Corporate espionage may be all about the money

7 Apr 2010

The business of trading in corporate secrets is bigger and more lucrative than ever, a Forrester study commissioned by Microsoft, RSA and EMC has found, with tech companies in particular targeted for theft.

Most people associate espionage with war and politics. In the tech-centric 21st century, the trading of secrets for cash is where the game is at, yet most enterprises focus too much on compliance and not enough on protecting their secrets.

The study, which centred on 305 in-depth surveys with IT security decision makers, found that corporate secrets include product plans, earnings forecasts and trade secrets. Custodial data, including customer, medical and payment card information, becomes “toxic” when spilled or stolen.

Secrets comprise two-thirds of the value of firms’ information portfolios. Proprietary knowledge and company secrets are considered twice as valuable as the custodial data and are targets for theft.

What security budgets are used for

Enterprises devote 80pc of their security budgets to two priorities: compliance and securing sensitive information.

But secrets comprise 62pc of the overall information portfolio’s value while compliance-related custodial data comprises just 38pc, suggesting investments are strongly weighted toward compliance.

While firms focus on preventing accidents, theft is where the money is. Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage.

By contrast, employee theft of sensitive information is 10 times costlier on a per-incident basis than any single incident caused by accidents – hundreds of thousands of dollars versus tens of thousands.

The more valuable a firm’s information, the more incidents it will have. The “portfolio value” of the information managed by the top quartile of enterprises was 20 times higher than that of the bottom quartile.

These high-value enterprises had four times as many security incidents as low-value firms. High-value firms are not sufficiently protecting data from theft and abuse by third parties.

They had six times more data security incidents due to outside parties than low-value firms, even though the number of third parties they work with is only 60pc greater.

Chief information security officers (CISOs) do not know how effective their security controls actually are. Regardless of information asset value, spending, or number of incidents observed, nearly every company rated its security controls to be equally effective — even though the number and cost of incidents varied widely.

Even enterprises with a high number of incidents are still likely to imagine that their programs are “very effective.”

The study concluded that most enterprises do not actually know whether their data security programs work or not.

By John Kennedy

Photo: Most companies aren’t focused enough on protecting their secrets, a Forrester study has shown

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years