Running for IP Cover

In the wake of data breaches, a new survey notes plans to protect intellectual property.

In the wake of incidents such as the TJX Companies massive data breach, reported in January, it shouldnt come as a surprise to find that 90 percent of companies plan to plug in new technology to secure electronic copies of intellectual property in the coming year.

That was one finding of a report issued on March 5 from Enterprise Strategy Group titled "Intellectual Property Rules." ESG surveyed 112 organizations, each with more than 1,000 employees, for the report.

The ESG survey—sponsored by information protection company Reconnex—is the first in a quarterly series on the topic.

One of the findings that surprised ESG was how big the IP problem is, according to Eric Ogren, a security analyst for ESG, in Milford, Mass.

Top priorities

Protecting PII(personally identifiable information) such as credit card numbers and Social Security numbers is not actually the top priority with most organizations, Ogren said.

"We asked upfront, What do you consider to be intellectual property?" he said. "What they want to protect is financial information, contracts and agreements. Only after that is PII."

Other IP that companies are looking to protect include—in order of reported priority—source code, competitive intelligence, internal research data, design specifications, customers PII, trade secrets, CRM (customer relationship management) databases and patent documents.

Whats tough about protecting such data is that it comes in so many different forms. Much of it doesnt fit into a neat fixed format, as would Social Security numbers or credit card numbers, for example. Instead, it comes from all over the network).

"If you think e-mail is your only issue, youre only solving 20 percent of the problem," Ogren said.

Tremendous resources are being spent to search for networked IP, Ogren added, in terms of both manual and automated procedures. According to the report, 78 percent of those surveyed search for electronic versions of IP at least once per quarter.

"[This] is a major investment of time and resources," Ogren said. "Its in many different forms, in many different places, communicated with many different protocols."

As for the biggest perceived threat when it comes to data loss, malicious or sloppy insiders scare survey respondents the most.

Twenty-four percent of respondents pointed to malicious insiders as the biggest threat to their IP falling into the wrong hands, while 34 percent feared that the problem lies with negligent insiders— Employees who just want to do their jobs but dont understand the risk of IP stored on their laptops, for example.

Only 20 percent of respondents think that hackers are their biggest threat in this regard. The balance of threats is seen as coming from lack of security oversight (17 percent) or lack of distribution control (5 percent).

The ESG report puts forth four best practices for leakage protection.

First, ESG recommends enterprises define comprehensive requirements for IP and PII at the same time. Protecting against leakage of one protects against leakage of the other, the company maintains.

Its also necessary to segregate IP protection duties, according to ESG. That means empowering security teams to provide independent oversight of operations, including monitoring insider use of information.

ESG also suggests automating discovery of IP, to cut down on the time and money currently being devoted to discovery.

Finally, ESG recommends network-based solutions over distributed endpoint software. "I dont think endpoint software is going to solve it—it cant reside in all the places IP resides," Ogren said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.