Keep Your Competitive Edge: Intellectual Property makes you a target

Quick Summary → A “data breach” is wider than just stolen identities and personal information. It covers the unauthorized disclosure of ANY TYPE of business data.

[Image: a pile of intellectual property documents on a table (image created by AI)]

Breach: The risk goes beyond data

Targeted theft of company data is on the increase. Changes in business practices mean that a UK SMB has a 43% chance of suffering a data breach in 2024. This increase is down to TWO factors.

1) Business reliance on online storage and cloud-based services is pushing more data beyond the business’s protection boundary.

2) Changes in work practices mean users want 24×7 access to sensitive data, and they want that access from anywhere.

Intellectual Property (IP): Business data containing proprietary business information

Proprietary data is the lifeblood of most businesses. The value of core IP and intangible assets can account for 50% or more of a company’s overall worth.

Commonly targeted data includes:

    • Intellectual property: trade secrets, patents, copyrights, source code, design, algorithms, R&D.
    • Client data: names, contact information, purchase history, demographics, customer lists, marketing data, price lists.
    • Financial data: bank account details, credit card information, financial statements, invoices.
    • Employee data: salary information, benefits, performance reviews, etc.
    • Internal communications data: information and notes from confidential meetings.


The potential consequences of stolen business data can include:

    • Financial loss: lost business opportunities, lost competitive advantage, fraud, or extortion such as holding information to ransom.
    • Reputational damage: public relations mitigation, loss of customer trust, loss of shareholder trust.
    • Legal implications: regulatory compliance violations can incur fines or lawsuits.


Personally Identifiable Information (PII): Business data containing information about an individual

A business cannot operate without staff or customers. Businesses are legally obliged to prevent unauthorised exposure of any data they hold on individuals. Commonly exposed data includes:

    • Identity data: names, addresses, phone numbers, email addresses, ethnicity, gender, religion.
    • Daily-life data: social security numbers, driver’s license numbers, passport information, medical records, financial records, online browsing history.
    • Account data: login details, passwords, credit cards.
    • Biometric data: fingerprints, facial recognition, etc.


There is a global movement towards tightening data sovereignty (DS). DS aims to protect an individual’s data and privacy, and refers to the regulatory and policy governance at a global or regional level. This includes frameworks like GDPR and legislation like the Data Protection Act. The potential consequences of exposed business data can include:

    • Identity theft: criminals use this information to open accounts or make purchases.
    • Financial loss: in many cases, the victims are liable for any fraudulent charges.
    • Personal damage: such as an individual’s reputation or credit score.
    • Emotional distress: privacy violation, deliberate discrimination, job denial, stalking, etc.


Breach: PII exposure is NOT the same as IP theft

It is important to understand the distinction between data theft and data leakage. When it comes to prevention, the strategies are very different. Many businesses make the mistake of purchasing Data Loss Prevention (DLP) to satisfy compliance requirements such as GDPR, and then either omit strategies to prevent data theft or assume that DLP covers them.

Factors driving data breach

Proprietary data is at risk of deliberate, intentional theft, where the motivation is to gain an advantage – typically a financial advantage such as market share. Increasingly we are seeing theft for nation-state advantage, such as espionage, ransom and the disruption of critical infrastructure.

As the motivation is to gain an “advantage”, theft is more likely to be covert. In most cases, the victim is unaware that their data is being monetised on the dark web. Around 40% of breaches are identified by external parties rather than by the businesses themselves. There is no obligation to disclose data theft, which makes it difficult to put a firm figure on the global cost of data theft. Increasingly it is industry regulation, rather than government legislation, that drives the declaration of data theft.

PII exposure is less often intentional theft and more often the accidental release of data into the public domain, such as a staff member inadvertently sending PII in an email or posting it to a social forum. Behind this lies a lack of awareness of the consequences of a privacy violation – identity theft, discrimination, stalking. Hence PII protection is strongly mandated. Each country has its own data protection laws; in the UK we have the Data Protection Act, which incorporates the UK GDPR framework.

Financial impact

Whilst PII protection is more heavily regulated, interestingly the financial repercussions are smaller. Exposure of PII most often results in a regulatory or compliance fine, or compensation for the affected users, usually proportional to the severity of the breach. The largest PII fine to date is $5b, imposed on Facebook for allowing Cambridge Analytica improper access to the data of millions of users. Two further examples of GDPR penalties concern data transfer rather than data exposure: Facebook (now Meta) was fined $1.3B by the Irish Data Protection Commission for violating GDPR when it transferred user data to the US, and Didi Global, a Chinese ride-hailing business, was fined $1.2B, also for transferring data overseas.

The financial impact of data theft is difficult to quantify because disclosure is not mandatory. However, the impact can considerably outweigh that of PII exposure. The average cost of recovery from a data theft attempt for a UK business is about £20,000. When reputational damage is factored in, this jumps to a staggering average of $5 million. The loss of clients, abnormal customer turnover (an average 13.7% increase in churn) and damage to brand equity potentially account for 40-50% of the $5M figure. The truth is that, following a data breach, 60% of people would contemplate severing their ties with a business. The Harvard Business Review estimates a 7.5% decline in stock price post-breach.

These figures pale into insignificance when an estimated 60% of small businesses close within 6 months of an attack.


Organisations of any size are at risk from data theft. The Metropolitan Police Force fell victim to a data theft involving officers’ names, ranks and photos. A month later, the details of 47,000 police officers and staff, including undercover and counterterrorism officers, were accidentally exposed. This breach came close on the heels of a breach in the Northern Irish police force. The UK Electoral Commission also revealed a data theft involving 40M UK voters.

Reasons for risk

Both categories of data are subject to physical theft – the physical removal of data beyond its protective boundary. This can occur from the loss of an unencrypted device, data copied to USB, loss through printed material, or lack of data hygiene when a device is disposed of.


PII exposure is usually due to a lack of awareness of the data’s classification or of the consequences of exposure, such as posting data to social media or responding to a phishing email.

IP theft usually originates via a vulnerability in a device or application, made easier by a lack of policy enforcement – such as not preventing users from uploading data to personal cloud storage, not enforcing user least privilege, or weak account access management.

No matter how much protection a business provides to its data, data is still at risk from third parties, as more data is entrusted to external entities within the supply chain. The attack on MOVEit is estimated to have impacted 600 different organisations.

Download: Data Leakage v Data Theft infographic (PDF)

Actionable Advice

Eliminating the risk of data breach is beyond this article, but we cover data theft prevention techniques in more detail elsewhere on our site.


The key takeaway is that one size does not fit all – IP and PII require different protection strategies. PII protection is about mitigation: preventing exposure through the good practice of data hygiene. Protecting IP is about prevention, as mitigation sits late in the cyber kill chain.

Data theft prevention must come from a zero-trust stance for all outbound data flows. Only when the integrity of the data flow can be proven (i.e. coming from a trusted application, going to a trusted destination) should the data be allowed to be transmitted.
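As an added illustration of that default-deny stance (example code written for this article, not ZORB’s product), the check below allows an outbound flow only when the originating application AND its destination are both on an explicit allow-list, and flags everything else for review. The application names, hosts and flow records are constructed sample data.

```python
"""Default-deny egress policy check: allow a flow only when both the
application and the destination are trusted (constructed example)."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Flow:
    process: str    # executable that opened the connection
    dest_host: str  # destination hostname
    dest_port: int
    bytes_out: int  # bytes sent; useful context for a reviewer


# Assumed allow-list (constructed): trusted app -> destinations it may reach.
ALLOWED_FLOWS = {
    "outlook.exe": {"*.office365.com:443"},
    "backup-agent": {"backup.example-corp.internal:443"},
}


def is_trusted(flow: Flow) -> bool:
    """True only if the process is known AND the target matches one of its patterns."""
    patterns = ALLOWED_FLOWS.get(flow.process)
    if not patterns:            # unknown application: deny by default
        return False
    target = f"{flow.dest_host.lower()}:{flow.dest_port}"
    return any(fnmatch(target, p) for p in patterns)


def evaluate(flows):
    """Return (decision, flow) pairs; anything not proven trusted is DENY."""
    return [("ALLOW" if is_trusted(f) else "DENY", f) for f in flows]


# Constructed sample flows: two legitimate, two that a default-deny policy stops.
SAMPLE_FLOWS = [
    Flow("outlook.exe", "outlook.office365.com", 443, 12_000),
    Flow("outlook.exe", "drive.personal-cloud.example", 443, 250_000_000),  # trusted app, untrusted dest
    Flow("unknown-tool.exe", "backup.example-corp.internal", 443, 500),     # untrusted app, trusted dest
    Flow("backup-agent", "backup.example-corp.internal", 443, 900_000),
]


def denied_flows(flows=SAMPLE_FLOWS):
    """Flows that fail the integrity test and should be blocked and reviewed."""
    return [f for decision, f in evaluate(flows) if decision == "DENY"]


if __name__ == "__main__":
    for decision, f in evaluate(SAMPLE_FLOWS):
        print(f"{decision:5} {f.process} -> {f.dest_host}:{f.dest_port} ({f.bytes_out} bytes)")
```

Note that the second denied flow is from a trusted application: proving the source alone is not enough, which is why both halves of the flow must be checked.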


Conclusion

A data breach will harm a business, whether it is PII exposure or IP theft. The impact is usually financial, as a by-product of reputational damage or of a violation of an individual’s privacy. However, the converse also holds true: customer loyalty is proportional to demonstrable proof of data protection. An estimated 1 trillion data records were stolen in 2023. Many businesses are aware of the consequences of PII exposure, but few take action to prevent data theft.

Our motivation at ZORB is to make data theft prevention affordable to all businesses, regardless of their size.

About the Author

Dr Mark Graham, CEO of ZORB Security

Dr. Mark Graham has spent over 30 years in cybersecurity. He completed his PhD in malware detection in Cambridge, UK, where he also lectured in Information Security, Cybercrime and Pen-Testing. He is a co-founder of ZORB Security, which specialises in eliminating data theft.
