Content

For Your Eyes Only: Securing Sensitive Data from Rogue Staff

Defining what constitutes intellectual property can lead to differences of opinion.

Taking the official U.K. Government explanation, intellectual property (IP) allows companies and individuals to own their ideas, creativity and innovation in the same way that they can own physical property.
In law, there are four main types of intellectual property:

  • patents for new inventions, products and processes, etc.
  • trade marks for brand identity
  • designs for product appearance
  • copyright for material, from sound recordings to software

Even where no IP rights have been applied for, most businesses will own a number of automatic rights, particularly in copyright and designs. For example, databases, marketing collateral, promotional videos and even instruction manuals will attract automatic copyright protection. Equally, a new furniture design or the shape of something purely functional, such as a new screwdriver, is protected automatically by design rights.

Under U.K. law certainly, copyright and design right material sent via email or stored on web servers is generally protected in the same way as material stored on, or transferred by other media. In essence, the law recognizes a vast array of content as having automatic IP rights, stretching across new and old media. Despite this strong legal foundation, many companies still do very little to protect their IP when transferring it online or storing it on computer networks.

Intellectual property at risk

An electronic security policy should be the fundamental cornerstone of protecting IP online. However, according to the Department of Trade and Industry (DTI), only around a third of U.K. companies currently have such a policy in place.

Another useful benchmark of how lackadaisically companies protect their IP is compliance with the 1998 Data Protection Act, which requires businesses to secure data on and offline. The latest official Government figures show that less than half of U.K. businesses are putting procedures in place to comply with the DPA. Even more startling is that only 15 percent of people responsible for corporate IT security are aware of the requirements of BS7799, the recognized information security standard.

Complacency is perhaps the best explanation for this lack of action to safeguard IP online. In a 2001 survey by the Confederation of British Industry (CBI), 73 percent of companies acknowledged that information security crime was rising but only around a third felt it might affect their own business. However, by ignoring best practice guidelines on information security, companies leave IP belonging to themselves, their customers and partners open to interception.

More often than not, that is exactly what happens. According to the DTI, 51 percent of businesses suffered a hacking, unauthorized information access or data misuse incident in 2002 - compared to only 35 percent which fell prey to a virus infection. The average cost of each security breach is £30,000, proving that leaving IP unprotected directly hits a company's bottom line. Where IP involving a customer or supplier is lost because of an unprotected email for example, the consequences can be even worse, leaving the victim open to damages claims under the DPA.

Stopping the leaks

The key questions in thinking about the electronic threat to IP are, where does it come from and how can it be stopped?

The most common source of IP security breaches is the company email system, with 31 billion email messages now being sent every day worldwide. Most messages are innocuous but email has effectively replaced the post as the primary business medium for sharing IP quickly and cost-effectively, both internally and externally.

While letters are signed, sealed and trusted to the mail service for security, with email there is generally no protection whatsoever.

According to Diligence Information Security, over 70 percent of the IT security breaches affecting a company are committed by its own staff, with intercepting and reading other people's email without permission a primary factor.

In most cases, the 'hacker' is interested in salary information, or relationship details - in other words, personal rather than intellectual property. While this invasion of privacy is unacceptable, it only scratches the surface of the damage that this kind of internal 'hack' can do to a company's IP.

When a disaffected employee starts reading other people's email, sensitive information often ends up being sent to the press or to competitors. In March 2003, Barclaycard won an industrial tribunal defending its right to access employee email after sacking a worker over the content of his messages. The employee had sent derogatory email messages about his colleagues to other people in the company and, more damagingly, sent confidential information to competitors.

The damage that this kind of act can and does cause many businesses is astounding. It results in loss of credibility and reputation in the marketplace, loss of earnings through a competitor understanding and undermining current and future plans and activities, and in some cases, ends in blackmail attempts.

Information security breaches by external hackers are also rising, particularly as the use of broadband increases. In the past, a hacker could only break into an email account during the brief moments when the user was logged on via a dial-up internet connection. With always-on access, users are targeted 24 hours a day.

With broadband's faster access speeds, users rely on email to send large files that were previously sent by post. These email attachments regularly contain sensitive intellectual property, such as customer agreements and product presentations, which without protection provide rich pickings for hackers.

As most people in the information security industry know, gauging the volume of breaches is difficult when victims seek to hide their loss and embarrassment by hushing up attacks. The activity of the U.K.'s National Hi-Tech unit provides an indication of the scale of the problem. The Government's digital crime fighting unit has begun offering victims full anonymity to come forward, in an effort to 'jump start' the number of investigations into the problem.

But not everyone is keeping silent. The well respected BBC journalist, John Simpson, has accused the U.K. Government of hacking into BBC systems for advanced warning of stories. Reuters is being investigated after it was accused of hacking into a Swedish company to find out financial information.

Putting hacking to one side, IP is often put at risk by one of the IT industry's oldest trouble-makers: 'user error.' It may sound trivial, but human error is responsible for a number of serious information security breaches. As an example, a schoolgirl in the English county of Devon received sensitive documents from the Pentagon and U.K. Ministry of Defence for six months because of a typing error in the email address.

Protecting IP online

There are differing opinions on how best to protect electronic communication, and the IP carried within it. Writing in The Guardian, David Birch, a director of Consult Hyperion, called for the creation of a secure, parallel infrastructure to be created alongside the internet.

His argument was that because the internet was built without security, attempts to secure it retrospectively were essentially doomed to failure. Instead, anyone wanting to send sensitive information online could use a separate infrastructure with automatic security built into its core.

The problem with this approach is whether anyone would use 'Secure Internet Mark 2.' Security aficionados might but the vast majority of people are still coming to terms with the original internet itself. The whole approach feels rather elitist, protecting the minority instead of the majority.

Instead, there is more opportunity than ever before for companies to protect their IP online quickly, simply and cost-effectively. The cause for optimism comes from advancements in the way encryption services are supplied and managed.

Traditionally, encryption has been rolled out on a device-centric model. In other words, the technology has to be installed on each PC separately and managed individually. However, with severe constraints on the time and budgets of in-house IT departments, device-centric cryptography has become impractical for many.

The answer comes from new server-centric cryptographic technology. With server-centric solutions, encryption can be installed and managed across any number of PCs, laptops or mobile phones from a single, central point. As well as benefiting IT staff, server-centric cryptography is popular with finance directors, requiring around 5 percent of the average information security budget compared to the 60 percent swallowed by device-centric security.

Cryptography has also become significantly easier to use - simple enough even for the most technophobic board director. Classic encryption packages like PGP are still perfect for the technically adept. However, today's solutions simply appear as an extra button on the email toolbar to be turned on and off as required. They make emailing securely as fast and convenient as sending unprotected messages.

The same server-centric features and benefits apply to solutions used for securing Word or Excel files stored on a company network. Different access rights can be seamlessly applied and amended to ensure only certain staff have the power to decrypt the most IP-sensitive files.

A private and confidential future

Intellectual property is a far broader term than most people imagine, covering the majority of information that a company generates. Particularly where electronic communications are concerned, the confidentiality and integrity of IP is breached on a regular basis, often with highly damaging consequences for both the company involved and its customers.

A mixture of corporate complacency and technical impracticality has kept many companies from securing their IP electronically. However with advances in server-centric technology, effective, affordable IP protection is viable at last.

Vanessa Chandrasekaran is executive vice president of global internet security specialist, Indicii Salus (www.indiciisalus.com).

 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.