There isn't a company in existence that doesn't have trade secrets and intellectual property worth protecting. The threats may come from computer hacking or from careless end users not paying attention to processes and procedures. One does not exclude the other. Poor cyber-hygiene makes system and device compromise a real possibility.
Tim Mather of Cadence Design Systems discussed intellectual property protection during his talk "Will Your Company Be to Intellectual Property What Mt. Gox Was to Bitcoin?" at the RSA Conference Asia Pacific & Japan in Singapore in July. "Loss of a company's IP can be disastrous," Mather asserted. It can put you out of work and your company out of business. Malicious insiders or criminal attacks are the most costly data breach incidents, according to the Ponemon Institute's latest survey on the cost of a data breach. Companies have a rough ride ahead, as surveyed companies reported they expect to deal with the following on a monthly basis:
- 17 incidents involving malicious code
- 12 sustained probes
- 10 unauthorized access incidents
What Does it Mean to You?
Your company can expect to experience almost 40 cyber incidents a month. If your organization doesn't have a security strategy or plan in place, you may not even notice the field day attackers are having at your expense as they harvest data. Computer hacking is no longer the domain of script kiddies and amateurs. This bears repeating: It is not just bored kids and wannabe criminals.
Organized criminal gangs have significant resources to devote to compromising your organization if something within your control is on their "targeting bill." You and your company do not get to choose whether you are part of the targeting equation; you only get to choose whether you are going to be a hard or a soft target.
What Can Be Done?
Investing in threat and risk management processes is time well spent, and the aforementioned Ponemon report calls out that the primary root cause of data breaches is malicious insider or criminal attacks. Companies where a CISO was involved in creating and implementing a business continuity management team were, as a whole, better positioned to deal with security incidents, the report found.
What and who should be included in your business continuity management team depends on your company's size and geographic footprint. If you are a multinational with 20–100,000 employees and contractors, your team may consist of multiple levels of business continuity and incident response.
- Local incident response at the tactical level is empowered to alert the next rung up the ladder, which may be an office, district, or regional crisis management team.
- The crisis management team is empowered to assess, plan, and execute solutions addressing the regional/district/office incident response. For issues that affect the entire enterprise, they advise, and the CEO authorizes the corporate crisis management team to activate.
- The corporate crisis management team consists of the company decision-makers (or their designees), since the issue at hand affects the entire enterprise.
While this describes the crisis management and incident response flow for a large enterprise, smaller entities should at least have a plan of action designed to address a potential penetration or breach of their network. The need for a multi-tier solution may dissipate, but the need for having such a plan does not.
Companies with security-aware end users are less likely to be victims of inadvertent data loss or to be tricked into installing malware. Employees need knowledge and security awareness programs to learn; you cannot expect an employee to be aware of and understand the organization's security policies if he has not adequately learned about them.
No one wants his company or device to be a victim of computer hacking. Taking steps to identify, quantify, and mitigate risk in a manner commensurate with available resources should be every company's answer to addressing the threat to its intellectual property and its customers' data.