We are some twelve years into what should probably be called the Great Information Security Crisis. It started as a siege, with hackers and other cybercriminals grabbing whatever information they could (sometimes poorly protected, sometimes not protected at all) for the purpose of making a score.
The quaint days when a rash of identity theft was the worst outcome of an information security shortfall are long gone. The average cost of a breach, according to the 2016 Ponemon Institute Cost of Data Breach Study, is about $4 million, something many enterprises can absorb. The same carelessness applied to the security of trade secrets could be a game-ender.
Corporate espionage and trade secrets, once the MacGuffins of Hollywood blockbusters, are increasingly in the crosshairs of hackers, independent and state-sponsored, looking to get a leg up in new and old corporate sectors alike. Then, of course, there are the bad actors out to make a quick buck with a ransomware attack. These things have happened, and they will keep happening.
The response on the part of the private sector has been underwhelming. Yet the attacks have been stunning.
In December 2016, it was announced that the steel production and plant design divisions of ThyssenKrupp AG (TKAG.DE) had been the target of cyberattacks. Trade secrets were stolen and sites all over the world were affected. The company did not report the attack until its people had disinfected all systems and put new protocols and protections in place so that the next attack would not be so easy.
The U.S. International Trade Commission received a complaint in April 2016 from U.S. Steel about another suspected attack from the same part of the world. The complaint included a serious charge: "The Chinese industry has used its government to steal U.S. Steel's closely guarded trade secrets, and uses those trade secrets to produce advanced steel products it could not make on its own."
Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin after its computer systems were locked by a hacker who said access would be restored only when the money was paid.
DuPont's closely guarded formula for the white pigments it produces may have been hacked last year as well. The list is endless.
The theft of trade secrets is nothing new, but the way they are being stolen is. Security has never been a more valuable asset.
It's All About Security
I'd wager most CEOs don't know how their most valuable information is protected, because if they did, and understood the endless vulnerabilities, things would change fast.
While the federal government explores the possibility of a universal identifier, and privacy hawks fight the idea tooth and nail, enterprise needs solutions now.
It's worth noting that the measures that protect trade secrets can't simply be handed to clients and customers. But if some of the biometric security used to protect trade secrets were offered to the public, with people able to buy their own biometric scanners that were supported on the receiving end, I am certain that route would quickly become popular, and scanners would become more affordable as the new paradigm spread.
So, what are the best ways? Air-gapping information that doesn't need to be available on a network is a good idea: there should be no connection between your most valuable data and the outside world. Bear in mind that an air gap is only as good as its enforcement, and removable media and maintenance laptops are the usual ways it gets bridged. Proprietary information is best kept within a tight circle, with very few people allowed into it. Credential only those who absolutely need access, require two-factor authentication, and then set strict rules about how the information travels, if it is allowed to travel at all.
"When I was in the Air Force, there were certain facilities where my identity was positively verified with two pieces of information," Eric Hodge, director of consulting for my company, CyberScout, told me when I asked about physical security measures. "I would enter a small room alone. My iris was scanned by a device mounted on the wall. At the same time, the floor of the room was calibrated to measure my weight. Together, my weight and iris scan positively identified me."
People talk about three modalities of authenticating identity: something you have (an ID card or a token generator), something you know (a password or a phrase), and something you are (biometric identifiers such as iris scans and fingerprints). Strong authentication is generally defined as two identifiers drawn from two different modalities. Weighing in and scanning your iris are two identifiers from the same "something you are" category, so strictly speaking that room is a very thorough single-factor check rather than two-factor authentication. It would be very difficult to fake, and pairing it with a badge or a PIN would make it genuinely two-factor.
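To make the need-to-know, two-factor and data-movement rules above concrete, here is an added example of a deny-by-default authorization check for a trade-secret store. It is my own illustration, not code from CyberScout or the Air Force, and the authenticator names, secret names and principals in it are made up. It also shows the factor-counting point: an iris scan plus a weight check are two identifiers from one category, so the check counts them as a single factor.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Illustrative authenticator-to-factor mapping; the names are assumptions
# for this example, not a standard taxonomy.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "id_card": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "iris_scan": Factor.ARE,
    "fingerprint": Factor.ARE,
    "weight": Factor.ARE,
}


def distinct_factors(authenticators):
    """Return the set of factor categories covered by the presented authenticators.

    Two authenticators from the same category (iris scan + weight) still count as
    one factor: multi-factor means distinct categories, not a count of checks.
    """
    try:
        return frozenset(AUTHENTICATOR_FACTOR[a] for a in authenticators)
    except KeyError as exc:
        raise ValueError(f"unknown authenticator type: {exc.args[0]}") from None


def is_multi_factor(authenticators):
    return len(distinct_factors(authenticators)) >= 2


@dataclass(frozen=True)
class Secret:
    name: str
    need_to_know: frozenset          # explicit allow-list of principals
    may_leave_enclave: bool = False  # is export/copy ever permitted?


@dataclass(frozen=True)
class Request:
    principal: str
    secret: str
    action: str                      # "read" or "export"
    authenticators: tuple


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def authorize(req, secrets):
    """Deny by default; every failed rule is recorded so an audit log shows why."""
    decision = Decision(allowed=False)
    secret = secrets.get(req.secret)
    if secret is None:
        decision.reasons.append("no such secret")
        return decision
    if req.principal not in secret.need_to_know:
        decision.reasons.append("principal is not on the need-to-know list")
    factors = distinct_factors(req.authenticators)
    if len(factors) < 2:
        decision.reasons.append(
            "fewer than two factor categories presented: "
            + (", ".join(sorted(f.value for f in factors)) or "none")
        )
    if req.action == "export":
        if not secret.may_leave_enclave:
            decision.reasons.append("this secret may not leave the enclave")
    elif req.action != "read":
        decision.reasons.append(f"unknown action {req.action!r}")
    decision.allowed = not decision.reasons
    return decision


# Constructed sample data for a stand-alone run.
SECRETS = {
    "alloy-process-spec": Secret("alloy-process-spec", frozenset({"alice", "bob"})),
}

if __name__ == "__main__":
    for req in (
        Request("alice", "alloy-process-spec", "read", ("password", "hardware_token")),
        Request("alice", "alloy-process-spec", "read", ("iris_scan", "weight")),
        Request("carol", "alloy-process-spec", "read", ("pin", "id_card")),
        Request("bob", "alloy-process-spec", "export", ("pin", "id_card")),
    ):
        d = authorize(req, SECRETS)
        print(req.principal, req.action, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The check never short-circuits on the first failure (except for an unknown secret), so the reasons list tells an auditor everything that was wrong with a request, and an unrecognised authenticator type is an error rather than a silently ignored factor.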
When it comes to protecting trade secrets, the U.S. Air Force's protocol might be an important starting point for what your company needs. If it seems like the security of the future, let me assure you that the future is now.