Corporate espionage is primarily focused on stealing confidential information (including data, trade secrets, strategy and financial information and other proprietary intangible assets) that are often crucial to a company’s competitive edge. When successful (and it often is), it is highly profitable as the thief becomes the beneficiary of zero cost R&D, hard-won strategic insights, or critical strategic intelligence.
This a fact many Australian companies and government agencies have discovered over the past several weeks as they have been targeted in a spate of seemingly coordinated external cyber-attacks. While in Singapore, the latest statistics released this week by the Cyber Security Agency state that cyber-crime cases now account for more than a quarter of overall crime in the country with cyber attacks increasingly steadily year-on-year.
Across the Tasman, Emirates Team New Zealand, current holders of yachting’s America’s Cup, found out that threat sources aren’t always external after discovering that an internal employee was the source of valuable leaked confidential information. Sadly, Emirates Team New Zealand isn’t alone in facing this issue. According to research from Kilpatrick Townsend & Stockton and the Ponemon Institute, insiders post the greatest risk to knowledge asset breaches, with the most likely causes of a data breach coming from careless, malicious, or criminal insiders.
Whether the threat source is internal or external, the impact of a confidential information breach can be far ranging and in certain instances, catastrophic. In the case of Emirates Team New Zealand, where success is measured in fractions of a second and whose competitive edge relies heavily on its innovative approach to boat building and the integration of cutting edge technology, this information theft has the potential to literally result in the loss of the cup.
However, it is possible to take steps to mitigate risk around the theft or leakage of confidential information and the good news is that the steps required to solve these problems are often relatively simple once companies understand what assets they are protecting and where threats are likely to come from.
It’s Not Only About How Good Your Alarm Is
Before you spend millions on cyber or network security systems (i.e. before you buy an extremely expensive alarm) you first need to understand WHAT you are trying to protect. It is very difficult practically to protect all intangible assets: a better approach is to proportionally weight your efforts towards those intangible assets which are business critical and work to intensively protect these rather than necessarily trying to build the Great Wall of China around the entire business.
This includes working through the following steps and working out the answers to these questions:
- IDENTIFY AND VALUE YOUR INTANGIBLE ASSETS
- What are my intangible assets?
- What is the value of each of these assets? (Both to me and in the hands of someone else)
Once you’ve identified which assets are most important to you and the value of these assets, then you can take steps to reduce risk and ensure attention and resource is focused on protecting the most valuable assets not ones, which in the cold light of day may not actually be that important.
- AUDIT YOUR ASSETS
- How and where are our critical intangible assets stored?
- Who has access to these assets (both internally and through third-party suppliers)
- Who genuinely needs access to these assets?
According to the research by Kilpatrick et al, only 14 percent of those companies surveyed restricted access to their knowledge assets, with 61 percent of respondents also stating that third parties have access to their company’s knowledge assets.
With the majority of data breaches resulting from the carelessness of employees or third-parties with access to information, companies must institute policies and processes to proactively identify, protect and monitor access to key trade secrets, know-how and critical confidential information.
- ASSERT OWNERSHIP OF ASSETS
- Do we have chain of title and proof of ownership of our intangible assets to help provide potential legal recourse if these assets are compromised?
Based on over 1000 client engagements we have found 8 out of 10 companies cannot prove they actually own their intangible assets, which is highly problematic if you’re looking for legal recourse and to file charges if your assets are stolen.
To address this, it is important that companies ensure the ownership of their critical assets is asserted and that information about these assets is only shared with stakeholders on a “need-to-know” basis.
- POLICIES, PROCESS & EDUCATION PROGRAMMES
- Do we have risk mitigation policies and processes in place to protect our most valuable assets?
- Are our efforts focused on protecting our most valuable assets?
- Is there widespread understanding and adherence to our policies and processes?
A core part of any programme should be focused on educating employees on the importance and value of intangible assets as core assets of the company, laying out the steps that employees can take to minimize the risk of assets leaking or being targeted by parties outside the organization.
While these steps are relatively simple, they are also invaluable when paired with an effective cyber security system. However, the critical element in any risk mitigation strategy (traditional or cyber) is to first of all understand what you are trying to protect and why. If this step in the process is missed, it is likely that you will have the wrong measures in place to protect your assets or you will the right measures protecting the wrong assets. Either way it’s like issuing an open invitation for cyber-criminals, spies or competitors to come and take what they want.