Knowledge assets are confidential information critical to a company’s core business – other than personal information that would trigger notice requirements under law – including trade secrets and corporate confidential information such as product design, development or pricing; other non-public information about the organization, its plans or relationships; or other crucial customer information.
What is the risk to knowledge assets?
A new Kilpatrick Townsend & Stockton and Ponemon Institute study was conducted to determine the extent of the risk and organizational effectiveness in safeguarding such data, to assess whether the widespread publicity accorded data breaches subject to notification laws and related regulatory requirements have skewed organizations away from a focus on theft or loss of their most critical information, and to compile and provide helpful practices.
More than 600 individuals familiar with their companies’ approach to managing knowledge assets and involved in the management process were surveyed.
Theft is rampant
Seventy-four percent of respondents say it is likely that their company failed to detect a data breach involving the loss or theft of knowledge assets, and 60 percent state it is likely one or more pieces of their company’s knowledge assets are now in the hands of a competitor.
Companies don’t know what they need to protect, or how to protect it
Only 31 percent of respondents say their company has a classification system that segments information assets based on value or priority to the organization. Merely 28 percent rate the ability of their companies to mitigate the loss or theft of knowledge assets by insiders and external attackers as effective. The great majority who rate their programs as not effective cite as the primary reasons a lack of in-house expertise (67 percent), lack of clear leadership (59 percent), and lack of collaboration between different job functions (56 percent).
Executives and boards aren’t focused on the issue and its resolution
A data breach involving knowledge assets would impact a company’s ability to continue as a going concern according to 59 percent of respondents, but 53 percent replied that senior management is more concerned about a data breach involving credit card information or Social Security numbers than the leakage of knowledge assets. Only 32 percent of respondents say their companies’ senior management understands the risk caused by unprotected knowledge assets, and 69 percent believe that senior management does not make the protection of knowledge assets a priority. The board of directors is often even more in the dark. Merely 23 percent of respondents say the board is made aware of all breaches involving the loss or theft of knowledge assets, and only 37 percent state that the board requires assurances that knowledge assets are managed and safeguarded appropriately.
The main motivations of attackers who steal a company’s knowledge assets
The cost is high, and it may not be covered
The average cost to remediate attacks against knowledge assets in the past 12 months was $5.4 million, with nearly 7 out of 10 respondents saying that the maximum cost estimates for such attacks would top more than $100 million and almost 5 out of 10 assessing the cost at more than $250 million. On average, only 35 percent of the losses resulting from the theft of knowledge assets are believed by respondents to be covered by their company’s current insurance.
Careless employees and unchecked cloud providers are key risk areas
The most likely root cause of a data breach involving knowledge assets is the careless employee, but employee access to knowledge assets is not often adequately controlled. Fifty percent of respondents replied that both privileged and ordinary users have access to the company’s knowledge assets. Likewise, 63 percent of respondents state that their company stores knowledge assets in the cloud, but only 33 percent say their companies carefully vet the cloud providers storing those assets.
“Companies face a serious challenge in the protection of their knowledge assets. The good news is there are steps to take to reduce the risk,” said Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute. “First of all, understand the knowledge assets critical to your company and ensure they are secured. Make sure the protection of knowledge assets, especially when sharing with third parties, is an integral part of your security strategy, including incident response plans. To address the employee negligence problem, ensure training programs specifically address employee negligence when handling sensitive and high value data.”