I work with organizations around the world across a variety of industries, and I’m perplexed by one thing that most of them have in common: their data protection programs are focused solely on regulated data such as social security numbers, credit card account information, and other personally identifiable information (PII).
Complying with data security regulations is important, but rarely is regulated data the only data worth protecting in a company. In most organizations, the risk of regulatory fines is far smaller than the potential losses associated with intellectual property theft—loss of market share, loss of competitive advantage, loss of revenue, and potentially loss of the entire company.
Why Are We Not Protecting What’s Most Important? It’s Complicated.
Protecting IP requires making calls that are not black and white, yes or no. IP data is often unstructured and doesn’t fit neatly into established categories. It takes Information Security teams into gray areas that are uncomfortable. Before you can protect your IP effectively, you need to identify the difficulties around dealing with those gray areas.
Here are some of the most common issues.
It’s difficult to define IP
It’s true that protecting IP is not as straightforward as protecting other types of sensitive information. Regulated information is well defined in the public space. Something is either a credit card number or it’s not. It’s either personally identifiable information (PII) as defined by global regulations or it’s not.
Mature organizations have a list of people who can handle that regulated sensitive information and have defined acceptable use of that information. The Information Security team can set up rules to enforce those documented policies easily. It’s black and white.
IP protection, in contrast, is messy. It isn’t black and white. It’s one big squishy gray area. Although a few rules govern how IP cases can be brought to court, no external entity dictates what constitutes Intellectual Property or how an organization must protect it.
IP is difficult to define even for the organizations it belongs to. To properly protect IP, the Information Security team must engage the business leaders who create and profit from it. They need to know what drives revenue for the organization, what role the IP plays in that revenue, and whether the information would be valuable to an outside entity. And they need to understand who plays a role in the creation, storage, usage, and transmission of the data.
After that, they need to speak with the legal team to see what portions of the Intellectual Property are legally protected and therefore not sensitive—and what portions of the IP are considered Trade Secrets or Know-How and have few legal protections.
It’s difficult to quantify the risks associated with IP
Even when IP is defined, quantifying the risk of its loss is a challenge. The ability to quantify risk is a measure of a company’s overall health. Publicly traded companies must produce an annual report known as a 10-K report. In that report, section 1A is a detailed list of the risk factors affecting their business.
In that evaluation, regulatory fines are risks that are easy to understand. If you don’t comply with a specific regulation, the regulating body will fine your company for non-compliance with data security regulations. The company can look at the legal precedent to see what organizations were held accountable and what the actual costs were in the event of a breach. It’s black and white. And it’s easy to quantify the value of mitigating that risk too: I am going to invest X dollars to reduce my exposure to a risk of a fine that will cost Y dollars.
In my experience, effectively protecting IP will also mitigate 25%-40% of those easily quantifiable risks. However, organizations struggle to quantify risks associated with not protecting the IP itself, even though those risks are very real. It’s a gray area.
It’s difficult to define the rules related to IP
Organizations often maintain lists of users who can interact with regulated information. Data security regulations also typically define the allowed activities related to that information. For example, the Health Insurance Portability and Accountability Act (HIPAA) states that a health record being transmitted via email must be encrypted. That rule is black and white—easy to implement and enforce.
For Information Security teams asking whether a user can interact with IP inside an organization, the answer is almost never “yes” or “no.” In nearly all cases, “it depends.”
That answer is governed by a variety of factors related to the person’s job role and normal pattern of behavior. How that information should be used often changes quickly, and the changes are typically not well defined. The entire rule set for IP is a gray area.
It’s Difficult to Coordinate Communication About IP
These are conversations that many organizations’ Information Security teams are unwilling or unable to engage in.
In many organizations, data protection programs are categorized under the same umbrella as information security tools. This makes sense from an outside perspective; after all, data protection programs do fall under Information Security and are often operated under the same budgets as traditional security technologies such as Security Information and Event Management (SIEM), Endpoint Protection Platforms, and Intrusion Detection and Prevention Systems (IDS/IPS).
Data protection programs, though, are fundamentally different from those technology tools because they require business engagement in order to be effective. And that can be a challenge.
Even in organizations that attempt to force that communication to happen, most Information Security teams do not use the same language (or jargon) to communicate security concepts that business leaders use. Business leaders are becoming more technically savvy, but many Information Security teams struggle to provide information in ways that make sense to their executive teams.
As a result, the IT Security teams default to the areas where they are most comfortable: protecting regulated data with black-and-white security tools. A firewall checks a list of senders, destinations, and ports and allows or denies each piece of traffic that attempts to traverse its network segment. A web gateway puts websites into categories and allows or denies users access to that category. A traditional antivirus program scans a file against a list of known bad files and if a match is identified, the program blocks or quarantines the file.
This is all very straightforward and not nuanced. The decision is black and white.
Operating in the Gray Area: Looking to the Future of IP Protection
There is good news for companies that recognize the value of their IP. Managed data protection solutions are enabling companies to access highly specific protections for structured and unstructured data while dramatically reducing the complexity of security management for their staffs.
In addition, emerging and newly available technologies are helping companies overcome the difficulty of working in the gray areas of data protection. Machine learning is an area showing tremendous promise. Although automated technologies aren’t capable of supporting nuanced decision patterns, they can help streamline responses, improve reporting, and allow for dynamic actions.
In my next post, I will walk through a concept called Dynamic Data Protection, a solution based on the idea that if you combine analysis of the riskiness of human behavior with what is happening with respect to data, you can program machines to make nuanced, automated decisions in those gray areas.
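To make the contrast between the black-and-white rule in the HIPAA example and the “it depends” answer for IP concrete, here is an added illustration (my own sketch, not the author’s Dynamic Data Protection design or any vendor’s product): a fixed rule for regulated data beside a graded decision that combines data sensitivity, the person’s job role and how far the action departs from that user’s own behavioral baseline. Every class name, role mapping, weight and threshold below is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Activity:
    user: str
    action: str          # "download" or "email_external"
    classification: str  # "public", "regulated" or "trade_secret"
    nbytes: int
    encrypted: bool = False

# Black-and-white rule for regulated data (the HIPAA e-mail example in the post).
def regulated_rule(act: Activity) -> str:
    if act.classification == "regulated" and act.action == "email_external" and not act.encrypted:
        return "block"
    return "allow"

# Assumed sensitivity weights and which classifications each role normally touches.
SENSITIVITY = {"public": 0.0, "regulated": 0.6, "trade_secret": 1.0}
ROLE_NORMAL = {"engineer": {"trade_secret", "public"}, "sales": {"public"}}

def behavior_score(history: list, act: Activity) -> float:
    """0..1: how far this action's volume departs from the user's own baseline."""
    baseline = mean(a.nbytes for a in history) if history else act.nbytes
    ratio = act.nbytes / baseline if baseline else 1.0
    return min(1.0, max(0.0, (ratio - 1.0) / 9.0))  # 10x the baseline saturates at 1

def ip_risk(role: str, history: list, act: Activity) -> float:
    s = SENSITIVITY[act.classification]
    b = behavior_score(history, act)
    role_fit = 1.0 if act.classification in ROLE_NORMAL.get(role, set()) else 0.0
    external = 1.0 if act.action == "email_external" else 0.0
    # Sensitivity gates everything; anomaly, role mismatch and egress each add to it.
    return round(s * (0.4 + 0.2 * b + 0.2 * (1 - role_fit) + 0.2 * external), 3)

def ip_decision(role: str, history: list, act: Activity) -> str:
    """Graded response instead of allow/deny: the 'gray area' made explicit."""
    risk = ip_risk(role, history, act)
    if risk < 0.3:
        return "allow"
    if risk < 0.6:
        return "allow_and_monitor"
    if risk < 0.8:
        return "require_justification"
    return "block"

if __name__ == "__main__":
    # Constructed sample history: an engineer's usual 1 MB design-file downloads.
    hist = [Activity("alice", "download", "trade_secret", 1_000_000) for _ in range(5)]
    print(ip_decision("engineer", hist, Activity("alice", "download", "trade_secret", 1_000_000)))
    print(ip_decision("engineer", hist, Activity("alice", "download", "trade_secret", 10_000_000)))
```

The same trade-secret download is merely monitored at normal volume, escalates to a justification prompt at ten times the user’s baseline, and is blocked outright when a sales user e-mails it externally at that volume, while the regulated-data rule stays a simple yes/no.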
This is an exciting concept and a major leap forward. It is also not a silver bullet. Organizations still must engage with the business to define what sensitive IP is, and they should start doing that now. Capabilities exist to protect sensitive Intellectual Property, and the stakes are higher than they’ve ever been.
The question is not whether you can afford to protect your intellectual property. The question is quickly becoming whether you can afford not to.
Looking for a proven approach to protect your intellectual property?
InteliSecure offers consulting services to help organizations navigate the gray areas of critical asset protection. Connect with us to start working through your complex conversations.