UK security vendor Becrypt has released a white paper looking at the risks to businesses from the loss of Intellectual Property (IP) and confidential information. The paper, which can be downloaded from the Becrypt website, uses a 2011 report from the UK Government to claim that IP theft costs UK businesses in excess of £9.2 billion.
Another figure from the report states that the World Intellectual Property Organisation (WIPO) puts the value of licensing fees and royalties from IP at over $180 billion per year. That figure is likely to be a significant underestimate of the potential size of the market, as many companies tend not to license IP but simply bank it for the future. The technology sector is a prime candidate for this, where large vendors often sit on a patent until it suits their need rather than rush to get licensing revenue.
What is IP?
The problem with IP is that many people inside an enterprise are unaware of exactly what information is considered IP and what isn’t. For example, the formula for a popular fizzy drink or a medicine would be easy to identify. But what about a carefully curated and validated mailing list?
If the company has spent money on having the mailing list checked, deduplicated and validated, and has added unique data to it that is essential to the business, then it is just as valid a piece of IP as a drinks recipe. The same can be true of other data owned by the company, even when it has been mixed with publicly available information.
Skyhigh Networks' last quarterly Cloud Adoption and Risk Report showed that the average organisation uses over 1,000 cloud services. The largest group of these are cloud-based storage and file and sync services, many of which fall below the threshold that Skyhigh Networks deems enterprise safe.
This ties in with Becrypt's concern that companies are failing to track and control where their data is stored and who has access to it. What is interesting is the claim in the white paper that IP theft is now the number one target for cyber thieves. Some of these are competitors, some are criminal gangs, and nation-state-sponsored hacking is increasingly involved. In reality this is just the 21st Century equivalent of the economic spy game with seemingly less chance of getting caught.
IP theft is often a serious security breach
While companies struggle to identify what is IP and what is not, there is another side to the loss of IP – data breaches. Between July and September 2015 the UK Information Commissioner's Office (ICO) recorded 559 separate data breaches. Not all of these were related to electronic data either lost or stolen, but it was a record quarter for all types of breaches.
Becrypt looked at data breaches for 2014 and said: “The UK Information Commissioner’s Office (ICO) reported that, in 2014, there were 111 data breach incidents that were due to the theft or loss of an unencrypted device; and 10 that were due to insecure disposal of hardware.” The rate of acceleration of incidents is one that should worry even the most laid-back CISO inside an enterprise.
Many of these incidents were serious enough to warrant the ICO issuing fines as they contained personal data on individuals. As Becrypt points out, companies have until 2017 when the European General Data Protection Regulation (GDPR) comes into force to sort this out. After that, any breach that occurs could cost a company 4% of its global turnover or up to €20 million in fines.
Earlier this year Blancco Technology Group published their 12-step action plan for GDPR. Becrypt has produced a similar 10-point plan listing what they call the top 10 best practice guidelines for securing data.
Unsurprisingly, the list covers the need for strong policies, data classification, encryption and auditability. Unlike many such lists, however, it also calls out a need to reduce complexity for both administrators and users, as well as to take the time to educate users. The latter is something that companies are still failing to do, and it is not just users that need it. Education of their supplier and customer channels is equally important in an age where both are becoming tightly integrated into enterprise systems.
Conclusion
While some of the data referenced by Becrypt is a little out of date, it is worth jumping to the end and taking a good look at the 10 best practice guidelines. Will it stop you losing IP or suffering a data breach? No, it won’t. However, it might just reduce the number of breaches and the scale of losses you suffer.