Protect trade secrets from e-spionage

Business espionage is an old activity that's gained a high-tech twist. This new "e-spionage" relies on cyber-cunning and remote infiltration to obtain trade secrets without authorisation.

The American Society for Industrial Security's 1999 Fortune 1000 survey reported an estimated US$45 billion in losses from proprietary information theft. Half of the 600 companies surveyed by the Computer Security Institute estimated a total of more than US$60 million in these losses. The exact numbers aren't as important as the growing size of these losses.

The recent theft of Microsoft's intellectual property brings fresh attention to the dangers of leaving corporate trade secrets unprotected. By legal definition, trade secrets include all forms and types of business, economic, financial, technical, engineering, or scientific information.

The Economic Espionage Act of 1996 (EEA) is the foundation for legal protection in cases such as Microsoft's. Individuals who illegally take, download, receive, or possess trade secret information without authorisation from its owners may be prosecuted under EEA guidelines.

But there are two key provisions: the company must have taken reasonable measures to protect its information; and the information must possess economic value by not being generally known. Criminal penalties include up to 15 years in prison for those who conspired to commit the crime, and up to US$10 million in fines for organisations involved in a hack.

After a successful data theft, what's the probability that agencies, organisations, or individuals will be successfully extradited, prosecuted, and incarcerated? Dismal. And even with successful prosecution, stolen trade secrets are long gone.

If Microsoft's trade secrets can be hacked, then what chance does your company have to protect its trade and intellectual property secrets (TIPS)? Actually your chances are as good as, and probably better than, Microsoft's. But, to state the obvious, first you have to protect your trade secrets. There are several steps that you can take to better assure the security of your firm's vital information.

  • Isolate TIPS on protected servers, since valuable secrets are tantalising targets for both outsiders and employees without scruples. Consider restricting access to a central TIPS repository, and encrypt the data thereon.
  • Segregate TIPS information by secrecy level (e.g., top secret, secret, confidential) and link these levels to individual authorisations.
  • Conduct a "need to know" authorisation analysis by reviewing job descriptions, position levels, and official endorsements to establish appropriate TIPS access authorisations.
  • Restrict TIPS access to those whose backgrounds you've checked. Officially authorise, in writing, those who can access the data.
  • Create a TIPS authorisation table, also with access restriction and backup, to control online access authorisation.
  • Maintain and back up an access log for all TIPS data. Review it daily to confirm authorised access.
  • Protect encryption keys for authorised TIPS users on security "hardened" storage media.
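
The daily access-log review and the authorisation table from the steps above can be combined into one automated check. The following Python script is an added example, not part of the original article; the log format, user names, document names and table contents are constructed assumptions.

```python
# Added example: the table, log format and all names are hypothetical.
from datetime import datetime

# Secrecy levels from the article, ordered lowest to highest.
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}

# TIPS authorisation table: user -> highest level authorised in writing.
AUTH_TABLE = {"alice": "top secret", "bob": "confidential"}

# Constructed access log: timestamp|user|document|document level|action
SAMPLE_LOG = """\
2024-03-03T10:00:00|bob|formula-7.pdf|top secret|read
2024-03-04T09:12:00|alice|formula-7.pdf|top secret|read
2024-03-04T09:40:00|bob|pricing.xlsx|confidential|read
2024-03-04T23:05:00|bob|formula-7.pdf|top secret|read
2024-03-04T23:09:00|mallory|roadmap.doc|secret|copy
2024-03-04T23:11:00|alice|roadmap.doc
"""

def review(log_text, day, auth_table=AUTH_TABLE):
    """Return (line_number, reason, raw_line) findings for one day's entries."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = [p.strip() for p in line.split("|")]
        # A truncated or garbled entry is itself a finding, never skipped:
        # an incomplete log cannot confirm that access was authorised.
        if len(parts) != 5 or parts[3] not in LEVELS:
            findings.append((n, "malformed entry", line))
            continue
        stamp, user, doc, level, action = parts
        try:
            entry_day = datetime.fromisoformat(stamp).date().isoformat()
        except ValueError:
            findings.append((n, "malformed entry", line))
            continue
        if entry_day != day:
            continue  # outside the day under review
        granted = auth_table.get(user)
        if granted is None:
            findings.append((n, "user not in authorisation table", line))
        elif LEVELS[level] > LEVELS[granted]:
            findings.append((n, f"{level} exceeds {granted} authorisation", line))
    return findings

if __name__ == "__main__":
    for n, reason, line in review(SAMPLE_LOG, "2024-03-04"):
        print(f"line {n}: {reason}: {line}")
```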

Your company must protect its valuable intellectual property or risk surrendering that information to organisations trying to take a shortcut around R&D. Law enforcement won't recoup your firm's losses once its intellectual property is already in others' hands, and civil action may exhaust your patience and your funds before you finish tackling geographic jurisdictions and dealing with court delays. Your best policy is preemptive security.

Protecting your firm from hackers is far better than discovering a breach after it transpires.
