A surprisingly large proportion of security executives appear to believe that at least some of their company’s trade secrets and intellectual property have already been compromised and are in the hands of a rival.
The Ponemon Institute and Atlanta law firm Kilpatrick Townsend’s cybersecurity, privacy and data governance practice recently conducted a survey of 600 executives familiar with their organization’s approach to protecting and managing intellectual property and knowledge assets.
A startling 60 percent of those who responded said they believed that one or more of their knowledge assets were in the hands of a competitor. Some 74 percent said it was likely their organization had failed to detect a data breach involving a loss or compromise of a key knowledge asset.
Barely three in 10 of the survey respondents said their company had a way to classify data based on the value of the data to the organization, while just 28 percent expressed confidence in their ability to detect and block theft of their organization’s knowledge assets by a malicious insider or external attacker.
For the purposes of the survey, the researchers described knowledge assets as information such as trade secrets, customer data, and confidential corporate information -- including product design documents, pricing plans, and other non-public information like partnership or merger plans. Typically, the loss or compromise of such data does not trigger state breach disclosure laws, which usually pertain only to loss of personally identifiable data and financial information.
“The big takeaway for enterprises is that the data that has been the focus of protection has been chosen based on compliance requirements rather than on strategic risk assessments,” says Jon Neiditz, a partner at Kilpatrick Townsend and co-leader of the firm’s cybersecurity and privacy practice. “The most critical data is in dire need of better protection.”
For instance, more than half of those who participated in the Ponemon and Kilpatrick Townsend survey admitted that a loss of knowledge assets would impact their ability to continue as a business. Even so, senior management appeared far more concerned about protecting data covered by breach regulations such as credit card information, Social Security Numbers and other personally identifiable information. Less than one-third said management appreciated the security risks facing their knowledge assets.
Survey respondents cited cyberespionage and hacktivism as the two biggest threats to knowledge assets, says Neiditz. About 50 percent believed they are being targeted by nation states, while many others believed rivals were carrying out cyberespionage against them as well.
The survey showed that the cost to remediate an attack involving knowledge assets in the past 12 months was around $5.4 million. The overall costs to organizations from theft or loss of intellectual property and other knowledge assets ranged from $100 million to $150 million.
Generally, the costs associated with the theft or compromise of knowledge assets tend to be highly variable based on industry and the type of data that is involved, Neiditz says.
For example, the cost associated with the theft of secrets pertaining to a major weapons system would be significantly different from the theft of retail or financial data. “The key point is that in the survey the respondents were asked to estimate the costs to their organizations, in their industries,” Neiditz said. “Even though we’re just diving into this huge new area of need, I doubt we’ll ever have universal components of costs across industries.”