A new survey released today found that more than half of enterprises believe that the biggest threat to their sensitive information is through the action of malicious or negligent insiders—be they employees, outsourced workers or others working with trusted partners.
The results of the survey were published in an Enterprise Strategy Group brief titled “Intellectual Property Rules” as part of research conducted on behalf of Reconnex. In the report, analyst Eric Ogren noted that the insider threat is a risk not just to personally identifiable information, but also to the myriad of other types of intellectual property (IP) that businesses must protect daily.
“One of the surprises (we found) is how many different forms of IP of there are out there that companies are worried about protecting,” Ogren told SCMagazine.com. “I know that they protect identity stuff differently—because they have to due to disclosure laws—but when we asked about types of IP, identity information came out third. It was financial information and contracts and agreements and sales data that came out as number one.”
The lifeblood of any organisation, IP can also include trade secrets, product schematics and recipes, information gathered about markets and any other data collected or thought up by company employees. The difficulty in protecting this type of asset is not only the wide variety in types of IP out there, but also in the diversity of documents and files it appears in, Ogren said.
“It’s structured in databases, but it is also freeform in spreadsheets, Word documents and fileshares,” said Ogren, who reported that contrary to the previous popular belief that e-mail contains the most stores of sensitive information, the 112 companies surveyed ranked it as the third-most sensitive repository of IP. “So it is a pretty big issue of how do I discover all of this stuff, how do I find it on my network and classify it and control and manage it.”
According to the survey, approximately 70 per cent of companies manually review their IP protection policies on a quarterly or monthly basis. But, Ogren questioned the effectiveness of such audits.
“I don’t know how successful they are doing it manually,” he said. “This sort of screams to be automated.”