When the Justice Department issued indictments for five Chinese military officers in May it only reinforced the importance the Obama administration has placed on cyber security. He was, after all, the first U.S. President to mention cyber security in a State of the Union Address in 2013. The indictments focus on stopping the cyber theft of intellectual property (IP) and trade secrets — an issue we have been watching at our company for more than a decade. In fact, we work with 6 of the top 10 U.S. patent holders and many other leading global enterprises to safeguard their interests. Over the years, we’ve accumulated tips that are helpful when news like this breaks and we would like to share those with you.
1. Prioritize IP & Trade Secret Protection
This may seem like a no-brainer, but despite all of the chatter in the C-Suite about cyber security, very few companies have meaningful data protection programs in place today. They often cite the need to preserve the free flow of information as to not impede worker productivity. But the truth is, there are valuable data protection solutions on the market today that balance the need to protect data with the need to drive rapid innovation. IP and trade secret protection has to be an executive priority or it won’t get done.
2. Identify Your Most Valuable Data Assets
Organizations must have knowledge of their IP and trade secrets if they want to prevent them from being stolen. We have seen too many organizations that have no idea where this valuable data is stored and who has access to it. Simply identifying the crown jewels can feel like a daunting task, but it doesn’t have to be — you don’t have to boil the ocean. Start with your most critical IP — the stuff you know the hackers are after. For example, manufacturers would do well to start protecting engineering and R&D documents like design files. Get that identified first and then move to the next organizational function.
3. Protect Those Data Assets
This is going to sound very basic, but once sensitive data is identified… label it. Literally mark all critical assets as “internal only” or “confidential.” Whether the document is digital or paper-based, this is the quickest and easiest protection method. It provides employees a visual queue to treat the document with care, and those employees are often hacker targets. There are much more sophisticated approaches and technology that ensure your trade secrets stay that way. From encryption to digital rights management and persistent document tagging, to policy-driven data protection, there are numerous solutions on the market that can be used to ensure data flows freely, but only on a need-to-know basis.
4. Think Like The Cyber Criminals
Take a look at all of your business processes to determine where data theft might occur. Assess your data from an outsider’s standpoint — what would you want to steal and how would you do it? And, go about the work to plug those holes. The security pros call it “threat modeling” and there are numerous companies and consultancies that can help you do this.
5. Improve Employee Awareness
The weakest link in data defense is the employee — from the C-level executive to the receptionist. Add data protection to manuals and employment agreements, and train them on your policies regarding the use of confidential data. It also helps to perform regular security awareness training and invite your contractors, vendors and partners to participate, as they should be subject to your data protection policies as well.
6. Bonus Tip — Be Prepared if Your IP is Stolen
Have an incident response plan at the ready. Even the organizations that do data protection very well can still become victims of breaches. Today, cyber criminals are more nimble and financially motivated than ever before.
Salo Fajer is CTO at Digital Guardian by Verdasys.