There's no question — as the headlines remind us daily — that companies and other organizations need to continue to assess and strengthen their IT security in the current threat environment to prevent the loss of valuable corporate assets including intellectual property (IP) and sensitive data. Aligning a company's IT security is just one component of an overall strategy that integrates people, processes and technology to protect important information.
Fortunately, many companies are already using an integrated system to protect from risk in other areas — financial, supply chain disruptions and so on — through application of Enterprise Risk Management (ERM). There are several variations on ERM, but they all seek to do three things: identify risks, assess their potential for damage, and then address risks according to their implications for the company.
To extend the ERM approach to information and IP, companies need to create a comprehensive inventory of sensitive data and intellectual property that are key to their competitiveness. Where is that information stored, who has access to it and how is that access monitored? A remarkable number of companies do not have a handle on what they need to protect.
In addition to building a robust IT system to meet international standards, the framework for effective security also requires a number of non-tech elements. At the most fundamental level, companies need to establish policies on the handling of sensitive information and valuable intellectual property and then formulate procedures that employees are expected to follow. These need to then be conveyed through training and monitored to assure follow-through.
A system to secure intellectual assets must also be designed with an understanding of the evolving threat environment for the specific organization. Most companies are operating in a highly competitive globalized economy, characterized by complex supply chains, a high degree of mobility among their talent, and ever increasing amounts of digitized data that can easily be shared electronically.
As most IT security professionals understand, the malicious insider is the most pervasive threat, and can do significant damage. An example of how that threat often plays out is seen in the case of the U.S. textile company, Gore and Associates. Recently a departing Gore employee, a chemical engineer, was arrested after an investigation revealed he had downloaded and printed hundreds of documents about a high-tech camouflage material the company was developing for the military. He was just hours from boarding a flight to his native South Korea.
Beyond that, companies now have risks that arise in their supply chain and business partnerships, which may comprise a web of tens or hundreds of relationships. To cite a Japanese example, educational services provider Benesse suffered a breach of personal data for some 22.6 million customers. The suspect, who is now in custody, is a systems engineer contractor who allegedly loaded the data onto his smartphone, then sold it.
This example points to another element critical to protecting sensitive information: when conducting due diligence on potential partners, the scrutiny should include that party's IT security system, as well as its practices for handling sensitive information and IP. Increasingly, cyber thieves are targeting larger corporations through the less robust systems of their small and medium-sized partners.
Does the company use pirated software, for instance? Doing so could make them vulnerable to intrusions. Do they have a need-to-know policy for sensitive data and information? Do employees use their own devices for work?
In addition, since most companies need supply chain partners to be competitive, they can bolster security by sharing best practices and training those partners to protect assets. They can also, as a condition of their contract, require monitoring of those practices.
In our experience working with global companies, we are seeing a greater interest in this comprehensive model of protecting corporate assets.
For example, when digital services company arvato was implementing ISO 27001, executives recognized that they needed to go beyond the standard in order to effectively address full protection of IP and other sensitive information, which is absolutely critical to the company's reputation and success.
The company, based in Germany, provides clients around the world with customized services in digital marketing, finance, CRM, SCM, print and information solutions — often handling intellectual property that lies at the heart of its clients' businesses. Arvato employs some 68,000 people in 200 locations, and has relationships with scores of third parties.
In addition to its IT improvements, arvato put in place a larger security framework using, for instance, a blueprint for supplier risk assessment, and essential contract components on IP protection, including those for information security and data security.
Arvato's newly developed approach to security and IP protection is now being adapted by other divisions of its parent company, German media giant Bertelsmann SE, which operates in more than 50 countries.
Other companies are exploring how to integrate protecting IP and sensitive data into their ERM approach — such as Amsterdam-based technology giant Philips — but these enterprises remain the exception, not the rule.
Indeed, what most companies currently have in place to secure their critical corporate assets is not up to the task. But the good news is that most companies have systems in place to manage other risks that can be optimized for the risks to data and intellectual property. This systematic approach, aligning people, process and technology, will better prepare companies for and address the evolving threat environment.
Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), a non-governmental organization helping companies around the globe prevent piracy, counterfeiting, trade secret theft, and corruption.