Keep Your Competitive Edge: Intellectual Property makes you a target

Dr Mark Graham, CEO of ZORB Security

Most businesses understand and enforce the legal requirements to protect personally identifiable information (PII). Ultimately, PII laws are about protecting people.

 

But it is your company’s intellectual property (IP) that makes your business a data theft target. The sensitive, proprietary business data that makes your business different has monetary value to others. Today, commonly used business strategies are pushing more and more data outside of the secure network perimeter, thereby exposing more sensitive data to theft.

 

In this article, we’ll look at:

    • Why protecting PII from data leaks is NOT the same as protecting IP from data theft
    • Why your data theft protection strategy must move from MITIGATE to PREVENT

 

Of key importance is that these two different data types each require a different defence mechanism.

    PII v IP: Two different types of data

    PII is data of a personal nature, held about individuals connected to the company: staff, clients, contractors, etc. Businesses are legally obliged to protect the privacy of this data through country-defined Data Protection Acts, with mandatory disclosure of a public-domain breach. The most common cause of exposure is accidental human error, or a misunderstanding of data handling by classification.

     

    IP is the proprietary, sensitive data a company holds about the business – trade secrets, R&D, customer lists, bank accounts, client passwords, etc. Theft is usually deliberate and targeted, with the intention of selling the data for personal gain. Whilst protection is not mandated, it clearly makes competitive sense to prevent disclosure. Increasingly, industry regulation, rather than government legislation, is driving data theft declaration.

     

    Breach Risk: PII exposure is NOT the same as IP theft

    Proprietary data has “value”, both to the company and its competitors. The value of core IP and intangible assets can account for as much as 50% or more of a company’s overall worth. This puts it at risk of deliberate, pre-determined theft. Theft is a covert attack. In most cases, the victim is unaware that their data is being monetised on the dark web. Around 40% of breaches are identified by external parties rather than the businesses themselves.

     

    Common business strategies are indirectly contributing to an increase in targeted data theft. The opportunity for theft is increasing because of the sheer volume of data these strategies are pushing beyond the secure network perimeter:

      • remote and hybrid working
      • migration of internal services to the cloud
      • more digitally integrated supply chains

     

    On the other hand, PII exposure tends to have less malicious intention. Usually, the staff member lacks awareness of the consequences of a privacy violation, which can lead to identity theft, discrimination or stalking. In some instances, though, PII exposure can be deliberate, such as when a member of staff holds a grudge against the company or an individual.

    Factors behind a breach: Protection Strategies

    As highlighted above, PII differs from sensitive company data, or IP. Another significant difference lies in how each type of data can be breached.

     

    1) Physical data loss

    Both categories of data are subject to physical loss – the physical removal of data beyond its protected boundary. This can be accidental (loss of an unencrypted device, lack of proper data hygiene when a device is disposed of) or intentional (data copied to a USB, removal of printed material, etc.). When it comes to protecting against physical loss, mitigation is the primary defence. A business should have data handling procedures for all of its different classifications of data sensitivity. All staff members should be aware of the handling requirements, and handling should be monitored accordingly. Mitigation can come from device hardening (disabling USB ports), printer login credentials to monitor what is printed and by whom, and encrypting data at rest.

     

    2) Account related data loss

    If an unauthorised actor gains access to a user account, they may gain access to restricted data. Similarly, if an authorised user has unrestricted access beyond their job function requirements, they may also gain access to restricted data. The risk of insider attacks often features highly in the top concerns of a CISO. Such attacks are difficult and complex to detect. Mitigation tends to be the primary strategy, via a solid AAA framework to authenticate, authorise and account for all users on the network. Multifactor authentication, Identity Access Management, least privilege principles and endpoint protection all form part of a holistic protection strategy.

     

    However, theft from insider attacks can be prevented.

     

    3) PII Protection

    There are some affordable quick wins to mitigate accidental PII exposure through good data hygiene practice. As stated above, accidental exposure typically comes from a user’s lack of awareness of data handling, or a lack of understanding of the possible impacts of undue exposure. User training to understand data classification, acceptable social media use and phishing attacks can go a long way to reduce the risk. For businesses with larger budgets, compliance can be met, and risks mitigated, with a DLP solution. For example, Microsoft’s Purview inspects email content and social forum posts for PII disclosure. However, complexity and cost tend to push DLP beyond the reach of smaller businesses.

    4) Data Theft Protection

    The fundamental strategy for the three scenarios above has been ‘mitigation’ – reducing both the likelihood and impact of a breach. Whilst mitigating the risks of data theft may indeed limit data exposure, it does not stop data from being stolen. Protecting against data theft is about PREVENTION – stopping an attack before it becomes a breach, not simply mitigating the risk of an attack. In MITRE ATT&CK parlance, this starts with ‘detection’.

     

    Many businesses purchase a Data Loss Prevention solution to meet PII compliance requirements of, for example, GDPR. Often, they mistakenly believe this also covers theft detection. Tools such as firewalls and IDS can be deployed to detect data theft. Many firewalls and IDS automatically configure rulesets for incoming data. However, managing the sheer volume of permissible protocols and IP addresses for outbound data becomes resource-intensive, and therefore expensive. Rulesets are also prone to misconfiguration, and a single error can potentially expose the entire network infrastructure. Firewalls, VPNs, and IDS can all be bypassed by a bad actor.

     

    The origins of a data theft attack can often be traced back to a single vulnerability in a device or application, which makes a robust, automated patching process mandatory. However, this does little to stop zero-day vulnerabilities. With all the will in the world, technicians do make mistakes. A misconfiguration in software or hardware can be as inviting to malware or a hacker as a vulnerability.

     

    Consider the three common business practices highlighted above: remote/hybrid working, migration of internal services to the cloud, and more digital integration with supply chains. They all involve sending sensitive data over the Internet. Businesses spend considerable amounts of money to protect against data exposure from these scenarios. Yet data theft continues to increase. This is because most solutions focus only on the HOW.

     

    Often overlooked is the “WHERE”: where is the user’s device attempting to send the application data? Monitoring and detecting where data is going helps enforce company policy – such as what can be uploaded to which cloud providers. Data theft prevention must start with a zero-trust stance for all outbound data flows. Only when the integrity of the data flow can be proven (i.e. coming from a trusted application, going to a trusted destination) should the data be allowed to be transmitted. Breach of sensitive data could all but be eliminated by challenging the destination of all transmitted data. If the data is not destined for the correct destination IP address – terminate the flow.
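
The default-deny decision described above (trusted application, trusted destination, otherwise terminate) can be sketched as follows. This is an added example, not ZORB's product code or part of the original article; the application names, hashes, policy layout and flow records are constructed for illustration, and the addresses come from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str          # name of the sending application
    app_sha256: str   # hash of the executable that opened the socket
    dst_ip: str
    dst_port: int

# Constructed policy (hypothetical names, documentation-range addresses):
# each trusted application lists the only destinations it may send data to.
POLICY = {
    "crm-sync": {"sha256": "a" * 64, "destinations": [("198.51.100.0/24", 443)]},
    "backup-agent": {"sha256": "b" * 64, "destinations": [("203.0.113.10/32", 443)]},
}

def decide(flow, policy=POLICY):
    """Default deny: allow only a trusted application sending to a trusted destination."""
    rule = policy.get(flow.app)
    if rule is None:
        return ("TERMINATE", "untrusted application")
    if flow.app_sha256 != rule["sha256"]:
        return ("TERMINATE", "binary hash mismatch")
    try:
        dst = ipaddress.ip_address(flow.dst_ip)
    except ValueError:
        return ("TERMINATE", "unparseable destination")  # fail closed
    for cidr, port in rule["destinations"]:
        if dst in ipaddress.ip_network(cidr) and flow.dst_port == port:
            return ("ALLOW", "trusted application to trusted destination")
    return ("TERMINATE", "untrusted destination")

# Constructed flow records for illustration.
SAMPLE_FLOWS = [
    Flow("crm-sync", "a" * 64, "198.51.100.25", 443),        # expected cloud upload
    Flow("crm-sync", "a" * 64, "192.0.2.77", 443),           # trusted app, wrong destination
    Flow("crm-sync", "c" * 64, "198.51.100.25", 443),        # replaced or tampered binary
    Flow("notepad-helper", "d" * 64, "198.51.100.25", 443),  # unknown application
    Flow("backup-agent", "b" * 64, "203.0.113.10", 8443),    # right host, wrong port
]

def evaluate(flows):
    """Return the (verdict, reason) pair for each flow, in order."""
    return [decide(f) for f in flows]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{verdict:9} {flow.app:14} -> {flow.dst_ip}:{flow.dst_port}  ({reason})")
```

Only the first constructed flow is allowed; every other combination, including a destination that cannot be parsed, is terminated rather than passed by default.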

    Conclusion

    A data breach has a negative impact on a business. Usually the impact is financial, not only from the cost to remedy or an imposed compliance breach fine, but also as a byproduct of reputational damage or a violation of an individual’s privacy.

     

    However, the opposite holds true. There is growing evidence that customer loyalty is related to a company’s ability to demonstrate proof of data protection, either from frameworks like ISO 27001 or certifications like Cyber Essentials.

     

    The key takeaway from this article is that one protection strategy does not fit all. IP and PII are different types of data, with different exposure risks, each requiring a different protection strategy. In 2023, an estimated 1 trillion data records were stolen. Many businesses are aware of the consequences of PII exposure, but few take action to prevent data theft.

     

    The protection strategy for data theft must be focused on PREVENTION. ZORB Security are data theft prevention specialists. We apply a zero-trust stance for all outbound data flows. Only when the integrity of the data flow can be proven (i.e. coming from a trusted application, going to a trusted destination) is the data allowed to be transmitted.
