In the underground market economy, data is a valuable commodity, and much like any other market economy, principles of supply and demand drive it. As risks increase and profits decline, cybercriminals are constantly looking for the next cash cow.
Consider that the price for a simple Social Security number has fallen to as little as $1. The price for a medical identity in the U.S. is $20. As consumers, security professionals and law enforcement agencies step up efforts to thwart the theft of credit card and personal data, the resale value and shelf life of such data diminish. As a result, confidential corporate information, such as customer lists, product plans and strategy roadmaps, financial information, and intellectual property (IP) (such as trade secrets and formulas), becomes even more lucrative and attractive. According to the FBI, corporate espionage has cost U.S. companies more than $13 billion since October 2011.
Security and risk professionals are already keenly aware that protecting data is vital to an organization's continued success and growth. In fact, the results of Forrester Research's Forrsights Security survey indicated that data security is a high or critical concern for 91% of respondent organizations. However, as the threat landscape continues to evolve, chief information security officers must adjust their risk management strategies accordingly to counter the next frontier: the theft and protection of intellectual property.
Protect intellectual property to protect the business
Organizations of all sizes must be wary of IP threats coming from a variety of attackers, but according to Verizon's 2012 Data Breach Investigations Report, large organizations are more likely overall to have sensitive organizational data, trade secrets or classified information compromised in a breach. For a company's competitors, stealing such information directly -- or purchasing it on the side -- can shave off years and millions, if not billions, of dollars in research and development. The theft also provides a deep insight into what the company is thinking and doing.
It would be naïve to assume that no company or government entity would engage in such activities themselves or pay for others to acquire this information. While most organizations are ethical and would not resort to such practices, some individuals may certainly push the limits for personal gain. For example, Pepsi Co. alerted Coca-Cola Co. when it was approached by a Coke employee with an offer to sell Coke's trade secrets; in all, this would have netted the thief $1.58 million. Similarly, Chinese car manufacturers, by cloning or reverse-engineering competitors' automobiles, have reportedly been able to save millions in development costs.
Regardless of the source -- insiders, rival business entities, organized crime, nation-states -- stolen IP and confidential company information can mean a big payday, whether such information is turned over for immediate financial rewards or used to further an attacker's own future economic interests. The stakes are high for any breached party; compromised IP can deal a significant blow to both a firm's long-term competitiveness in the market and its brand. Though the impact may not always be felt immediately, the result of IP theft can be similar to a death by a thousand paper cuts.
Why preparing for theft is critical for minimizing losses
Sun Tzu said that if you are "ignorant both of your enemy and yourself, you are certain to be in peril." Can you identify IP within your organization? Do you know where your organization's IP is stored and how it's protected? Do you know its value, and thus, the cost to your organization should it be stolen or compromised? By assuming that information assets will be lost or compromised, data breach planning and cost analysis can help identify vulnerable assets, show the cost implications of a breach, help prioritize protection efforts and justify current and future security investments.
At a basic level, this may involve taking an inventory of information assets and estimating their value while reviewing what an organization's incident response plan would involve to help determine a simple approach for estimating breach clean-up costs. For example, are there provisions in the plan to bring in external remediation and forensics experts, call center support or other services? If so, some of these costs can be estimated in advance.
At an advanced level, an analysis of the value of an organization's information assets via the estimated benefits derived from, and costs associated with, the loss of an asset will provide a more disciplined approach and framework for prioritizing security spending where it matters most. This is based on Forrester's definition of information value, where the value of information is a percentage (up to 100%) of the current and future revenue the information will produce minus the direct and indirect costs needed to produce, manage and protect the information. The goal is to identify the value of an information asset, and then determine if the current effort and costs to protect it are adequate given its value to the organization.
Prepare for IP theft
The costs associated with IP theft can be devastating for a business, which is why preparations must be made in advance of a data breach. To protect intellectual property, an organization must first assess the value and location of its IP, and then make the necessary adjustments and investment for data protection. With the necessary preparations, IP theft costs can be minimized and the business can continue to be competitive.
About the author
Heidi Shey is an analyst at Forrester Research, serving security and risk professionals. Follow her on Twitter @heidishey.
This was first published in March 2013