With online threats becoming more ubiquitous and damaging, it may be time to re-think how you protect sensitive data such as intellectual property (IP).
Addressing network and system security weaknesses can go some way towards protecting sensitive information, but data loss prevention techniques should also be considered to help protect data in the event that it is stolen or lost, according to BAE Systems Applied Intelligence.
The increasing list of significant breaches around the world has made companies aware they must take steps to mitigate the risks posed to their critical information assets.
IP, including creative content, saleable commodities and design details, now sits on corporate risk registers, having been identified as critical to ensuring organisations maintain consumer trust and stability in today’s uncertain economic climate, says BAE Systems.
Motivated groups looking for financial gain, including suspected state-sponsored groups, industry competitors and criminals, are carrying out online attacks aimed at extracting IP for their own gain or to disrupt competition.
No company, regardless of size or industry, is immune, BAE Systems says.
Adrian Blount, BAE Systems director cyber solutions ANZ, says, “IP theft can result in substantial commercial losses and, in some cases, may even put lives in real danger if critical infrastructure is compromised.
“The secondary impacts of data loss events, such as reputational damage, legal action or regulatory intervention, can continue to manifest themselves well beyond the incident response and clean-up period.”
However, despite the risks, few organisations consistently and effectively identify and protect all of their IP, the company says.
The commercial reality is that security controls cost money and companies must find the commercial balance between the cost of implementing a control and the consequences of a successful attack, according to BAE Systems.
Although there is no single solution to safeguarding IP, some security solutions and products are maturing and simplifying the task of tracking and controlling usage of digital assets, the company says.
BAE Systems says data is generally divided into three groups: data in motion (DIM), such as data being transmitted across a network or via email; data in use (DIU), such as data presented within an application; and data at rest (DAR), such as data stored in a database or file repository.
While there are many examples of data loss in each of these groups, by far the most common is DIM, particularly data contained within emails.
Therefore email data loss prevention (DLP), involving content filtering policies and the blocking, encrypting or flagging of emails containing suspicious or sensitive data, is a necessary ingredient of any data protection strategy.
Companies can use DLP measures to prevent and detect the use and transmission of data such as financial information, sensitive documents or intellectual property.
From a compliance point of view, this can help companies comply with regulatory requirements around credit card data transmission or protected health information, for example, BAE Systems says.
While trying to prevent the leakage or loss of sensitive data is important, it is a requirement of doing business that sensitive data is exchanged with business partners, customers, shareholders and a range of other entities.
Using encryption technologies to protect these data transfers can ensure that a message falling into the wrong hands doesn’t have to mean its content is exposed, the company says.
“Email encryption ensures privacy of sensitive communications, meaning you can send sensitive data to trusted parties securely. New technology allows messages to be automatically encrypted based on policy, or on demand,” says Blount.
Historically, email encryption has been cumbersome to implement, requiring complex public key networks to underpin it. This has limited its uptake due to the burden it places on end users, he says.
“To ensure ease of use doesn’t put people off using email encryption, it is important that both senders and outside recipients don’t need unmanageable keys, add-ons or external programs; allowing recipients to read and reply through a simple and secure web-based interface overcomes this,” he says.
“It is inevitable that we will see further attacks on, and new vulnerabilities in, the defences we put in place today.
“However, having systems in place to protect your data and flag suspicious activity can go a long way to giving you peace of mind,” Blount says.