AUSTRALIA June 24, 2020: Australian companies are making it far too easy for cybercriminals to access their greatest assets by not understanding which assets within their organisations drive value and need protecting.
According to Michael Masterson, Managing Director of global intangible asset advisory EverEdge, “Many Australian companies are effectively opening the door to cybercriminals by focusing their network security efforts towards protecting the wrong assets.”
Today, cyber-crime is predominantly focused on targeting a company’s intangible assets, which include data, content, intellectual property, confidential information, trade secrets, and product designs. These assets typically represent more than 87% of company value and, by their very nature, tend to be digital, making them ripe for the picking by sophisticated cybercriminals.
In fact, it is estimated by the US IP Commission that intellectual property or intangible asset theft costs the US economy alone between US$225 and US$600 billion annually, with China being pointed to as the main perpetrator. Globally, Cybersecurity Ventures estimates that “cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015… [and] represent the greatest transfer of economic wealth in history, risking the incentives for innovation and investment.”
Faced with such a significant threat, Australian companies are investing hundreds of thousands of dollars and person-hours to create network security systems. However, the reality is that these systems are often rendered useless by targeted cyberespionage attacks or by human error that creates a chink in the company’s armour.
Michael added, “When it comes to cybersecurity, one of the biggest issues is that companies aren’t starting in the right place. Today a company’s ability to drive above-market margins and/or market share is a result of its intangible assets. These assets give a company its competitive edge and drive innovation, revenue, and growth, yet very few organisations have a register of these assets, often rendering them invisible when management are assessing risk.
“Yes, network security is crucial but before companies hook up the alarm, they need to better understand what they are trying to protect and proportionally weight their efforts towards those assets which are business critical and that give the company its competitive edge.”
To do this, EverEdge recommends companies and directors take the following steps, ensuring they can also answer these key questions:
- Identify and value your intangible assets
  - What are my intangible assets?
  - What is the value of each of these assets? (Both to me and in the hands of someone else)
- Audit your assets
  - How and where is our confidential information stored?
  - Who has access to our confidential information? (both internally and through third-parties)
  - Who else would want our assets and why?
- Assert ownership of assets
  - Do we have chain of title and proof of ownership of our assets in order to help provide potential legal recourse if these assets are compromised?
- Policies, Process, & Education Programmes
  - Do we have risk mitigation policies and processes in place to protect our most valuable assets?
  - Are our efforts focused on protecting our most valuable assets?
  - Is there widespread understanding and adherence to our policies and processes?
Michael concluded, “Cybercriminals and their attacks will only get more sophisticated and frequent. It is no longer a case of if a company will come under attack but when. People just won’t pay for what they can steal. What this means is that management teams and directors need to get smarter about how they approach cybersecurity and ensure that attention and effort are focused on protecting those assets that are truly business-critical.
“This requires companies to first understand what they are trying to protect. If this step in the process is missed, it is unlikely that a company will have the right measures in place to protect its assets, which is essentially like issuing an open invitation for cybercriminals to come and take what they want.”