Light Dark
October 5, 2017 By David Monahan 4 min read
Data Protection
Risk Management

As organizations march into the digital age, data sprawl is accelerating. Information of all kinds is stored everywhere, accessed by multiple people many times a day and shared across corporate and international boundaries. Most organizations do not have a handle on data locations, ownership and flows outside of regulated or compliance-related information. Though this information is critical, other data can lead to corporate ruin if deleted, modified inappropriately or shared with the wrong parties.

The Intellectual Property Security Problem

There are terabytes of intellectual property and private corporate data that, if exposed, could impact careers, business reputations and bottom lines. For example, in 2014, Sony lost a high volume of data valued at well over $100 million, with executives being fired and stars refusing to work with the entertainment company. The next year, cybercriminals stole $160 billion worth of intellectual property from Codan, an Australian manufacturer of metal detectors, which was then used to produce counterfeit products.

Organizations can no longer afford to put off getting their information under control. According to a McAfee study titled “Net Losses: Estimated the Global Cost of Cybercrime,” corporate espionage accounts for more than $445 billion lost across the world in 2014.

Download the executive guide: Protecting your company’s most critical information

Creating a Data-Centric Risk Management Program

Though intellectual property security may seem like an insurmountable problem, it isn’t. Organizations can shift the paradigm by embracing a continuous, systematic approach to managing their data. Failing to be systematic can leave data undiscovered and thus unprotected. Failing to be continuous can at best cause gaps and, at the worst, allow data management to regress into its previous unmanaged state.

Organizations should take the following steps to secure their intellectual property.

  1. Start small, build success and then expand. The task of securing all your data at once is insurmountable, but doing it one byte at a time is the key to success. Each organization has common-use data dumping grounds. Start with a few of the smaller ones and work your way up.
  2. Locate data repositories. Information is everywhere, and you will ultimately need the right tools to find both structured and unstructured information. Starting small allows you to manually create business requirements for the tools you will need to do it on a larger scale and a continuous basis.
  3. Identify data owners and custodians. Every piece of data needs an owner and/or custodian to determine its importance to the business, who needs access to it, how it should be handled and where it should be stored. These are the people responsible for creating policies around the data. Security and IT departments merely implement the policies and should not be held responsible for determining what policies apply to which pieces of data.
  4. Learn how to classify and tag data. This part of the process helps the organization understand the various types of data it has and which data is most important. This creates the foundation for the risk profile and security policies for each type.
  5. Map data flows in processes and applications. These two exercises are related, but not exactly the same. A process may use an application, and thus a handoff is mapped. But information owners should also know what all the applications in their environments are doing with the data for processing, storage and transport.
  6. Create a risk profile for data. Now that information is located, access is understood, and workflows and processes are mapped, risk profiles can be created for the information.
  7. Adjust the information security policies for data. Once the risk profiles are known, the data owners must work with IT and security teams to create the new policies for the data. Identify which applications and users no longer need access and which business processes need to be updated.
  8. Appropriately adjust access, business processes and application flows. Now that policies are complete, the projects to make changes should be created and prioritized based on the risk levels of each identified issue. A key to this is to intersperse the short- and long-term projects to create a few quick wins upfront. This creates an initial positive impression that will help management understand the importance of the program and operations personnel maintain momentum to complete the larger and longer-term projects.

As organizations become savvier in their data-centric risk management programs, business leaders need timely information to gain visibility into the data. Only with accurate insights can efficient controls be created to protect organizations from very real security risks. These insights cannot be gained by a manual effort.

To accomplish both the intelligence gathering and the data security project implementation, security professionals should look to adopt a toolset that will meet the project’s goals and requirements. An effective tool should have the capability to:

  • Locate data across internal and external repositories.
  • Provide continuous visibility into data repositories.
  • Create early visibility into potential risks to sensitive data.
  • Identify specific, high-value, sensitive data at risk from internal or external threats.
  • Provide a complete view of sensitive data in terms of processes, procedures, application access, compliance and ownership.
  • Deliver easy-to-understand dashboards to facilitate conversations, improve business processes and mitigate risks.

Protect Your Crown Jewels

The road to a data-centric risk management program is not easy, but it is well worth the effort. Creating a programmatic approach to data risk means that the practicing organization will have, at minimum, better-protected data as well as an overall reduction in redundant data and business risks. The projects will surely uncover multiple problems in human and application workflows, ranging from fairly small issues needing only incremental improvement to systems that require major overhauls. Such an intellectual property security program can help organizations streamline processes to fend off data thieves and protect their crown jewels.

Download the executive guide: Protecting your company’s most critical information

 |  |  |  |  |  |  | 
David Monahan
Managing Research Director for Security and Risk Management, Enterprise Management Associates

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature