Companies are sharing intellectual property with partners in increasing numbers, but many lack a formal process to determine the kind of data that can be shared, and of those that do, fewer than half conduct reviews of access and usage policies.
That was the conclusion of a new survey by Milford, Mass.-based Enterprise Strategy Group. In its report, "Expanding intellectual property protection beyond the firewall," the research firm surveyed security professionals at North American-based organizations with 1,000 to more than 20,000 employees.
Among the key findings: Only 41% of respondents work at organizations that have a formal process to determine which intellectual property can be shared. Sharing relationships are also not reviewed very often. Only 42% said their organization reviews the access and usage policies that apply to their business policies more than once per year.
With the costs of data breaches soaring, companies shouldn't ignore how intellectual property data is categorized, secured and shared with partners, said Jon Oltsik, a senior analyst at the Enterprise Strategy Group.
"If you find that you can cut your costs by sharing data with customers and suppliers, you're going to do that and you're going to do it even if there's a perceived risk," Oltsik said. "People are willing to jump out in front of technology to get a business benefit and then backfill management, security and operations."
In addition, 64% of those surveyed said they are confident that their security department is aware of all business partners who have access to intellectual property data, but only 54% are confident that their organizations know the specific data that business partners can access.
Many different groups within an organization classify data as intellectual property, including legal and line-of-business management, IT, executive management, and others. With so many groups involved, each with limited oversight or accountability, IP classification can be lengthy, inefficient, and fraught with overlapping tasks and finger pointing, Oltsik said.
"When you start to talk about how people monitor and enforce their policies, then it gets much more scary," Oltsik said. "People are flying by the seat of their pants here and hoping not to get burned. You have a lot of different technologies and methods and you really don't have an end-to-end view. There isn't a lot of confidence in the actual validity of the data."
While the majority of respondents said their organization reviewed intellectual property data access and usage policies at least once a year, 27% said a review took place once a year if at all. Some were not aware of any policy reviews.
"It becomes one of those situations where you're just sharing everything with everybody and cross your fingers. That's a recipe for disaster," Oltsik said.
Oltsik said companies need to begin with a single classification schema. Different business units need to agree on how data is classified. Then businesses need to put policies around classification. Finally, companies need tools to monitor and audit data classification and sharing procedures and to enforce the policies in place.
The survey was sponsored by data loss prevention appliance vendor Reconnex.