Cybersecurity and IP risks are like any other risk your business can face. Whether it be a natural disaster, such as a fire or earthquake, or human error, your company should have the proper plan and safeguards in place. The only difference with a cybersecurity risk is that the asset is digital. Regardless, there needs to exist a set of internal controls that are constantly reviewed and updated, or else you leave your business vulnerable to attacks.
The aftermath of an attack can be devastating. Many businesses face financial loss, IP theft and fraud, and damage to their reputation, which may lead to legal exposure. In 2011, an intruder compromised DigiNotar's Certificate Authority (CA) and was able to generate hundreds of seemingly valid certificates for many public domains. These fraudulent certificates would enable the intruder to conduct future attacks by posing as a valid website to unsuspecting users. DigiNotar filed for bankruptcy just two months after the attack was discovered.
Here are 5 questions you should ask yourself when evaluating your cybersecurity and IP protection to keep your business safe.
Which information should you protect?
Any confidential information, such as trade secrets, patents, and customer data, is becoming more and more susceptible to attack and vulnerabilities. Your company needs to ensure that your client database, marketing plans, and customer information are threat-proof and secure, or else there are serious consequences to face.
Have you taken inventory of your IP? Do you know where it is and who has access to it?
First, identify and secure confidential e-documents and files. Find out where they are created, who needs them and when. From there, create Information Governance Policies (IG) to manage and monitor access to any sensitive data. Always bolster these policies with extra document security technologies such as data storage, digital signature technology, or encryption.
Like any risk control, you want to test and audit your IG program periodically and, if possible, through trusted third-party sources. Also ensure you update your security frequently and assess the efficacy of the cybersecurity measures employed.
Is protection of your IP included in your risk assessment?
It was only 2 years ago that 70 million Target customers' debit and credit card data was stolen by cyber thieves. Home Depot was attacked a year later, plunging their shares 0.86 percent lower. But even after the most recent attack on Sony, people are already forgetting.
While most companies have business continuity and disaster recovery plans in place, many forget to implement effective cybersecurity measures. 40 percent of IT disasters lead to bankruptcy within a year. The majority are caused by hackers, breaches, and human maliciousness. The likelihood of it happening increases every day.
Companies that cross their fingers naively will feel the full weight of the impact of an attack, especially when they could have done something to prevent it.
How Can I Protect My Business?
For many years, the security industry treated attackers as creatures of opportunity seeking the path of least resistance - if they encountered a secured network, they were likely to move on, looking for a softer target. Today's cybercriminals are highly motivated professionals - often well-funded by criminal organizations or nation-states - who are far more patient and persistent in their efforts to break through an organisation's defences. The most common ways to attack your business include password phishing, social engineering, and malicious programs, or malware, such as Trojan horses, logic bombs, rootkits, bootkits, back-doors, spyware, adware, botnets, or viruses and worms.
Thus, protecting your IP from malicious users depends on three defences - IT Management, Risk Management, and Internal Audits. All three must do their job and work together. But even with defences in place, it's important you keep current with relevant technological trends in order to cover any blind spots and silos.
Is your internal audit’s assessment up to specs? Can your company protect its IP?
The audit committee's responsibility should focus on setting expectations and accountability for management, and on assessing the adequacy of resources, funding, and focus on cybersecurity activities. It's important that there are dynamic discussions regarding expectations for cybersecurity and risk mitigation.
While cybersecurity is generally considered an IT issue, it should be a top risk management concern and a regular part of internal audit plans. Executives must clarify what's important to protect, where it is, and who can access it.