The highest profile hacks, the ones that get the most digital ink, are the ones that affect millions of people. When personally identifiable information (PII) is stolen from a major healthcare company or retail provider (think Target), millions of ordinary citizens find themselves in financial jeopardy, and the media and lawmakers take notice.
But what about a company that does not have a treasure trove of PII on hand? What are the biggest cyber-risks for a company like, say, Sony? The entertainment giant was hacked last year, and, though PII related to Sony employees was indeed taken, the biggest impact of the hack came from the theft of other data, confidential information that led to monetary and reputational damage.
So, what are the risks for companies that have massive amounts of important information—trade secrets, client lists, manufacturing methods and the like—and what can they do about it?
Some aspects of cybersecurity are universal, and are applicable in multiple situations, whether you are concerned with locking down customer credit card numbers or your own secret formula for hot sauce. The first step is to do a risk assessment.
“Go through the risk assessment process. Determine what you have that is valuable. There are some things, such as customer lists... it surprises me when companies don't protect those better; this includes pricing, strategic planning information and financial information as well,” says Jason Straight, senior vice president and chief privacy officer, UnitedLex.
“The crown jewels” is a term companies use to refer to the information that is most vital to the day-to-day and/or long-term success of the business, information that, if exposed, would reduce the value of the enterprise by giving competitors advantages or insights to use against the company. But Straight sees a disconnect between the assets that companies value and how they go about protecting those assets. Much of that resistance comes from employees themselves.
“Companies are talking about protecting customer information and trade secrets,” says Straight, “but when they try to lock down those assets, limiting access to them, they start to run into resistance. ‘What do you mean I have to use this token when I log into Salesforce?’ employees ask. When it impacts the user experience, that's when you start to get pushback.”
This pushback could come from the rank and file, or it could come from senior executives. According to Straight, executives are often the ones who make noise about changing their passwords and implementing other security protocols that are vital to protecting those crown jewels.
The employee equation
“Employees remain the weak link in the cybersecurity fortress,” explains Collin Hite, head of the Insurance Recovery Group at Hirschler Fleischer. “Anyone who thinks they can make the network 100 percent secure and that breaches can't happen to them is fooling himself.”
When it comes to protecting the network that houses your valuable trade secrets and other sensitive data, human beings remain the biggest chink in the armor. Whether they sell their login information, forget their laptops in a taxi or tape their passwords to their workstations, intentional or unintentional actions by employees can blaze an easy path toward a disaster.
While the media jumps on news of foreign nationals crashing security to gain access to intellectual property, employees remain an aspect of cybersecurity that businesses can more easily control. “A user name and password are easier for an attacker to obtain than getting around intrusion detection systems, and human beings usually take the path of least resistance,” explains Straight. This means that companies need to train their employees, especially the ones who have access to vital systems and intellectual property.
“Tell them not to use their cat's name as a password or reveal login information on Facebook or LinkedIn,” he says. “Warn them about spearphishing, when a hacker tries to build a trust relationship by pretending to be your old boss or college buddy and asking for your information. These strategies are heavily used by attackers and can lead to network compromises.”
Trade secrets are not the only type of intellectual property that should be top of mind when considering matters of cybersecurity. Copyrighted materials can be targets of hackers as well, and theft could also lead to financial and reputational harm.
Lex Machina is a company that has gained a reputation for providing legal analytics for patent litigators, and has recently expanded its reach to analyze copyright and trademark information for intellectual property attorneys. The company found that a large percentage of copyright cases dealt with file sharing sites, peer-to-peer sites where anonymous users could illegally share copyrighted material with others.
In 2009, a pirated, unfinished copy of the Fox movie X-Men Origins: Wolverine was posted online, and downloaded by countless curious fans. Those fans were disappointed, perhaps in part because of the unfinished special effects and music, and this fiasco likely cost the movie at the box office, where it fell short of prognostications.
“Unauthorized copies of movies are being shared on peer-to-peer file-sharing sites online. In the universe of file-sharing cases, there is an overlap with cybersecurity. If a company's security is breached to obtain a copy of the movie or other work, it can then be distributed on peer-to-peer file-sharing networks,” says Owen Byrd, chief evangelist and general counsel at Lex Machina.
Of course, Lex Machina has its own share of important, specialized data, including its software solutions, so it sees cybersecurity as a top priority for itself. “We have worked hard over the years and invested millions of dollars to create our proprietary IP data litigation set, so you can be sure that we have built into our system protection for that extraordinarily valuable data,” says Byrd.
And, because Lex Machina's solutions are used by countless in-house and firm lawyers, it also takes pains to protect their data. “We have built in protection to protect user data. We assert that using our platform gives lawyers a competitive advantage. Those who use our site want to know that the data they access on the site and the insights that the data provides to them does give them that advantage. Just like any other software-as-a-service-based data offering, we are careful to protect the usage of our users,” says Byrd.
To help prevent these breaches of confidential, proprietary information and trade secrets, Hite recommends that companies “take a holistic view of risk. You cannot have a turf war, with groups operating in siloes. Information technology can't think that risk management and legal don't need to worry.”
Angela Matney, Certified Information Privacy Professional and attorney at Hirschler Fleischer, agrees that the protection of trade secrets is a team effort. “One key thing to think about is that your policies need to match your practices,” she explains. It's one thing for the risk or legal team to develop policies and training that protect trade secrets and intellectual property, but that has to be backed up by the IT team, implementing the policies and procedures that will lock down those crown jewels. And, with the implementation of these policies and procedures, companies can avoid losing those crown jewels and taking a tumble in the marketplace.