[BreachExchange] Protecting Critical Assets From Cybertheft

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 17 18:36:22 EDT 2016


http://deloitte.wsj.com/cio/2016/10/17/protecting-critical-assets-from-cybertheft/

The headline-grabbing thefts of consumer credit card data, social security
numbers, and health profiles in the last few years have put the spotlight
on threats to consumers’ personal information. Leading retail chains,
banks, and health care companies have all been victims of such
cyberbreaches. Now, companies are more alert to the dangers, as are
government regulators.

In the rush to address the issue of consumer data theft, however,
corporations risk giving short shrift to another hot target for
cybercriminals—one that could be more damaging to a company’s core business
value and future viability. Intellectual property (IP) is a tempting quarry
for cybertheft. IP assets such as trade secrets, proprietary know-how,
research data, and product designs can constitute more than 80 percent of a
company’s value. With so much at stake, protection of IP should be a top
priority. Yet many organizations don’t fully account for IP in designing
their cyberprograms, leaving themselves exposed to a cascade of risks.

Recognizing the value of IP to the company is an essential first step in
designing tighter cyberprotections for these assets. An effective way to
grasp that value is to look at the potential cost of losing it. The total
costs of IP cybertheft extend beyond the loss of the value of the IP
itself, which may be measured in lost future revenues and market share,
foregone royalties, or other metrics. Many of the costs are not immediately
obvious and can unfold for years beyond the initial incident itself.

More Than Meets the Eye

The costs of IP cybertheft include expenses that may be expected to follow
a cyberincident, including those for legal counsel, public relations,
cybersecurity upgrades, and regulatory compliance. Not as obvious are less
tangible impacts that can occur over time, eventually even crippling a
company that is highly dependent on IP for its competitive edge.

Consider the case of a tech manufacturer that was preparing to launch a
suite of networking devices supporting the internet of things when
cyberthieves from a foreign nation-state stole IP important to the product
line. The IP had been expected to contribute 25 percent of the company’s
total revenue over the next five years. The company suspended planned sales
and shipments to upgrade cyberprotections on affected devices. Meanwhile,
given doubts about the company’s security capabilities, the federal
government and other major customers cancelled their contracts. In a few
months, copycat products hit the market. The company’s credit ratings
eroded. The value of its trade name plummeted, as did the backing of
investors.¹

Collaborating For a Better Defense

To stave off such possibilities, elevating IP cyber risk within the
corporation’s overall enterprise risk management program is paramount.
Indeed, integrating the entire cyber risk program, including the IP
component, under the organization’s enterprise risk framework provides
leadership the ability to evaluate IP cyber risks in the context of overall
corporate strategic goals.

Prioritization of cyber risk protections within a company’s broader IP
management strategy is also vital. Hand in hand with corporate cyber risk
leaders, top IP managers can identify the company’s most strategic IP,
understand better where and how the company’s various IP assets are
safeguarded, and design IP cyberprotection as part of the overall IP
management program. As a baseline, educating researchers and developers
about the company’s storage, data management, and retention policies can
help prevent careless exposure of important information to outsiders,
including cybercriminals. In addition, reducing the number of people with
access to IP and identifying the most vulnerable links in the process of
handling and protecting IP can help batten down the hatches.

Working together, IP and cyber risk managers can further fortify defenses
by integrating cybersecurity into each stage of the IP life cycle. IP needs
to be protected at every stage. Even before the decision to file for a
patent, IP can be very valuable to competitors and adversaries. In deciding
to file for patents and trademarks, leaders can consider the balance
between the legal protection offered by these designations and the
possibility that such public filings will attract greater attention from
attackers. In addition, as collaborative research, development, and
monetization of IP become the norm, ensuring cooperation from partners and
suppliers in protecting against cyber risks helps close other potential
areas of vulnerability.

When IP is a key driver of business value, prioritizing IP cyberprotections
helps ensure companies’ competitiveness, growth, and even future viability.
IP cyber risk strategy gains greater strength when integrated into overall
enterprise risk management and IP management itself through coordination
among top executives across the company.