The title of this blog is intended to foster debate and controversy, but the idea itself is hard to dispute. Over the past 10 years, state, federal, and industry regulation of protected information has increased exponentially. Companies now need to be familiar with, and comply with, 44 separate state data breach notification and data security laws, federal laws related to personal information, and industry regulation such as PCI DSS. Companies now need to understand cardholder data, numerous definitions of Personally Identifiable Information (PII), Non-Public Information (NPI), Protected Health Information (PHI), and so on. This post is not suggesting that these laws and regulations are unimportant or unnecessary; rather, it is intended to highlight the reality of business today. Companies are required to expend so much time, energy, money and other resources protecting personal information that they often lose sight of their own sensitive corporate data. This point is not lost on data thieves.
While the criminal pursuit of financial data continues unabated, data thieves and organized criminal groups are increasingly targeting corporate intellectual property. While organized groups such as the Russian Business Network and political activist groups such as Anonymous are frightening enough, the real threat is the growing specter of state-sponsored cyber espionage. In 2011, the U.S. Office of the National Counterintelligence Executive (ONCIX) released a report titled "Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011". The report identified China as the "... most active and persistent perpetrator of economic espionage." The report further states that China views economic espionage as an "essential tool in achieving national security and economic prosperity." The report continues with a frightening example of what U.S. and European companies are facing today. As stated in the report: "An emblematic program in this drive is Project 863, which provides funding and guidance for efforts to clandestinely acquire U.S. technology and sensitive economic information."
While China is certainly not the only country reported to sponsor cyber espionage, it serves as a good example of the new challenges facing companies today. Not only is personal and financial information being aggressively targeted by cyber thieves, but intellectual property is now being aggressively targeted as well. It is important for all organizations to understand that they hold critical information that needs to be protected. Whether it is personal information, financial data, or intellectual property, companies need to take inventory of what they have and ensure they take steps to protect it.
When considering a data security strategy, it is important to take a 'data-centric' approach. Too often, companies start from the perimeter of their infrastructure and focus on firewalls, intrusion detection systems, and other perimeter controls while ignoring the critical data assets themselves. This is what is frequently referred to within the security arena as having a 'hard shell and a soft, chewy center'. To protect data, it is important that you understand the "what, who, where, why, when, and how" of data within your company. What data assets does your company have? Who has access to those assets (people, applications, and services)? Where does the critical data reside? Why does your company retain sensitive data, and why do those with access need it? When is access to the critical data needed (certain hours or days)? How should access be achieved? By using these questions as the basis of a data inventory, your company can begin to gain a deep view into where and how its data is stored and used.
Next, it is important to classify the data according to its sensitivity. As an example, a company might use three tiers: public information, sensitive information, and critical information. Public information is information that poses no risk to the company if it is released. Information in this category might include press releases, marketing materials, and sales presentations. It requires the lowest level of protection. Sensitive information is information you would prefer to keep confidential, but whose release would not cause serious difficulty. Lastly, critical information (often labeled 'confidential') may include customer data, product roadmaps, financial statements and similar information that is essential to the running of the company and could expose the organization to significant harm if disclosed. Intellectual property certainly falls into that category, yet it is often overshadowed by the very public exposure of a data breach involving consumer information.
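To make the inventory questions above and the three-tier classification concrete, here is an added example (not code from the original post) of a minimal inventory record that captures the what/who/where/why/when/how of each asset, a gap check a reviewer can run over the inventory, and an access decision derived from the recorded "who" and "when". The asset names, principals, locations and time windows are constructed for illustration, and the rules in `inventory_gaps` (every sensitive or critical asset needs an owner, a location, a retention reason and a justification per grant; critical assets require MFA) are an assumed policy, not one the post prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum


class Classification(IntEnum):
    """Three tiers, as in the post: public, sensitive, critical."""
    PUBLIC = 0
    SENSITIVE = 1
    CRITICAL = 2


@dataclass
class AccessGrant:
    principal: str                 # who: a person, application or service
    justification: str             # why this principal needs access
    hours: tuple = (0, 24)         # when: allowed hours of the day as [start, end)
    method: str = "sso"            # how: "sso" or "mfa" (assumed labels)


@dataclass
class DataAsset:
    name: str                      # what
    location: str                  # where the data resides
    owner: str                     # who is accountable for it
    classification: Classification
    retention_reason: str          # why the company keeps it at all
    grants: list = field(default_factory=list)


def inventory_gaps(asset):
    """Return human-readable gaps a reviewer should close before the asset
    counts as properly inventoried. These rules are an assumed policy."""
    gaps = []
    if not asset.owner:
        gaps.append(f"{asset.name}: no accountable owner")
    if not asset.location:
        gaps.append(f"{asset.name}: location unknown")
    if asset.classification >= Classification.SENSITIVE and not asset.retention_reason:
        gaps.append(f"{asset.name}: no documented reason to retain")
    for g in asset.grants:
        if asset.classification >= Classification.SENSITIVE and not g.justification:
            gaps.append(f"{asset.name}: {g.principal} has access without justification")
        if asset.classification == Classification.CRITICAL and g.method != "mfa":
            gaps.append(f"{asset.name}: {g.principal} reaches critical data via {g.method}, not mfa")
    return gaps


def access_allowed(asset, principal, at):
    """Decide one access request from the inventory alone: public data needs
    no grant; anything else needs a grant for this principal whose time
    window covers the request (an assumed rule)."""
    if asset.classification == Classification.PUBLIC:
        return True
    for g in asset.grants:
        if g.principal == principal:
            start, end = g.hours
            return start <= at.hour < end
    return False


def request_at(hour):
    """Constructed request timestamp on a fixed sample day."""
    return datetime(2024, 1, 15, hour, 0)


# Constructed sample inventory: one asset per tier, one deliberately incomplete.
PRESS_KIT = DataAsset("press_kit", "cdn/public", "marketing", Classification.PUBLIC, "")
ROADMAP = DataAsset("product_roadmap", "sharepoint/product", "cpo",
                    Classification.CRITICAL, "drives the engineering plan",
                    [AccessGrant("alice", "product manager", (8, 18), "mfa")])
CUSTOMER_DB = DataAsset("customer_db", "rds/prod", "", Classification.CRITICAL,
                        "billing and support",
                        [AccessGrant("svc-billing", "", (0, 24), "sso")])

if __name__ == "__main__":
    for asset in (PRESS_KIT, ROADMAP, CUSTOMER_DB):
        for gap in inventory_gaps(asset):
            print("GAP:", gap)
    print("alice at 09:00 ->", access_allowed(ROADMAP, "alice", request_at(9)))
    print("alice at 22:00 ->", access_allowed(ROADMAP, "alice", request_at(22)))
```

Run as a script, the gap check reports nothing for the press kit or the roadmap and three findings for the customer database (no owner, a service account with no justification, and single-factor access to critical data); the roadmap grant is honored during the recorded hours and refused outside them. The point is that once the six questions are recorded per asset, both the review and the access decision become mechanical rather than a matter of recollection.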
The current economic, political and regulatory environment has certainly put significant pressure on companies. Protecting sensitive data has never been more important, especially now that we are witnessing state-sponsored corporate espionage and organized data theft rings that operate like businesses. Companies should include their own sensitive corporate information, not just regulated personal data, when creating a data security strategy. That will help ensure that all sensitive information, whether customer or corporate, is afforded the appropriate level of protection.