The theft of intellectual property from the U.S. is "unprecedented," and costs the nation an estimated $300 billion each year, according to the IP Commission Report, issued in May. Worse, corporate employees—through their information sharing practices—are making it easy for IP thieves.
Sharing information is now the way of business and social life. Companies have outsourced business processes to partners, moved data and applications to “the Cloud” and embraced social media for communication with customers and collaboration with suppliers. Individuals now bring their own computing devices to the office, mixing company and personal data on the same machine, and mobile devices are increasingly replacing desktops as the standard in business technology. All of these changes greatly increase the potential for data loss.
As the realities of these changes on modern business practice take hold, it is quite possible that we have crossed a dangerous line in this new information sharing culture. How are we to know if we are putting too much of our personal information on the Internet? And are we blurring the lines between what should and shouldn’t be said in public?
We’ve come a long way since the “Loose Lips Sink Ships” campaign of World War II, when a “need to know” concept was enforced and warned against giving away anything that could help the enemy. Now, seemingly irrelevant snippets of personal data can be used to piece together intelligence to enable hackers to target individuals, facilities and organizations. We are now at war over information. Hacktivists, criminal gangs, terrorist groups and even rogue states are targeting valuable intellectual property, customer and employee personal details. Individuals must consider their Web profiles, behaviors and security settings and wise up to the risks. Companies are also exposed to risks interacting with their supply chain, partners and customers.
A New Business Strategy
To reduce cyber risk, companies need to develop a new business strategy that is “secure by design” and understand that this isn’t just a technology issue, but a wide-ranging problem that encompasses culture, processes, staff behavior, training, and includes interactions with suppliers, partners and customers.
A key component in this strategy is to decide upon an information classification scheme. A decision must be made about what type of information should be kept secure, shared internally and published externally. Employees must be made to know what they should and shouldn’t be sharing, so the information must be marked to make it clear. Furthermore, they must understand what criteria to apply when marking their own generated content and handling protectively marked documents. Rules should be in place on information handling to reduce chances of leakage and information should be shared on a “need to know” basis internally as well as externally.
The military have used a multi-level security system and protective marking scheme for many years. This six-tier system ranges from “Top Secret” to “Unclassified” and was designed to protect paper-based information stored in filing cabinets and moved between places physically. Companies should introduce similar schemes. Here is a pragmatic example of security classification levels for different types of data:
1. Private – Company-critical information including personnel records, customer data, intellectual property, for example inventions, the design of products, components or future products, concepts and plans.
2. Transactional / Confidential - Information that needs to be shared with suppliers and customers for the business to run including contracts, invoices, purchase orders, proposals.
3. Unclassified - Data that can be shared with the world in print or online.
Some, but not all, data may move from “Private” to “Unclassified” over time. For example, the marketing strategy starts as “Private” but then becomes “Transactional” (but embargoed) as events are planned with partners, with some data becoming “Unclassified” as the campaign is launched to the public. Website content will be considered “Confidential” until it is published, but even then the organization will still own the copyright.
Controls and measures need to be put in place appropriate for the security level and industry cyber risk profile.
Collaboration at All Security Levels is Required
A key issue is that companies need to share information with partners at all levels. For example, an aircraft component design may need to be shared with a third-party manufacturer. The key emphasis and business enabler is secure collaboration – making it easy for information to flow with the business activities that require it.
The partner organizations must then operate similar security models with appropriate controls in place such as identity and access management, encryption and partnering agreements and contracts that include terms for secure collaboration.
The Private security level necessitates stricter controls and procedures, limited device access, and most importantly, better-protected information. There will be fewer people with access privileges and a lower volume of data. Enterprise strategic information assets should be given the highest priority for security spending.
Network perimeter security is no longer enough as critical data is passed out of the company to partners, customers and cloud services. The data itself must therefore be protected with encryption -only visible to the intended recipient. It is little known that e-mail and attachments are sent over the internet “in the clear,” with very little encrypted traffic. Companies should implement secure signed and encrypted e-mail, as the default standard for confidential information transfers between businesses.
A New Culture of Security and Controls
In order to enable this tiered information management structure, business processes and information systems need to be designed and implemented to prevent data loss. Employees must be trained and a new culture of “appropriate” security and controls should be introduced.
As the tools and techniques employed by cyber criminals become ever more sophisticated so must the approach to applying defense strategies. To remain static in approach to security, and to retain an improper culture of information sharing, is to accept an immediate and continuous step backward into the clutches of cyber criminals.
Doing business securely in the era of cyber crime and espionage is a significant challenge. Embedding an information security classification scheme, and with it a “need to know” cultural change, will act as a catalyst for secure, collaborative working and communication. It will also protect strategic information assets and enable organizations to prioritise spend to protect their brand.