As online threats become more ubiquitous and damaging, protecting sensitive data such as intellectual property (IP) is becoming increasingly difficult.
Addressing network and system security weaknesses can go some way towards protecting sensitive information, but data loss prevention techniques should also be considered to help protect data in the event that it is stolen or lost.
The ever-increasing list of significant breaches around the world has made companies aware they must take steps to mitigate the risks posed to their critical information assets.
Intellectual property, including creative content, saleable commodities and design details, now sits on corporate risk registers, having been identified as critical to ensuring organisations maintain consumer trust and stability in today’s uncertain economic climate.
Motivated groups, including suspected state-sponsored groups, industry competitors and criminals looking for financial gain, are carrying out online attacks aimed at extracting IP for their own gain or to disrupt competition.
No company, regardless of size or industry, is immune.
“IP theft can result in substantial commercial losses and, in some cases, may even put lives in real danger if critical infrastructure is compromised,” says Adrian Blount, Director Cyber Solutions A/NZ, BAE Systems Applied Intelligence.
“The secondary impacts of data loss events, such as reputational damage, legal action or regulatory intervention, can continue to manifest themselves well beyond the incident response and clean-up period.”
However, despite the risks, Blount believes few organisations consistently and effectively identify and protect all of their IP.
The commercial reality is that security controls cost money and companies must find the commercial balance between the cost of implementing a control and the consequences of a successful attack.
Although there is no single solution to safeguarding IP, Blount believes some security solutions and products are maturing and simplifying the task of tracking and controlling usage of digital assets.
Data is generally divided into three groups: data in motion (DIM), such as data being transmitted across a network or via email; data in use (DIU), such as data presented within an application; and data at rest (DAR), such as data stored in a database or file repository.
While there are many examples of data loss in each of these groups, Blount says that by far the most common is DIM, particularly data contained within emails.
For Blount, therefore, email data loss prevention (DLP), involving content filtering policies and the blocking, encrypting or flagging of emails containing suspicious or sensitive data, is a necessary ingredient of any data protection strategy.
Companies can use DLP measures to prevent and detect the use and transmission of data such as financial information, sensitive documents or intellectual property.
From a compliance point of view, Blount believes this can help companies comply with regulatory requirements around credit card data transmission or protected health information, for example.
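As an added illustration (not from the article or from any vendor's product), the sketch below shows how an outbound content filtering policy can arrive at the block, encrypt or flag decision described above. The domains, marker words and the mapping of findings to actions are assumptions, and the sample messages are constructed.

```python
import re

# Assumed policy values for illustration; a real deployment defines its own.
INTERNAL_DOMAIN = "example.com"
TRUSTED_PARTNERS = {"partner.example.org"}
MARKERS = re.compile(r"\b(confidential|proprietary|internal only)\b", re.I)
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return normalised digit strings that look like valid card numbers."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def evaluate(recipient, body):
    """Outbound decision for one message: allow, flag, encrypt or block."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return "allow"    # this sketch only inspects mail leaving the company
    if find_card_numbers(body):
        return "block"    # card data never leaves by email (assumed rule)
    if MARKERS.search(body):
        # Marked content may go to a trusted partner, but only encrypted.
        return "encrypt" if domain in TRUSTED_PARTNERS else "flag"
    return "allow"

# Constructed sample messages; 4111 1111 1111 1111 is a standard test number.
SAMPLES = [
    ("billing@other.example.net", "Please charge 4111 1111 1111 1111"),
    ("eng@partner.example.org", "CONFIDENTIAL: design draft attached"),
    ("someone@other.example.net", "Our proprietary roadmap for next year"),
    ("someone@other.example.net", "Order ref 1234 5678 9012 3456 shipped"),
]

if __name__ == "__main__":
    for rcpt, body in SAMPLES:
        print(f"{evaluate(rcpt, body):8} {rcpt}")
```

The Luhn check is what keeps the fourth sample, a 16-digit order reference, from being blocked as card data.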
While trying to prevent the leakage or loss of sensitive data is important, Blount says it is a requirement of doing business that sensitive data is exchanged with business partners, customers, shareholders and a range of other entities.
The use of encryption technologies to protect these data transfers can ensure that a message falling into the wrong hands doesn’t have to mean its content is exposed.
“Email encryption ensures privacy of sensitive communications, meaning you can send sensitive data to trusted parties securely,” Blount adds.
“New technology allows messages to be automatically encrypted based on policy, or on demand.”
Historically, email encryption has been cumbersome to implement, requiring complex public key networks to underpin it. Blount believes this has limited its uptake due to the burden it places on end users.
“To ensure ease of use doesn’t put people off using email encryption, it is important that both senders and outside recipients don’t need unmanageable keys, add-ons or external programs; allowing recipients to read and reply through a simple and secure web-based interface overcomes this,” he explains.
“It is inevitable that we will see further attacks on, and new vulnerabilities in, the defences we put in place today.
“However, having systems in place to protect your data and flag suspicious activity can go a long way to giving you peace of mind.”