Tuesday, May 08, 2007
Running for IP Cover
Running for IP Cover
May 7, 2007
By Lisa Vaas
In the wake of incidents such as the TJX Companies' massive data breach, reported in January, it shouldn't come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.
The ESG survey—sponsored by information protection company Reconnex—is the first in a quarterly series on the topic.
One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG, in Milford, Mass.
Top priorities
Protecting PII(personally identifiable information) such as credit card numbers and Social Security numbers is not actually the top priority with most organizations, Ogren said.
"We asked upfront, 'What do you consider to be intellectual property?'" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."
Other IP that companies are looking to protect include—in order of reported priority—source code, competitive intelligence, internal research data, design specifications, customers' PII, trade secrets, CRM (customer relationship management) databases and patent documents.
What's tough about protecting such data is that it comes in so many different forms. Much of it doesn't fit into a neat fixed format, as would Social Security numbers or credit card numbers, for example. Instead, it comes from all over the network).
"If you think e-mail is your only issue, you're only solving 20 percent of the problem," Ogren said.
Tremendous resources are being spent to search for networked IP, Ogren added, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once per quarter.
"[This] is a major investment of time and resources," Ogren said. "It's in many different forms, in many different places, communicated with many different protocols."
As for the biggest perceived threat when it comes to data loss, malicious or sloppy insiders scare survey respondents the most.
Twenty-four percent of respondents pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders— Employees who just want to do their jobs but don't understand the risk of IP stored on their laptops, for example.
Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats is seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).
The ESG report puts forth four best practices for leakage protection.
First, ESG recommends enterprises define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.
It's also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.
ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to discovery.
Finally, ESG recommends network-based solutions over distributed endpoint software. "I don't think endpoint software is going to solve it—it can't reside in all the places IP resides," Ogren said.
May 7, 2007
By Lisa Vaas
In the wake of incidents such as the TJX Companies' massive data breach, reported in January, it shouldn't come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.
The ESG survey—sponsored by information protection company Reconnex—is the first in a quarterly series on the topic.
One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG, in Milford, Mass.
Top priorities
Protecting PII(personally identifiable information) such as credit card numbers and Social Security numbers is not actually the top priority with most organizations, Ogren said.
"We asked upfront, 'What do you consider to be intellectual property?'" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."
Other IP that companies are looking to protect include—in order of reported priority—source code, competitive intelligence, internal research data, design specifications, customers' PII, trade secrets, CRM (customer relationship management) databases and patent documents.
What's tough about protecting such data is that it comes in so many different forms. Much of it doesn't fit into a neat fixed format, as would Social Security numbers or credit card numbers, for example. Instead, it comes from all over the network).
"If you think e-mail is your only issue, you're only solving 20 percent of the problem," Ogren said.
Tremendous resources are being spent to search for networked IP, Ogren added, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once per quarter.
"[This] is a major investment of time and resources," Ogren said. "It's in many different forms, in many different places, communicated with many different protocols."
As for the biggest perceived threat when it comes to data loss, malicious or sloppy insiders scare survey respondents the most.
Twenty-four percent of respondents pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders— Employees who just want to do their jobs but don't understand the risk of IP stored on their laptops, for example.
Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats is seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).
The ESG report puts forth four best practices for leakage protection.
First, ESG recommends enterprises define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.
It's also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.
ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to discovery.
Finally, ESG recommends network-based solutions over distributed endpoint software. "I don't think endpoint software is going to solve it—it can't reside in all the places IP resides," Ogren said.
Labels: TJX Companies Inc.
# posted by raveneye @ 10:50 AM 
