The steady drum of high-profile breaches continues to serve as a warning: In January a financial advisor at Morgan Stanley allegedly stole 350,000 records about the firm's wealthiest clients and attempted to sell the data online. The Sony Pictures Entertainment hacking incident that played out over the holidays set many executives -- already reeling from the risk and compliance ramifications of a year of unprecedented data security breaches -- on high alert.
A Wall Street Journal reader poll in late December indicated that 54.3% of the respondents viewed the Sony, Target and Home Depot hacking incidents as the top compliance crisis in 2014, more than double the ranking of the Libor scandal, which had 22% of the vote. Moreover, 71.9% indicated that the issue expected to grow most in importance for their companies in 2015 was the combination of cybercrime and data privacy.
Although news of state-sponsored hackers may grab more of the headlines, it is insiders who are often behind the loss of intellectual property (IP) and other sensitive data. As often as not, these insiders don't realize their actions are a crime. A 2013 Symantec survey, conducted by the Ponemon Institute, showed that half of respondents admitted to taking corporate data when they left an employer and 40% indicated that they planned to use the data at a new job. More than half, 56% of those surveyed, did not view the transfer of IP for use at a new employer as a crime; 62% transferred corporate data to personal tablets, devices and cloud apps and never deleted the information. The survey resulted in three primary recommendations: educate employees, enforce non-disclosure agreements and implement monitoring technology in the form of data loss prevention (DLP) software.
Data protection on the line
Jabil Circuit Inc., a global electronic services manufacturer headquartered in St. Petersburg, Fla., embarked on a DLP project in 2014, after hiring a new CISO the previous year. With 90 manufacturing plants and 180,000 dedicated employees in 23 countries, the company wanted to move from "low level" perimeter security to a tiered control set that could offer supply chain management and IP protection in line with customers' security requirements. Part of the challenge was a lack of standardization in footprint and technologies among Jabil's vastly different business units; the company packages and assembles electronics for telecommunications, healthcare, digital home, enterprise computing and storage, among other industries.
"We did a bunch of scans, and we brought in some consultants and did some assessments, and we realized that we had a lot of devices and a lot of endpoints and they were all at this low level of perimeter-based security -- this one-size-fits-all security," Michael Ring, Jabil's senior IT manager, and threat intelligence and solution architect, explained during a presentation in November.
Jabil's security group is staffed with only about 30 people, and the global manufacturer has had a hard time finding the talent that it needed in the market that it serves. After hiring its new CISO, the electronics manufacturer embarked on several managed security projects and decided to contract with a DLP managed service provider, Digital Guardian (Verdasys), for greater visibility into endpoint data activity throughout the company, which includes cloud-based environments. "We wanted … a tiered control set where we could provide the business units with the ability to choose -- based on their customer mix and their requirements -- a baseline level of security that met the company's policies," said Ring, "but also some higher levels that were more restrictive to give us more visibility around those assets and employees that were interacting with critical data."
Data classification for better IP protection played a role in the project. "We dove into what could be IP," he said. "We broke it into three categories: our pricing data, which is really our secret sauce; our PII, the employee data; and really what we focused on, was the IP -- our tool sets, our molds, customer plans and CAD drawings."
Deploying a DLP agent requires broad-based executive buy-in. The Jabil security team had adequate funding for the project, but they needed to get the CIO on board with the data protection strategy. "Really what got him there was that we had successfully deployed the Web proxy and SSO [single sign-on] services, and pivoted from existing tools as well, with no disruption to the business with immediate time to value," Ring said.
"Once we started paying those subscription costs, within a month we had [the DLP agents] covering the entire company, which is really rare for a large enterprise," he added. "The application-usage collection when you have this level of visibility was really interesting to [the CIO]; it helped us reconcile some software licenses, reduced some costs and saved us in some audit situations. It was without really controlling any data flow; it was just a side effect of having some visibility on the endpoint."
During the DLP rollout, which took about 4 months and included a proof-of-concept stage with "friends and family," Jabil didn't report significant performance issues but did acknowledge a few problems with some applications. Visibility improved almost immediately, however, and the security team could see that data was getting copied to USB drives. "That was probably the real eye-opener to the executive management staff," said Ring. "No one really thought we had a data leakage problem. Once you put the agent out there, you get hard data right away that you have a data leakage problem."
The manufacturer's security team used the egress reports from the DLP service to interact with the company's various business units at a high level. "You had over 10,000 documents moved from your customer shares on your core file server to USB; is that a work flow that you expected? That got some attention," Ring said. "That got some people from the business unit engaged and working with us to define what their workflows were, if there were USBs making sure that they were registered, if encryption was necessary due to sensitivity of data, if control was necessary. They are the ones that have to tell you that. So this got them to play ball."
Data loss prevention technologies (network, endpoint and data discovery) can provide additional controls, such as notification and active blocking of valuable assets internally and at third-party sources, but context-aware tools require heavy lifting upfront, namely data classification and discovery. "Unless the company has an idea what it considers IP information, it makes it very difficult to make the most of the tools that are brought in," said Heidi Shey, analyst at Forrester Research. "IP is one of those tricky things where you really need a human to identify if something is considered intellectual property. It's not like a social security number where you can just write a regular expression for compliance."
Enterprises realize data classification is important, but for many it's something that gets put off because it is not easy to do or the company has tried before and failed.
"It takes effort and coordination across the enterprise. I think a lot of folks put it off to the side and address something sexier like mobile or cloud," said Shey. "But more and more, we are seeing that people are coming back around and realizing that they have to roll up their sleeves and tackle classification because they need to understand what data they have, and what is sensitive, if they want to do a better job -- and focusing their efforts on protecting the sensitive information, and getting rid of stuff that they no longer need."
Enterprises looking at IP protection need to understand that any tool that you bring in, whether DLP or something else, is only going to look for data that has been identified and classified as sensitive or confidential by informed people, often within business units. DLP tools are increasingly offering user interfaces that are targeted at business users, who can work with IT to implement the policies and configure the tools so that the agents and alerts know what to look for.
"With DLP, one of the mistakes that we see often is that people expect it to be magical," said Shey. "You bring it in; you turn it on and boom. But that is very far from reality, where so much more has to be done up front in terms of planning and considering policies that you have to implement and processes that you have in place to really enable these tools to work successfully."
Native installation on tablets and mobile devices is also an issue. Most content-aware DLP deployments still rely on mobile device management and VPN connections to scan traffic. Even so, enterprise interest in DLP as a control for IP protection is growing significantly -- both for "soft" IP protection of things like text-based assets and process documentation and "hard" IP protection for CAD/CAM files, chemical formulas and source code, according to Gartner.
DLP managed services do not take away the headaches involved in creating content rules, policies and workflows, but may allow companies like Jabil to ramp up deployments more quickly by relying on the technical expertise and support of the service provider. While the managed services DLP market remains relatively small, Gartner estimates that 20% of DLP will be managed services by 2016.
Even with DLP controls in place, IP theft remains the elephant in the room for companies, dwarfing revenues lost by PII and other data security incidents. The losses are hard to quantify, but a 2013 report by the Commission on the Theft of American Intellectual Property estimated that it was upwards of $300 billion for U.S. companies.
Once the theft has been discovered, what recourse does an organization have? Even with patents, and copyright and antipiracy laws in some countries, sometimes very little. Cyberinsurance does not cover losses associated with IP or trade secrets. Sony reached out to Mandiant, a division of FireEye, and the FBI to help track down the perpetrators of the attack on their movie division. The company also hired a high-profile lawyer, David Boies, who sent a letter to media outlets threatening further action if they released stolen information.
While China has not been implicated in the Sony hacking incident, the country has been directly linked to other cybersecurity espionage and has continued to butt heads with the United States on IP issues. Companies that do business with partners in countries with lax data protection laws have limited recourse. It's critical to monitor and enforce security requirements through service level agreements and other contracts with third-party vendors and supply chains, such as Jabil.
Joint responsibility for data security, as well as rising awareness among C-level executives and boards, may drive renewed focus on data classification and better funding for IP protection. Data security is moving beyond IT at many companies; responsibility for IP protection often falls on chief privacy officers or data governance officers. "In the past, some of the mistakes that have been made with classification are that enterprises thought of it as a job for the security team and only the CISO," said Shey. "Someone in IT didn't think about business implications or that stakeholders should be involved, and that is changing today."
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.