As organizations march into the digital age, data sprawl is accelerating. Information of all kinds is stored everywhere, accessed by multiple people many times a day and shared across corporate and international boundaries. Most organizations do not have a handle on data locations, ownership and flows outside of regulated or compliance-related information. Though this information is critical, other data can lead to corporate ruin if deleted, modified inappropriately or shared with the wrong parties.

The Intellectual Property Security Problem

There are terabytes of intellectual property and private corporate data that, if exposed, could impact careers, business reputations and bottom lines. For example, in 2014, Sony lost a high volume of data valued at well over $100 million, with executives being fired and stars refusing to work with the entertainment company. The next year, cybercriminals stole $160 billion worth of intellectual property from Codan, an Australian manufacturer of metal detectors; the stolen property was then used to produce counterfeit products.

Organizations can no longer afford to put off getting their information under control. According to a McAfee study titled “Net Losses: Estimating the Global Cost of Cybercrime,” corporate espionage accounted for more than $445 billion lost across the world in 2014.

Download the executive guide: Protecting your company’s most critical information

Creating a Data-Centric Risk Management Program

Though intellectual property security may seem like an insurmountable problem, it isn’t. Organizations can shift the paradigm by embracing a continuous, systematic approach to managing their data. Failing to be systematic can leave data undiscovered and thus unprotected. Failing to be continuous can at best cause gaps and, at worst, allow data management to regress into its previous unmanaged state.

Organizations should take the following steps to secure their intellectual property.

  1. Start small, build success and then expand. The task of securing all your data at once is insurmountable, but doing it one byte at a time is the key to success. Each organization has common-use data dumping grounds. Start with a few of the smaller ones and work your way up.
  2. Locate data repositories. Information is everywhere, and you will ultimately need the right tools to find both structured and unstructured information. Starting small allows you to manually create business requirements for the tools you will need to do it on a larger scale and on a continuous basis.
  3. Identify data owners and custodians. Every piece of data needs an owner and/or custodian to determine its importance to the business, who needs access to it, how it should be handled and where it should be stored. These are the people responsible for creating policies around the data. Security and IT departments merely implement the policies and should not be held responsible for determining what policies apply to which pieces of data.
  4. Learn how to classify and tag data. This part of the process helps the organization understand the various types of data it has and which data is most important. This creates the foundation for the risk profile and security policies for each type.
  5. Map data flows in processes and applications. These two exercises are related, but not exactly the same. A process may use an application, and thus a handoff is mapped. But information owners should also know what all the applications in their environments are doing with the data for processing, storage and transport.
  6. Create a risk profile for data. Now that information is located, access is understood, and workflows and processes are mapped, risk profiles can be created for the information.
  7. Adjust the information security policies for data. Once the risk profiles are known, the data owners must work with IT and security teams to create the new policies for the data. Identify which applications and users no longer need access and which business processes need to be updated.
  8. Appropriately adjust access, business processes and application flows. Now that policies are complete, the projects to make changes should be created and prioritized based on the risk levels of each identified issue. A key to this is to intersperse the short- and long-term projects to create a few quick wins upfront. This creates an initial positive impression that will help management understand the importance of the program and help operations personnel maintain momentum to complete the larger and longer-term projects.

As organizations become savvier in their data-centric risk management programs, business leaders need timely information to gain visibility into the data. Only with accurate insights can efficient controls be created to protect organizations from very real security risks. These insights cannot be gained by a manual effort.

To accomplish both the intelligence gathering and the data security project implementation, security professionals should look to adopt a toolset that will meet the project’s goals and requirements. An effective tool should have the capability to:

  • Locate data across internal and external repositories.
  • Provide continuous visibility into data repositories.
  • Create early visibility into potential risks to sensitive data.
  • Identify specific, high-value, sensitive data at risk from internal or external threats.
  • Provide a complete view of sensitive data in terms of processes, procedures, application access, compliance and ownership.
  • Deliver easy-to-understand dashboards to facilitate conversations, improve business processes and mitigate risks.

Protect Your Crown Jewels

The road to a data-centric risk management program is not easy, but it is well worth the effort. Creating a programmatic approach to data risk means that the practicing organization will have, at minimum, better-protected data as well as an overall reduction in redundant data and business risks. The projects will surely uncover multiple problems in human and application workflows, ranging from fairly small issues needing only incremental improvement to systems that require major overhauls. Such an intellectual property security program can help organizations streamline processes to fend off data thieves and protect their crown jewels.
