should not be held responsible for determining what policies apply to which pieces of data.
- Learn how to classify and tag data. This part of the process helps the organization understand the various types of data it has and which data is most important. This creates the foundation for the risk profile and security policies for each type.
- Map data flows in processes and applications. These two exercises are related, but not exactly the same. A process may use an application, and thus a handoff is mapped. But information owners should also know what all the applications in their environments are doing with the data for processing, storage and transport.
- Create a risk profile for data. Now that information is located, access is understood, and workflows and processes are mapped, risk profiles can be created for the information.
- Adjust the information security policies for data. Once the risk profiles are known, the data owners must work with IT and security teams to create the new policies for the data. Identify which applications and users no longer need access and which business processes need to be updated.
- Appropriately adjust access, business processes and application flows. Now that policies are complete, the projects to make changes should be created and prioritized based on the risk levels of each identified issue. A key to this is to intersperse the short- and long-term projects to create a few quick wins upfront. This creates an initial positive impression that will help management understand the importance of the program and operations personnel maintain momentum to complete the larger and longer-term projects.
As organizations become savvier in their data-centric risk management programs, business leaders need timely information to gain visibility into the data. Only with accurate insights can efficient controls be created to protect organizations from very real security risks. These insights cannot be gained by a manual effort.
To accomplish both the intelligence gathering and the data security project implementation, security professionals should look to adopt a toolset that will meet the project’s goals and requirements. An effective tool should have the capability to:
- Locate data across internal and external repositories.
- Provide continuous visibility into data repositories.
- Create early visibility into potential risks to sensitive data.
- Identify specific, high-value, sensitive data at risk from internal or external threats.
- Provide a complete view of sensitive data in terms of processes, procedures, application access, compliance and ownership.
- Deliver easy-to-understand dashboards to facilitate conversations, improve business processes and mitigate risks.
Protect Your Crown Jewels
The road to a data-centric risk management program is not easy, but it is well worth the effort. Creating a programmatic approach to data risk means that the practicing organization will have, at minimum, better-protected data as well as an overall reduction in redundant data and business risks. The projects will surely uncover multiple problems in human and application workflows, ranging from fairly small issues needing only incremental improvement to systems that require major overhauls. Such an intellectual property security program can help organizations streamline processes to fend off data thieves and protect their crown jewels.