Intellectual property theft - detection is the best prevention

Intellectual property (IP) is no longer safe and businesses are losing their competitive edge as a result.

Many CIOs are facing pressure today to keep their companies' business-critical IP under wraps, particularly as the past few months have seen a tidal wave of revelations about the security of IP.

The Department for Business, Innovation and Skills commissioned a report on information security breaches in 2013 that found that 78 per cent of large organisations were attacked by an unauthorised outsider in the past year, demonstrating that all organisations are under fire.

Despite modern firewalls, and what was believed to be adequate protection, the stories of espionage and data loss are mounting. The important question of how we monitor, manage and control outgoing as well as incoming data has become all the more relevant.

Theft of IP typically begins with common attack methods such as bribery of employees, spear phishing of specific executives or whole departments, and zero-day exploits. Because detection is the most important part of defending against an attack, we have pulled together some recommended steps to ensure a successful approach to protecting your IP.

1. User profiling

It is difficult to detect an attack, but automated solutions can now be implemented to identify malicious behaviour within the network. Employees' typical behaviour on the system is analysed and profiles are created, so that any irregular activity and deviations inside the network can be identified and effectively managed.

If a user profile indicates that an employee normally accesses certain systems and a certain amount of information, and this behaviour suddenly changes, then they may have been compromised. This approach can help organisations detect activity that indicates an insider threat or an external attack.
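As an added illustration (not code from the original article), the following Python sketch builds per-user baselines from a constructed access log and flags the two deviations the paragraph describes: a system the user has never touched, and a daily volume far above their norm. The log entries, user names and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample access log: (user, day, system, bytes_read). Not real data.
BASELINE_LOG = [
    ("alice", 1, "crm", 1200), ("alice", 2, "crm", 1400), ("alice", 3, "crm", 1100),
    ("alice", 4, "crm", 1300), ("alice", 5, "crm", 1250),
    ("bob", 1, "git", 5000), ("bob", 2, "git", 5200), ("bob", 3, "wiki", 800),
    ("bob", 4, "git", 4800), ("bob", 5, "git", 5100),
]
# Day 6: alice touches a share she never used and pulls far more data than usual.
NEW_DAY = [
    ("alice", 6, "crm", 1200), ("alice", 6, "hr-share", 40000),
    ("bob", 6, "git", 5000),
]

def build_profiles(log):
    """Per-user baseline: systems normally used plus mean/stdev of daily volume."""
    systems = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, day, system, nbytes in log:
        systems[user].add(system)
        daily[user][day] += nbytes
    profiles = {}
    for user, used in systems.items():
        volumes = list(daily[user].values())
        profiles[user] = {"systems": used, "mean": mean(volumes), "stdev": pstdev(volumes)}
    return profiles

def score_day(profiles, log, day, z_threshold=3.0):
    """Alerts for one day's activity that deviates from each user's baseline."""
    alerts, volume = [], defaultdict(int)
    for user, d, system, nbytes in log:
        if d != day:
            continue
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, "no baseline for this user"))
            continue
        if system not in prof["systems"]:
            alerts.append((user, f"new system: {system}"))
        volume[user] += nbytes
    for user, total in volume.items():
        prof = profiles[user]
        z = (total - prof["mean"]) / (prof["stdev"] or 1.0)  # flat-baseline guard
        if z > z_threshold:
            alerts.append((user, f"volume {total} is {z:.1f} sd above baseline"))
    return alerts

def run_example():
    return score_day(build_profiles(BASELINE_LOG), NEW_DAY, day=6)
```

A real deployment would build the baseline over weeks rather than five days and add time-of-day and source-host dimensions, but the shape of the check is the same.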

2. Handling malicious links

A common method for hacking into a company is the use of malicious links via a spear phishing attack. Spear phishing emails target a specific organisation, or specific people in an organisation, seeking unlawful access to its confidential data. Spear phishing attackers bypass defences because they have learned that some solutions check links inside emails only when the email enters the system; they therefore load the attack onto the website later (a few minutes or hours afterwards) to avoid detection.

Dynamic threats such as spear phishing target the likes of confidential IP data and are an effective tool for hackers. However, this can be proactively prevented by employing real-time web analytics, isolating and sandboxing suspicious emails for further analysis and educating employees to spot phishing attacks as they happen.

3. Tracking outgoing data

Far too many companies focus on protecting themselves from incoming malicious links and think that makes them secure. Tracking outgoing data is just as important, but it requires the management team to accept that, despite your best efforts, people will gain access to the network.

If a nation state, for example, with its vast resources wanted to access your systems, there is little that any IT team could do to stop it. It is also important to stress that even if an attacker succeeds in getting into the system, when and how they take data out can expose them, provided the right systems are in place.

It is possible to expose and track data leaving the system and record where it goes, but this requires the implementation of an effective data loss prevention (DLP) system. If data is categorised, and separate networks and levels of access are established, then it is possible to track not only what data is moving where but also who is doing the moving.

Often a hacker will want to encrypt data they are sending out of the system, and this provides another opportunity to detect them. A policy can be deployed that tracks unnatural types of encryption: that is, encryption that is not natural to your network.
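An added example, not from the article or Performanta, of the "unnatural encryption" policy: it scores outbound payloads by Shannon entropy and alerts only when a high-entropy payload leaves over a channel that is not on the network's list of expected encrypted channels. The allowlist, the flows and the payloads are constructed assumptions.

```python
import math
import random
from collections import Counter

# Channels on this (constructed) network where encrypted payloads are expected:
# HTTPS through the proxy and the corporate VPN. Assumption for the example only.
EXPECTED_ENCRYPTED = {("tcp", 443), ("udp", 1194)}

def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_flow(proto, dst_port, payload, threshold=7.5):
    """'ok' (plaintext), 'encrypted-expected', or 'encrypted-unexpected' (alert)."""
    if shannon_entropy(payload) < threshold:
        return "ok"
    if (proto, dst_port) in EXPECTED_ENCRYPTED:
        return "encrypted-expected"
    return "encrypted-unexpected"

def _pseudo_ciphertext(n, seed):
    # Constructed stand-in for ciphertext; seeded so the example is reproducible.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed outbound flows: (label, proto, dst_port, payload).
SAMPLE_FLOWS = [
    ("plaintext form post", "tcp", 80, b"name=alice&dept=research&q=quarterly+figures " * 80),
    ("browser https", "tcp", 443, _pseudo_ciphertext(4096, seed=1)),
    ("vpn tunnel", "udp", 1194, _pseudo_ciphertext(4096, seed=2)),
    ("high-entropy udp/53", "udp", 53, _pseudo_ciphertext(4096, seed=3)),
    ("high-entropy tcp/80", "tcp", 80, _pseudo_ciphertext(4096, seed=4)),
]

def review_flows(flows=SAMPLE_FLOWS):
    """Verdict per flow; 'encrypted-unexpected' entries are the ones to investigate."""
    return {label: classify_flow(proto, port, payload) for label, proto, port, payload in flows}
```

Compressed archives score as high as ciphertext, so this is a triage signal to combine with the DLP categorisation described above, not a verdict on its own.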

To limit the chances of an attacker getting access to truly critical IP data, an offline intranet could be established on a physically separated and controlled network. The intranet would have no access to the internet or the commercial network, would be reachable only from certain areas within a building, and all access to it could be tracked by cameras and user profiles.

4. An emergency plan

If the management of a company has accepted that, no matter how secure their system is, there may be a time when a breach is discovered, it is important that they implement a response plan.

A designated response team, which includes management, IT, legal, business, marketing/PR and other critical departments, needs to be set up so that the business can act in a quick and coordinated way when dealing with a breach.

Predetermined processes and best-practice guidelines will have been set in place so that each department can deal with the situation effectively and proactively, allowing the business to continue functioning and preventing the potential internal 'blame game' should the response fail.

Employ a security consultancy to provide support. If you have a properly managed DLP system, the destination of your data and the source of the leak can be discovered, which leads you to the next phase of action; this will vary depending on the originating nation state and whether you have any hope of legal recourse.

After the recent news stories about companies that have been hacked consistently for years and did not know, every company that has sensitive IP information – and all companies have some sensitive information – should take steps to ensure its information is monitored and secured.

By implementing some of these guidelines you go from having an intangible potential leak to a measurable threat that can be responded to and dealt with proactively. 

Lior Arbel is the CTO of Performanta UK