Nearly a decade ago, a disgruntled chemist in Valspar’s largest laboratory walked off with 44 gigabytes of the paint manufacturer’s most valuable trade secrets—intellectual property that had been developed through years of research. Once they discovered the loss, company officials quickly alerted the FBI, whose agents arrested the thief just before he boarded a flight to Shanghai.
Though Valspar didn’t lose its valuable IP to Chinese competitors, victims of the thousands of data breaches that have occurred in recent years aren’t always as fortunate. While the total number of cybersecurity incidents dropped slightly in 2017, the damage they cause, measured in both data and financial losses, has risen. A single cybersecurity event cost enterprises an average of $884,000 in 2017, up from $471,000 in 2015, according to the 2017 U.S. State of Cybercrime Report.
What can organizations do to protect sensitive digital information? A lot, beginning with the basics, according to a panel of experts who discussed the topic of guarding digital assets as part of Microsoft’s Modern Workplace webcast series.
Block Human Intelligence
The two most common ways in which information is stolen today are human intelligence—IP theft or classic espionage—and signal intelligence, accomplished by hacking or cyberattacks, according to Evan Anderson, CEO of INVNT/IP, a global consortium working to reduce nation-sponsored theft of intellectual property. About 80% of breaches result from human intelligence, Anderson says.
One immediate way to address these threats is to hire cybersecurity experts to secure digital assets, an effort organizations often skimp on, Anderson says. “If you’re not doing that, you are essentially sitting in an open bank with no security,” he says. “Cover those bases; that’s critical.”
Longer term, organizations must come up with an economic plan that provides disincentives to theft, particularly in cases of a nation state stealing valuable IP to get ahead in the open market.
Implement Basic Hygiene
Every organization needs to practice basic security hygiene, says Curtis W. Dukes, EVP and GM of Security Best Practices & Automation Group. “For every asset in your enterprise, know what the configuration of that asset is,” he says. That process includes benchmarking and implementing critical controls, including six fundamental ones developed by the Center for Internet Security (CIS).
To be better stewards of your organization’s digital property, Anderson suggests managers take three primary steps: connect with local law enforcement such as the FBI; connect with security-focused industry groups; and have a contingency plan in place. “When [an attack] does happen, you need to know what you’re going to do,” he says.
Dukes says it’s up to the corporate board to know what their key digital assets are and where that information is stored in the enterprise. To do that, “get behind a cybersecurity framework like NIST [National Institute of Standards and Technology],” he says. “You need to have an incident response plan. It’s not if you’re going to be attacked, but when.”
For Andrew Ubel, who was the Chief Intellectual Property Counsel at Valspar during its IP theft, the lessons were hard-won. “We were operating under a false premise that all our [sensitive] data was in a database where access was logged and controlled,” says Ubel, now the CEO of CyberWorks. “And that’s not how our employees were using the formulas. … A couple hundred chemists were all putting their work in a common repository; it was a recipe for disaster.”
Ubel is also a fan of NIST’s framework that spells out a plan to protect digital assets: identify, protect, detect, respond, and recover. “If you cover response before you need to, you’ll be better off,” he says.
To learn more about keeping your digital assets safe, watch the Modern Workplace episode, Information protection: guarding your digital assets.