Business espionage is an old activity that's gained a high-tech twist. This new "e-spionage" relies on cyber-cunning and remote infiltration to obtain trade secrets without authorization.
The American Society for Industrial Security's 1999 Fortune 1000 survey reported an estimated $45 billion in losses from proprietary information theft. Half of the 600 companies surveyed by the Computer Security Institute estimated a total of more than $60 million in these losses. The exact numbers aren't as important as the growing size of these losses.
The recent theft of Microsoft’s intellectual property brings fresh attention to the dangers of leaving corporate trade secrets unprotected. By legal definition, trade secrets include all forms and types of business, economic, financial, technical, engineering, or scientific information.
The Economic Espionage Act of 1996 (EEA) is the foundation for legal protection in cases such as Microsoft's. Individuals who illegally take, download, receive, or possess trade secret information without authorization from its owners may be prosecuted under EEA guidelines.
But there are two key provisions: the company must have taken reasonable measures to protect its information; and the information must possess economic value by not being generally known. Criminal penalties include up to 15 years in prison for those who conspired to commit the crime, and up to $10 million in fines for organizations involved in a hack.
After a successful data theft, what's the probability that agencies, organizations, or individuals will be successfully extradited, prosecuted, and incarcerated? Dismal. And even with successful prosecution, stolen trade secrets are long gone.
If Microsoft’s trade secrets can be hacked, then what chance does your company have to protect its trade and intellectual property secrets (TIPS)? Actually your chances are as good as, and probably better than, Microsoft’s. But, to state the obvious, first you have to protect your trade secrets.
There are several steps that you can take to better assure the security of your firm’s vital information.
- Isolate TIPS on protected servers, since valuable secrets are tantalizing targets for both outsiders and employees without scruples. Consider restricting access to a central TIPS repository, and encrypt the data thereon.
- Segregate TIPS information by secrecy level (e.g., top secret, secret, confidential) and link these levels to individual authorizations.
- Conduct a "need to know" authorization analysis by reviewing job descriptions, position levels, and official endorsements to establish appropriate TIPS access authorizations.
- RestrictTIPS access to those whose backgrounds you've checked. Officially authorize, in writing, those who can access the data.
- Create a TIPS authorization table, also with access restriction and backup, to control online access authorization.
- Maintain and back up an access log for all TIPS data. Review it daily to confirm authorized access.
- Protect encryption keys for authorized TIPS users on security "hardened" storage media.
Your company must protect its valuable intellectual property or risk surrendering it to organizations trying to take a shortcut around R&D. Law enforcement won't recoup your firm's losses once its intellectual property is already in others' hands, and civil action may exhaust your patience and your funds before you finish tackling geographic jurisdictions and dealing with court delays.
Your best policy is preemptive security. Protecting your firm from hackers is far better than discovering a breach after it transpires.
Dr. Goslar is principal analyst and founder of E-PHD, LLC – a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.