IP protection, which goes beyond just securing private records, has become such a priority that 90 percent of companies queried plan to deploy new technologies to secure their IP in the next 12 months. The epicenter of risk continues to be insiders who either act with malicious intent or are negligent.
"Intellectual Property Rules," which is based on a survey of personnel at enterprises that have from 1,000 to more than 20,000 employees worldwide, reveals some key findings:
- One-third of organizations surveyed acknowledged data losses in the last 12 months.
- Fifty-eight percent believe the biggest threat to their data is from the inside out, from malicious or negligent insiders.
- One-third of companies' sensitive data and IP exists in application databases where it can be centrally secured and managed. An additional 28 percent resides in file system. This is contrary to past reports that indicated e-mail is the number one source of confidential data.
- About 70 percent of organizations review their data protection policies on a quarterly or monthly basis.
The biggest threat to companies' data is overwhelmingly internal, due either to malicious or negligent insiders or to faulty controls and oversight (80 percent). While physical loss of laptops and USB devices-and the data they contain-remains a concern, this actually represents only a portion of total risk. Many organizations believe that IP is likely to leak via traffic on the network such as e-mail or the Web. Ironically, there are still some organizations that do not inspect such obvious and well-documented leak points as Web-mail and IM communications.
IP assets are a challenge to protect because they are dynamic; companies continually add to and evolve their IP and other sensitive data during the course of doing business. The 'set-and-forget' policies often used for monitoring PII and finding fixed-format data such as credit card numbers are ineffective for protecting the broader moving target of IP. As a result, according to the survey, about 70 percent of companies manually review their IP protection policies on a quarterly or monthly basis.
The ability to automate the detection of sensitive data in files, e-mails, databases, and shared servers is the first step to reducing the constant reviews of IP protection policies. And since manual IP review is expensive, time consuming, and error prone, automated IP discovery will save money, free IT staff to perform other tasks, and be more accurate. Many organizations surveyed feel that an automated IP protection solution must address both data at rest (resident in user directories or servers), as well as data in motion (as it traverses the network).
"Intellectual property permeates even the furthest corners of the corporate network. Security teams using manual procedures to protect the business against the leakage of IP are challenged finding cost-effective approaches to discover, classify, and protect IP," said Eric Ogren, security analyst with the Enterprise Strategy Group. "The overwhelming risk of insider abuse, and the expense of manual procedures, screams for technology administered by an independent security/audit staff."
