Intellectual property (IP) is the life blood of many organizations, the thing that distinguishes them from their competitors, that gives them an edge in the market place, and that enables them to charge a premium for their products.
To date organizations have focused on protecting personal identifiable information (PII), but they know they also need to protect their IP. Companies need to take a more comprehensive approach to security, allowing people to perform other tasks that will provide additional cost savings. Some keep their IP in a vault that only a few people can access, but today most store their IP electronically and have set up policies and procedures designed to keep it inside the organization. The trouble is these policies and procedures do not seem to be working.
A recent survey by the Enterprise Strategy Group (ESG) titled "Intellectual Property Rules," found that one-third of enterprises surveyed acknowledge loss of sensitive data in the past 12 months and another 11 percent were unsure if such a breach had occurred. ESG has identified four rules for IP leakage protection that can help security teams responsible for protecting against such information losses understand what they are facing:
1. Electronic copies of IP appear in many forms, structured and unstructured, including financial information, customer contracts, and other types of trade secrets.
2. IP appears everywhere in the network, including databases, portals, and email.
3. Insider misuse is the largest threat to the business
4. Comprehensive programs to protect against IP leakage require extensive resources
Before an enterprise can protect its IP, it has to know what its IP is, where it is located, the ways in which it can leave the organization, and the best way to protect it. These steps seem easy enough on the surface, but grappling with them can be a challenge.
What Is IP?
Since IP may appear in many forms in many places, you have to understand what it is before you deal with it. In fact, IP may be a part of almost anything a company does. According to the survey the most common forms of IP were the following: 81 percent of respondents said financial information and contracts and agreements, 74 percent said source code, 74 percent said personal identifiable information, 70 percent said competitive intelligence and 69 percent said design specifications and internal research data. Other major forms of IP companies identified were trade secrets, CRM databases, and patent documents.
IP also has two characteristics that can make it difficult to protect. First, IP is not simply the data that describes the end result — the design specs, the application, the contracts. IP is created and accumulated throughout what may be a very long and complex process. Second, IP is amorphous and continually growing throughout the network.
Where Is IP?
Companies looking to protect their IP must thus cast a wide net if they want to find all of it. IP may take many different forms: emails, source code, CAD files, spreadsheets, slide shows, and more. Furthermore, the ESG study found that IP can leave the network in many different ways. One-third of companies' sensitive data and IP exists in application databases where it can be centrally secured and managed. An additional one-third resides in file system. This is contrary to past reports that indicated e-mail is the number one source of confidential data.
About 80 percent of companies identified the biggest threat to their data as internal, due either to malicious or negligent insiders or to faulty controls and oversight. And though nearly 60 percent believe IP is likely to leak out of their company via traffic such as email or the web, about 25 percent admit they are not inspecting such traffic.
How can you protect IP?
Carefully defining and detecting IP, wherever it is and whatever format it is in, is of crucial importance. Solutions must enable organizations to customize their own definitions of IP and be intelligent enough to identify it as it moves through the network. The solution must also be flexible in identifying varying formats of IP and not just search for fixed formats.
The ability to automate the detection of sensitive data in files, emails, databases, and shared portals is a critical first step in protecting the data. ESG found that nearly 50 percent of respondents felt that an automated IP protection solution should address not only data at rest but also data in motion as it traverses the network. When enterprises can automatically discover all their IP, when they can apply all their access policies across all formats and all ports, they can do a better job of preventing data leaks. It's like fishing; the wider the net and the finer its mesh, the more fish you can catch.
Of course, there is always the fish that gets away — and IP that leaves the network despite enterprises' best efforts. Some solutions enable users to deal with this situation by capturing monitored data and doing after-the-fact analyses of network traffic that provide "closed loop" insight into how well current policies operate and what new policies might be required. Companies must look for solutions that discover patterns of misuse, which will enable them to effectively apply all their access policies.
Protecting against IP leakage is a continual process; enterprises need to search their networks frequently to discover IP and determine compliance with corporate security policies. But by defining IP, automating its discovery, and evaluating network-based solutions, enterprises will find that they can protect their IP much more effectively.
— Eric Ogren is a security analyst at the Enterprise Strategy Group.