Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report [PDF link] by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?
Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn't getting enough attention in data breach reports--intellectual property (IP).
As records show, stealing PII (credit cards, social security numbers, and so on) used to be big business for cybercriminals. Then it started to get a bit harder for hackers to get PII because overall awareness increased as more regulations were passed and organizations started to invest in information security solutions. Verizon's Data Breach Investigations Report states, "Our leading hypothesis is that the successful identification, prosecution, and incarceration of the perpetrators of many of the largest breaches in recent history is having a positive effect." Researchers also suggested that there are fewer hackers and the threat they pose is losing prominence. I believe protection enforcement is a factor in the reduction of PII theft, but I don't believe there are fewer bad guys out there. In fact, quite the opposite: The threat has never been greater than it is now.
The next big thing is stealing IP, which includes product designs, secret formulas, and other trade knowledge. It's what organized cybercrime, state governments and hackers are all going after. Why? Mostly because of the value of the data. One stolen manufacturing process can be worth millions in saved development costs or billions in market share.
Not protecting IP is a huge mistake for companies and countries alike. Intellectual property is what makes modern nations competitive in the world economy. It fuels innovation and development, and it keeps you ahead of the competition.
What do CSOs think? More than 70% of the CIOs and CSOs I spoke with last year said their IP is under attack. Yet only 30% of them have data-loss prevention (DLP) tools in place. And most of them do not have software to protect their data in the cloud or on mobile devices, which are the two big new blind spots that they need to worry about.
Why IP Loss Isn't Making Headlines
First, no one is making companies disclose IP loss. When PII is exposed, laws such as HIPAA and HITECH demand companies disclose that information, but no similar laws exist for IP loss. Only the SEC has come out and said that if IP is stolen and that could have material financial impact on your company, you should disclose that. For example, if a competitor in China gets your IP and could manufacture a similar product, you should disclose that.
Second, companies often have no idea when their IP is compromised. When credit card numbers and other PII is hacked, you tend to find out quickly because the bad guys make money on the breach. They quickly sell the credit card information on the black market, and that data gets used. At that point, the banks know the card numbers were stolen and the forensic trail leads back to the hack. Most companies know the importance of protecting PII and have controls to prevent and detect hacks. But IP is perceived as harder to protect and hasn't been a major focus for companies. The reality is that IP is the hottest target for cybercriminals, your competitors and malicious employees. It will only get worse.
Third, the bad guys know how to sidestep traditional defenses. They use a common blind spot in most companies' defenses--SSL. Most anti-malware security solutions don't look out for man-in-the-middle attacks decrypting the SSL traffic coming into the network. SSL accounts for up to 50% of Web traffic, and criminals know that most IT security systems do not inspect it.
Fourth and finally, DLP software isn't being used to its fullest potential. Most companies aren't looking at the SSL traffic, but as services such as Gmail move to automatically send all traffic to SSL, this becomes more of an issue. If you don't inspect in SSL, your DLP solution is giving you a false sense of security.
Four Ways to Protect Your IP
We need to protect our most valuable asset, IP, from criminals' attempts to steal and subvert it. This is one of my focus areas, and here are three steps I recommend for better protecting your sensitive information:
1. Get DLP, but forget the endless discovery process. Gartner Research says that about 30% of companies have DLP and another 30% are considering it. But the massive "discover everything" process that vendors often recommend is ridiculous. Here's all you need to do to get started: Understand what IP is the most valuable 1 or 2% and protect it accordingly. I care less about where every nugget of information is than I do about the crown jewels.
2. Educate your teams on the right practices for handling this data. Again, this is about the 1 or 2% that's the most valuable data you have. Work with the people who have access to this data, including the Board of Directors and engineers. Talk to them about how to handle this data and set good controls for admins. Eliminate admin rights on desktops. Then reinforce the training through mock social engineering attempts and penetration testing. I use sites like PhishMe.com. There are good companies out there that can help you with this and measure the success of your education efforts over time.
3. Reinforce your education with technology. In addition to DLP, you need a few must-have protections for securing your top data. You need to be able to monitor your two biggest communications channels (Web and email) for outbound data and you need to be able to stop it in its tracks. (Disclosure: Yes, this is what my company's products do.) Identity- and access-management tools are increasingly useful for ensuring that data doesn't fall into the wrong hands. And using security information and event management software with a solid log-management tool (that you actually pay attention to) can help you identify suspicious behavior and follow it all the way through to remediation of the threat. Be diligent here, and add your findings to training materials. Because while the reporting features of these tools are getting better, you still need to have highly trained eyes regularly analyze the output to ensure that you are truly protected.
4. Focus on your blind spots. Your biggest IP data blind spots are
-- on your mobile devices,
-- in cloud services,
-- and in SSL traffic.
Make sure to pick a strategy and solutions that can give you visibility into these areas as more and more of your data moves off your controlled network. Don't forget to include consumer cloud services such as Dropbox and Box.net.
It's Time to Pay Attention to IP
In early 2011, Nasdaq's director's desk was hacked. Imagine how much money cybercriminals could make if they had visibility into your company dealings the way they did with that breach. The Nasdaq hackers could have made billions by trading with this insider information, which is far more than they could have made stealing credit card numbers.
Think about your company's crown jewels. How much would your company lose if its IP was stolen by a competitor overseas, where IP protection isn't enforced? The trend of hackers going after IP is just getting started and will grow rapidly in the next two years. But there are ways you can protect your IP and save your company serious headaches. Feel free to contact me on LinkedIn to discuss this in more detail. If you have questions or want to connect and network, drop me a message.
Jason Clark is CSO of Websense.
This story, "4 keys for IP protection" was originally published by CSO.