
7/21/2016
11:30 AM

Majority Of Companies Say Trade Secrets Likely Compromised

About 60 percent of companies in a survey by Ponemon and Kilpatrick Townsend say at least some of their trade secrets are likely in the hands of rivals

A surprisingly large proportion of security executives appear to believe that at least some of their company’s trade secrets and intellectual property have already been compromised and are in the hands of a rival.

The Ponemon Institute and Atlanta law firm Kilpatrick Townsend’s cybersecurity, privacy and data governance practice recently conducted a survey of 600 executives familiar with their organization’s approach to protecting and managing intellectual property and knowledge assets.

A startling 60 percent of those who responded said they believed that at least one piece of their knowledge assets was in the hands of a competitor. Some 74 percent said it was likely their organization had failed to detect a data breach involving a loss or compromise of a key knowledge asset.

Barely three in 10 of the survey respondents said their company had a way to classify data based on the value of the data to the organization, while just 28 percent expressed confidence in their ability to detect and block theft of their organization’s knowledge assets by a malicious insider or external attacker.

For the purposes of the survey, the researchers described knowledge assets as information such as trade secrets, customer data, and confidential corporate information -- including product design documents, pricing plans, and other non-public information like partnership or merger plans. Typically, the loss or compromise of such data does not trigger state breach disclosure laws, which usually pertain only to loss of personally identifiable data and financial information.

“The big takeaway for enterprises is that the data that has been the focus of protection has been chosen based on compliance requirements rather than on strategic risk assessments,” says Jon Neiditz, a partner at Kilpatrick Townsend and co-leader of the firm’s cybersecurity and privacy practice. “The most critical data is in dire need of better protection.”

For instance, more than half of those who participated in the Ponemon and Kilpatrick Townsend survey admitted that a loss of knowledge assets would impact their ability to continue as a business. Even so, senior management appeared far more concerned about protecting data covered by breach regulations, such as credit card information, Social Security Numbers and other personally identifiable information. Less than one-third said management appreciated the security risks facing their knowledge assets.

Survey respondents cited cyberespionage and hacktivism as the two biggest threats to knowledge assets, says Neiditz. About 50 percent believed they are being targeted by nation states, while many others believed cyberespionage was being carried out against them by rivals as well.

The survey showed that the cost to remediate an attack involving knowledge assets in the past 12 months was around $5.4 million. The overall costs to organizations from theft or loss of intellectual property and other knowledge assets ranged from $100 million to $150 million.

Generally, the costs associated with the theft or compromise of knowledge assets tend to be highly variable based on industry and the type of data that is involved, Neiditz says.

For example, the cost associated with the theft of secrets pertaining to a major weapons system would be significantly different from the theft of retail or financial data. “The key point is that in the survey the respondents were asked to estimate the costs to their organizations, in their industries,” Neiditz said. “Even though we’re just diving into this huge new area of need, I doubt we’ll ever have universal components of costs across industries.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
