Compared with more familiar cybercrimes such as the theft of credit card, consumer health, and other personally identifiable information (PII), IP cyber theft has largely remained in the shadows. That's a conclusion that surfaced in an article by Deloitte, entitled The hidden costs of an IP breach.
According to Deloitte, most corporate cybercrimes receive little attention, perhaps because the impact on the public is less visible. Considering the potential brand and reputational damage, companies also have little incentive to report or publicize such incidents. Unlike PII breaches, IP theft has ramifications that are more difficult to quantify: fewer upfront, direct costs but potential impacts that might fester unnoticed in the background over months and years. Beyond financial loss, IP theft could result in loss of competitive market advantage or even entire lines of business to competitors or counterfeiters, or worse.
In the past, IP theft was typically perpetrated by inside thieves who gained unauthorized access to documents, computers, prototypes, and other physical things that might be considered or contain proprietary trade secrets. In the digital world, however, IP thieves can operate from anywhere via the Internet, dramatically enlarging the attack surface and the number of malicious actors – current or former employees, competitors, criminal and recreational hackers, and even foreign saboteurs. According to the report, of most value to digital criminals are trade secrets and proprietary business information that can be monetized quickly. Trade secrets can include drug trial data, a paint formula, a manufacturing process, or a 3D print design; proprietary business information might include a geological survey of shale oil deposits, merger plans, or information about business negotiations and strategies. Copyrighted data, such as software code for data analytics, is also now a popular target. With such a broad scope of information of interest to would-be thieves, IP theft is an issue across nearly every industry and market sector.
What is the true cost of an IP breach, and how can it be calculated when many of those costs are “hidden” or indirect and therefore difficult to identify and quantify? Deloitte points out that those costs can include not only well-understood cyber incident costs – such as expenses associated with regulatory compliance, public relations, attorneys’ fees, and cybersecurity improvements – but also less visible and often intangible costs that stretch out over months or even years, including devaluation of a trade name, revoked contracts, and lost future opportunities.
As challenging as it may be for executives to assess these longer-term and indirect costs, identifying and quantifying the full gamut of potential IP losses is essential to a company’s ability to prioritize its cyber defense efforts. In the report, Deloitte asserted the importance of developing well-defined cyber risk models that align with the specific nature of the given business. Those models can be broken into three specific phases:
Incident triage – in the immediate days or weeks following discovery of the attack, the company analyzes the extent of the breach, plugs any evident gaps in security, implements emergency business continuity measures, and responds to legal and public relations needs.
Impact management – the company takes reactive steps to reduce and address the direct consequences of the incident, including the activities required to repair relationships and IT infrastructure or to address growing legal challenges.
Business recovery – in the subsequent months and years, the company proactively repairs damage to the business, aims to counter measures by competitors looking to profit from stolen information, and shores up its cyber defenses with a focus on longer-term plans.
The report provides many more models and details on how companies can assess the true costs of an IP breach and offers advice on how they can beef up their cybersecurity defenses to protect against such breaches.
When it comes to IP protection, our major concern here at Wibu-Systems is protection of the IP that resides in our customers’ proprietary software and digital assets, which are typically the lifeblood of their companies and representative of countless man-years of development. Today, software is a key technology enabler for almost every industry – from healthcare, medical devices, and life sciences to financial, automotive, and multimedia. Software is also a key attack point for theft, counterfeiting, and reverse engineering. In the industrial world, software is driving the PLCs, sensors, and connected embedded systems behind the Industrial Internet of Things. And here again, software must be protected against those who would attack the integrity of these connected systems for malicious and harmful purposes.
Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.