According to the Commission of the Theft of American Intellectual Property, a U.S. advisory group, the theft of intellectual assets is estimated to cost U.S. businesses more than $300 billion annually.[1] Increasingly, American companies are facing persistent threats to the integrity of their business activities and are grappling with how to stem the erosion of their value due to commercial espionage perpetrated by foreign and domestic actors. In addition to the harm this causes the affected firm, these thefts also contribute to American job loss and a decline of the U.S. economy as captured in GDP terms. In some cases, this has resulted in the permanent ceding of American ingenuity to rivals who are not only stealing the intellectual property (IP), but also counterfeiting it and adapting it to foreign markets by focusing on low-cost positioning and mass consumption, subsequently evolving into market disrupters in their own right.
These challenges are consistent and costly. Since 2010, cyber espionage attacks for the purpose of stealing American intellectual property have risen 38%, with the average cost to the victimized firm representing approximately $8.9 million per year.[2] And with an estimated 80% of corporate value tied to these intangible assets,[3] the potential for extraordinary loss is evident.
So what should U.S. companies do to protect themselves from this threat? Although defensive measures such as firewalls or anti-virus solutions are popular investments for securing intellectual property, relying on them ignores the fact that vulnerability emanates from other access points into an organization. In an age of growing and sophisticated attacks, particularly the state sponsorship of IP theft through cyber and insider threats, firms must ensure security investments are diversified across their entire business enterprise.
But what does that mean? It is not to say that security investments in specific components of an enterprise do not provide protection. They can. The problem is that a single-faceted approach is insufficient and incomplete.
Take, for example, security boutiques specializing in cyber defense (and offense). These firms will gladly sell their products and services as the panacea for total security and protection, but vendors specializing in these services tend to offer a reactive approach rather than a proactive one and focus only on domain-specific areas of an organization. Most times, their services are utilized only after a security incident has already occurred and an erosion of value, innovation, and reputation has already been inflicted. Introducing additional infrastructure may also create more complexity, as well as data that may inevitably be left unanalyzed and uncorrelated with threats entering through other ingress points into the enterprise. Although application behavior, system performance, user actions, malware activity, APT, and other deceptive activity are critical data streams in any post-incident assessment, a cyber-centric approach to security such as this cannot corroborate vulnerability from elsewhere within the organization, and it lacks the fundamental philosophy that a proactive and holistic methodology could have prevented an incident from occurring in the first place.
For companies that rely on ‘in-house’ personnel to meet their security needs, the basic problem remains the same. Although some organizations prefer this solution due to a fear of revealing vulnerabilities to outsiders, these personnel tend to focus only on diagnostics, forensics, and security monitoring. Oftentimes, and because of the nature of their employment, these staff members may not be able to offer an objective assessment and lack the true investigative and analysis expertise to ‘connect the dots’ across the entire enterprise.
For this reason, instead of focusing on security solutions in just one component of an enterprise, the more prudent approach to enterprise security is a holistic intelligence program diversified across the entire organization practiced by the right experts. This can offer a trusted way for firms to protect their intellectual assets and other sensitive data in an age of sophisticated threats. “We are suggesting that a ‘big picture’ approach to security is a better way for organizations to understand their threat landscape,” said Mark Lopes, TSC’s Director of Enterprise Security Intelligence.
Holistic Security: A Deeper Look
At TSC, we define holistic security as encompassing six basic functional units and processes of an organization: Mobility, Data Security, Physical Security, Insider Threats, and Internal/External Business Operations, which includes joint venture and supply chain risk management. It is based on the premise that so-called ‘isolated incidents’ of vulnerability occurring in one area of a business should be juxtaposed with structured and unstructured data being produced from other areas as a means to more deeply understand and identify threats and possibly corroborate other vulnerabilities and negative trends using similar methodologies. So what can these isolated incidents look like? The example below demonstrates how four separate incidents, when interpreted holistically and proactively, could have helped skilled experts understand the nature of a threat directed against a company’s valuable data.
Isolated Incident #1:
The IT Department observes Employee #1 trying to gain access to a folder for which he/she lacks permission. This folder contains sensitive information on a prototype development not yet introduced to the market. A week later, this same employee is observed running a scan of the company’s internal network. When IT staff notice this activity, they confront the employee; however, a reasonable explanation is provided and no subsequent action is taken. This information is not shared with any other department within the company.
Isolated Incident #2:
The office manager notices Employee #1 working late hours, an irregular and seemingly unnecessary activity given this employee’s position and job title. Late one evening, Employee #1 attempts to leave the building with a bag containing folders labeled, “proprietary.” When the office manager questions this activity, the employee offers a frantic apology and a plausible explanation. Accepting this response as legitimate, the office manager does not share this information with anybody else inside the company.
Isolated Incident #3:
A different employee, Employee #2, travels overseas to attend a meeting with a foreign partner on a joint venture (JV) opportunity. During the trip, the employee travels with both his smartphone and a company laptop containing proprietary information. This is because the employee’s company did not establish security policies and procedures covering Mobility, which covers Bring Your Own Device (BYOD) and foreign travel. Additionally, on more than one occasion, Employee #2 accesses his company’s network from the partner’s internal network. Not thinking anything of it, Employee #2 does not mention this activity to any of his colleagues upon his return.
Isolated Incident #4:
At lunch on a Monday morning, colleagues learn Employee #1 just returned from a weekend trip overseas. When asked about it in detail, the employee offers a hurried and confusing explanation about a ‘weekend getaway’ that appears to conflict with this person’s established lifestyle pattern. Later that day, colleagues learn that Employee #1 traveled with numerous company thumb drives and disks, more evidence of unusual behavior for a traveler supposedly on vacation from work. Over time, colleagues begin to notice Employee #1 exhibiting unexplained affluence. For example, they observe him driving a brand new car rather than the more modest vehicle he usually drives. When asked by a colleague, the employee states sheepishly that the car was a gift from a distant relative. Without additional information confirming suspicions, the issue is dropped and this information is not shared with anybody else inside the company.
As individual data points, the preceding incidents could be interpreted as mundane and ordinary. But if these events were documented, and if they were correlated and analyzed proactively by the right experts with information collected from other departments, certain patterns could begin to emerge that would confirm the presence of holistic vulnerability emanating from Insider Threat and Mobility, and possibly prevent the threat from materializing in the first place. Whereas Employee #1 was demonstrating the behavior of a classic malicious insider, Employee #2 served as an example of the need for organizations to codify security policies and procedures relating to Mobility and the role employees must play in safeguarding critical information.
“It takes the right professionals with the right backgrounds to be able to correlate, analyze, and investigate the types of complex and disparate data sets that ultimately serve as potential threat indicators to companies,” said Sean Doherty, President of TSC. “This is our core competence.”
TSC Threat Vector Manager™
As an innovator in enterprise security intelligence, TSC specializes in the protection of intellectual assets and trade secrets using this unique holistic approach and other innovative techniques. Using its patented Threat Vector Manager™ (TVM™) platform, TSC experts integrate and correlate an array of internal and external data sets from six fundamental domains and provide actionable recommendations to fix problems across an enterprise while delivering ongoing vulnerability protection. Based on the threat vectors being investigated, TVM™ establishes baseline threat and vulnerability metrics and creates a threat assessment review. Actionable recommendations are then created to mitigate identified threats, and a plan for delivering ongoing intelligence to prevent future losses is developed.
Some additional benefits of TVM™ include:
- Secure intelligence delivery of holistic threat vectors via a customizable Executive Dashboard based upon desired priorities
- Visualizations to quickly and effectively communicate the level of activity and risk
- Provides an overall assessment of client-specific risk that measures maturity of policy, procedure, and governance supporting on-going defense of clients’ most valuable assets in conjunction with critical business needs
- Streamlines policy and procedure development and focuses on the most impactful areas
- Informs resource allocation based upon risk sensitivity and exposure
In an era of sophisticated threats, intellectual asset and trade secret protection is best achieved through a holistic approach utilizing trusted intelligence methodologies practiced by the right experts. Based on business priorities, available budget, and resources, TSC offers cost-effective and comprehensive security programs necessary to find, fix, and protect critical security vulnerabilities. “Failure to address the challenge of trade secret theft costs industry billions of dollars each year,” said Pamela Passman, President and CEO of CREATe.org, a leading non-profit dedicated to helping companies, suppliers, and business partners reduce piracy, counterfeiting, and trade secret theft. “[It] can have devastating reputational, financial, and legal impacts for individual companies and the global economy as a whole.”
About the Author
Armond is a Senior Threat Specialist at TSC and is based in Washington, D.C. He joined TSC in 2011 and has managed global projects as well as specialized training and awareness programs focusing on threat analysis and intellectual asset protection for both the private and public sector. He holds a Master’s degree from the Fletcher School of Law and Diplomacy at Tufts University and a Bachelor’s degree from the University of New Hampshire.
About Tailored Solutions and Consulting (TSC)
TSC, an innovator in enterprise security intelligence, specializes in the protection of intellectual assets and trade secrets. Employing a holistic approach, TSC identifies and protects organizations’ critical and valuable intellectual assets against insider threats, supply chain risks, cyber security vulnerabilities, mobility, and physical security risks. Using patented methodologies through its Threat Vector Manager™ framework, TSC leverages its analytical and investigative expertise, diverse language skills, and global experience from work in the public and private sectors to provide customized solutions to members of the Fortune 500, innovative start-ups, and the public sector. For more information, please visit us at www.tscadvantage.com.
1. The Securities and Exchange Commission is currently reviewing its guidance to companies on regulatory disclosure obligations, as companies who have been the victims of cyber attacks and other events with potential for value degradation are either not reporting or underreporting their victimhood in their annual filings. Nowhere was this more evident than in the case of Coca-Cola. In this example, the cola giant experienced a significant data breach in 2009 at the hands of Chinese hackers who successfully pilfered intelligence information on the brand’s attempted $2.4 billion acquisition of juice manufacturer China Huiyuan. It was not until years later that Coca-Cola officials publicly revealed this information.
2. Source: Ponemon Institute report entitled “2012 Cost of Cyber Crime Survey: United States.”
3. Source: Tauriq Keraan, “Rembrandt in the Corporate Attic: Extracting Maximum Value from Intellectual Assets,” Deloitte, 2010.