A company's cyber security plan can make all the difference in protecting against a data breach, but when a record 60% of all data breaches are internal, it can be hard to know who to trust. In this article, we will go through potential approaches you can take to protect your company's confidential and intellectual property.
Last year, there were over 4,145 publicly disclosed breaches that exposed over 22 billion records. This means that your company’s critical data, confidential information, and intellectual property are more vulnerable than ever before. Today, hackers go after anything they can find, looking for data they can monetize, whether by extorting you or by selling it to an outsider.
Company confidential information covers a broad range of areas including sales and marketing plans, anything IT network-related, internal memos, letters sent to clients and business associates, H.R. information, and pretty much anything you wouldn’t want someone outside the company to have access to.
Intellectual property in business relates to one-of-a-kind original works including documents, software, hardware designs, and formulations that can be used by the owner, or licensed for use by a 3rd party. An example of intellectual property could be a new cancer therapy involving gene therapy, or the design of a rechargeable battery that uses a never-before-used chemistry.
By definition, Title 19 of the U.S. Federal Code states that confidential business information is privileged information, classified information, or specific information (e.g., trade secrets) of a type for which there is a clear and compelling need to withhold from disclosure.
An important stipulation of company confidential information is that you make a reasonable effort to keep this data secret. That extends not only to your own internal employees but to any 3rd party.
You also need to make a reasonable effort to maintain secrecy through vendors associated with your business. Clearly written 3rd party business agreements coupled with mandatory 3rd party assessments are best practices that will help protect your sensitive information. Failure to do this could make it difficult to sue your 3rd party for a data or intellectual property theft or spill that they may be responsible for.
The confidential information you have comes in different forms:
Commercial information includes anything that provides an advantage over the competition. The general rule: anything the competition does not know that gives you a competitive advantage. This can be information covered by a confidentiality agreement/NDA (non-disclosure agreement).
Most companies store this information in a digital format. This could be PDF documentation, Word, Excel, or PowerPoint files, or file types designated for specific programs such as CAD (in the case of engineering prototypes). If you store your information on hard drives or the cloud, it is at risk of being stolen.
There are numerous ways that a hacker or insider can steal trade secrets.
Most employees may not realize that certain information could be valuable to competitors, and the most common way they give access to cyber criminals is by falling for phishing scams.
In other cases, they may have a weak password that a hacker can guess. Having a strong password policy, including a forced 60-day password change, lessens the likelihood that this will occur. Employee awareness training is another essential practice in keeping your confidential information safe. Your employees should be educated to know the best practice in every situation, and how to respond in case an issue occurs.
Remote work creates even greater security risks, as remote workers are often using their personal machines for company business that involves sensitive information. One policy to enact and enforce is that remote workers not store any company information on their personal machines. Also, remote workers should only be allowed to access company systems via a 2-factor authenticated private VPN.
The easiest way for an employee to steal data is to email that data elsewhere. Such was the case for GlaxoSmithKline and Eli Lilly, where all it took was a few emails for employees to exfiltrate sensitive information.
The possibilities don't stop there. They could insert a USB flash drive or portable hard drive to copy over the data. The solution to that scenario is to lock down and deactivate USB ports of company-owned equipment at the Active Directory level.
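One way to apply the Active Directory lockdown described above, as an added example that is not JANUS's own code: a Group Policy Object that denies all removable storage classes on domain workstations, plus a check that a given client actually received the setting. The GPO name, OU path, and function name are assumptions; the registry key is the one written by the "All Removable Storage classes: Deny all access" policy.

```powershell
# Added example (not JANUS's code). Assumes the GroupPolicy RSAT module is installed,
# you have rights to create and link GPOs, and $TargetOU is replaced with your own OU.
Import-Module GroupPolicy

$GpoName  = 'Block Removable Storage'              # assumed GPO name
$TargetOU = 'OU=Workstations,DC=example,DC=com'    # placeholder OU

# Registry key written by Computer Configuration > Administrative Templates >
# System > Removable Storage Access > "All Removable Storage classes: Deny all access"
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny removable storage on company-owned devices'
}

# Deny_All = 1 blocks read and write for every removable storage class
# (USB mass storage, CD/DVD, WPD devices); USB keyboards and mice are unaffected.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the workstation OU (ignore the error if the link already exists)
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Audit helper (assumed name): after 'gpupdate /force' on a client, confirm the
# policy value is present there. Returns one object per machine with a Blocked flag.
function Test-RemovableStorageBlocked {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        $v = (Get-ItemProperty -Path $p -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Deny_All = $v
            Blocked  = ($v -eq 1)
        }
    }
}

Test-RemovableStorageBlocked
```

Run the audit function against a sample of machines after the next policy refresh; any machine reporting Blocked = False either sits outside the linked OU or has the policy overridden by a GPO with higher precedence.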
It is essential to understand what your vulnerabilities are, and where they lie. Undertake a comprehensive vulnerability assessment through a 3rd party cyber security expert like JANUS. This assessment will clearly show what issues exist, their severity, and how best to remediate them. Closing your security gaps will help prevent employees and hackers from accessing and stealing your organization’s confidential information and intellectual property.
Using the JANUS approach allows you to customize a solution to your specific circumstances. This is a team effort that couples industry-recognized and JANUS proprietary methodologies along with proven best practices to mitigate the risk of data exfiltration. The JANUS approach is all about making your business strong and resilient in the face of an ever-hostile cyber security environment.
Many companies fail to implement basic cyber protection like:
As previously mentioned, having strong password policies in place is a good starting point. Using two-factor authentication is rapidly becoming a worldwide cyber security standard in all operational sectors and a requirement for procuring cyber insurance.
Although more complicated and costly, encryption of all information, in transit and at rest, is another good method of protecting your data. A VPN for remote employees connecting to your company network should already be standard for your organization; if not, now is the time to deploy it. Block any traffic that does not route through your private VPN.
End-to-end encryption of email helps to prevent email data theft; email filters, firewalls, and other readily available technologies minimize the risk that data makes it to competitors, cyber criminals, or nation-states.
Equally important is to limit access to all sensitive information. Mark documents as confidential and set strict rules/permissions via access control about who can access them. All data on your systems should be available on a need-to-know basis to minimize unauthorized access from internal and external parties.
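The need-to-know access control described above, applied to a confidential file share, as an added example that is not JANUS's own code: inheritance is broken so broad grants from the parent share do not leak in, a reader group and an owner group get only the rights they need, and an audit function lists who can still reach the folder and flags overly broad principals. The folder path, group names, and function name are placeholders.

```powershell
# Added example (not JANUS's code). Placeholders: replace the folder and AD group names.
$Path        = 'D:\Shares\Confidential'          # placeholder folder
$ReaderGroup = 'EXAMPLE\Confidential-Readers'    # placeholder AD group (read only)
$OwnerGroup  = 'EXAMPLE\Confidential-Owners'     # placeholder AD group (edit, no ACL changes)

$acl = Get-Acl -Path $Path
# Stop inheriting and discard inherited entries, so a grant such as
# "Domain Users: Read" on the parent share no longer applies here.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Keep Administrators and SYSTEM so backups and management still function
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $none, $allow)))
}
# Readers may open files; owners may edit, but neither may change permissions
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReaderGroup, 'ReadAndExecute', $inherit, $none, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $OwnerGroup, 'Modify', $inherit, $none, $allow)))
Set-Acl -Path $Path -AclObject $acl

# Audit helper (assumed name): every ACE on the folder, with a TooBroad flag for
# catch-all groups that defeat need-to-know.
function Get-ConfidentialFolderAccess {
    param([string]$FolderPath)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'
    (Get-Acl -Path $FolderPath).Access | ForEach-Object {
        $id = $_.IdentityReference.Value
        [pscustomobject]@{
            Principal = $id
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            TooBroad  = [bool]($broad | Where-Object { $id -like "*$_" })
        }
    }
}

Get-ConfidentialFolderAccess -FolderPath $Path | Format-Table -AutoSize
```

Schedule the audit function across all confidential shares; any row with TooBroad = True, or an Inherited = True entry on a folder that is supposed to be protected, is a gap to close.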
With cyber-attacks increasing in severity and frequency, there's no better time to put a system security plan into practice. Failure to implement proper cyber protection is inviting a data loss or spill which can lead to serious financial losses, legal ramifications, declination of a cyber insurance claim, and reputational damage. Download the JANUS Guide to Insider Threats and learn more about how you can minimize your downside risk and protect your operations.
For 33+ years, JANUS Associates has helped hundreds of government agencies, commercial entities, critical infrastructure operations, educational institutions, and not-for-profit organizations protect their infrastructures, data, clients, and employees. Our decades-long experience has allowed us to achieve deep expertise in every specialty and operational sector, including yours. We are friendly, nimble, and flexible; we listen well and always focus on what's best for your business.
Contact us to find out how a team of affordable professionals can help you secure your organization and meet your regulatory compliance goals.