Last week I read 3 stories where serious damage has been done to very advanced, tech-savvy organizations who are losing intellectual property to their competitors. As a business leader, you may find yourself wondering if this is happening to your own IP and, perhaps more importantly, how you can avoid it.
Organizational Awareness: Sure, your business may not be curing cancer or developing self-driving cars, but I’m confident there is something that keeps your customers coming back that you wouldn’t want your competition to know or have. Do you know what data is critical to your business? If not, I’d figure it out quickly.
Location, Location, Location: Assuming you have that ‘one thing’ identified, it’s imperative to know ‘where’ it lives. For those of you who think your secret sauce is locked away in your public or private clouds, I’m sorry to tell you that you are flat wrong. It’s all over the world on your organization’s mobile devices, file sharing services and in some cases your employees’ significant others’ laptops. If you don’t have a formal classification process, consider one.
AUP: If you’ve been having your employees sign the same acceptable use policy for the last decade, it’s probably time to refresh it. Times have changed, and references to improper use of facsimiles may need to be refreshed. SANS provides some good swim lanes here if you want a baseline to work from. Remember to include additional addendums for knowledge workers with access to particularly sensitive information while making sure their security awareness training is elevated.
Retribution, not really: You can’t get blood from a stone and while Tesla is suing Cao for taking some 300,000 files of autonomous driving related software, it’s too late. While it may bring satisfaction to the prosecution to watch the perpetrator sit in a federal prison for 10 years, your competitive advantage has potentially been lost.
In summary, we at Katalyst are often engaged after it’s too late and find many of our soon-to-be clients suffering irreparable harm. In order to prevent this from happening to your business, here are a few measures that you can take if you are in the early stages:
Understand: Talk with your LOB leaders and understand what’s important to them from a data / risk perspective. I assure you that if you take this step, your eyes will be opened.
Classify: Make your data classification simple and enforce the need-to-know framework. Don’t allow personnel to know if they don’t have the need. There is great software commercially available that will trip when inappropriate access is initiated.
Enforce: As with any program, it’s only as good as the care and feeding it gets after moving into production. Internal to your organization, make sure your risk committee is aware of exfiltration and the possible harm it could do to your business and brand. Validate that your novel data enhancements aren’t being spread throughout the wild after you’ve worked tirelessly to build a program.
Just like the plumbing that can be the most challenging part of your DIY projects, if you do it right, it’s watertight.