Gone are the days when it was thought that the size of a company matters to cybercriminals. The latest PwC Information Security Breaches Survey 2013 shows a significant rise in the number of small businesses attacked by an unauthorized outsider in the last year – up by 22%. Interestingly, large organizations only went up by 5%. Cybercriminals have moved on to stealing intellectual property or corporate secrets, because that’s where the real money is, and small companies become easy targets as many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data. Secrets refer to information that the enterprise creates and wishes to keep under wraps. They tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD. Secrets that have intrinsic value to the firm are almost always specific to the enterprise’s business context — where an interested party could cause long-term competitive harm if this information is obtained. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage. Typically, companies in knowledge-intensive industries such as aerospace and defense, electronics, and consulting generate large amounts of confidential intellectual property that present barriers to entry for competitors. Unlike toxic data spills, failures to protect secrets are almost never made public. By contrast, legislation, regulation, and contracts compel enterprises to protect custodial data. Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws.
Custodial data has little intrinsic value in and of itself, but when it is obtained by an unauthorized party, misused, lost or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity. Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email, and phone number; government identifiers like passport numbers; payment card details like credit card numbers and expiry dates; and medical records. Many well-known companies have graced the front pages of major newspapers with toxic data spills. Interestingly, enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services, and transportation derive between 70-80% of their information portfolio value from secrets, while healthcare firms and governmental entities are nearly exactly the opposite: most of the value of their information assets is in custodial data. Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage. By contrast, employee theft of sensitive information is costlier on a per-incident basis than any single incident caused by accidents. Unfortunately, compliance drives spending on security for all companies, and smaller ones have a difficult choice to make. “Compliance” in all its forms has helped CISOs buy more gear, but it has distracted IT security from its traditional focus: keeping company secrets secure.
All companies, large and small, really need to do a better job of understanding the value of their corporate secrets. Read my next blog for some recommendations on achieving the right balance.
