The term intellectual property (IP) is strongly associated with legal notions of patents, trademarks, copyrights and trade secrets, but it is likely that your enterprise's data represents a significant percentage of its IP and, for the typical organization, there's a lot of it. A discernible shift from attacks on records to attacks targeting enterprise IP, combined with the ease with which an enterprise's sensitive data can be created, published, distributed and consumed, calls out for an increased focus on identifying, classifying, and protecting your enterprise's intellectual property.
May 2012
Analyst Insight
Aberdeen's Analyst Insights provide the analyst perspective of the research as drawn from an aggregated view of surveys, interviews, analysis, and industry experience.

A Trend Toward Attacks on IP
Public reports of data breaches which focus on the sheer number of records or the average cost per record tend to overshadow a discernible shift in target towards intellectual property, for example:
- Breaches involving sensitive organizational data (11%), intellectual property (5%) and classified information (3%) represented about 1 of every 5 incidents in the Verizon Business 2011 Data Breach Investigations Report
- The 2011 attack on sensitive authentication information at RSA, The Security Division of EMC, was an interim means to a broader end, as evidenced by subsequent disclosures of related attacks on RSA customers such as Lockheed Martin
- The 2011 disclosure of a breach of the Nasdaq OMX Director's Desk Board Portal application (a communications and collaboration service for senior executives and boards of directors) compromised the confidential information of hundreds of publicly traded companies
This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.
end systems that it doesn't control, through networks that it doesn't control, to endpoints and end-users that it doesn't control.
It's easy to see that even this very simple model can be implemented in a wide variety of ways; for example:
- At the Aberdeen Group, research content creation and modification is the responsibility of the analyst; final review and approval is carried out by the editor-in-chief; publication is carried out by a team of research associates; distribution, archival and retirement are managed by a web services group; and consumption is by registered readers of Aberdeen or its content licensees.
- In a Microsoft SharePoint environment, one or more authors leverage the capabilities of the SharePoint platform to create, modify, review, approve and publish content; one or more administrators (who may or may not be the same individuals as the authors) leverage the capabilities of the SharePoint platform to distribute, archive and retire content; and one or more authorized collaborators leverage the capabilities of the SharePoint platform to consume content.
- In a social media environment such as Twitter, a single individual typically leverages the underlying social media platform to manage all aspects of creation, publication and distribution, for consumption by their self-subscribed followers.
By now it should be clear that securing your organization's sensitive data and intellectual property, particularly that which is created, published, distributed and consumed in digital form, is a task that calls out for closer alignment and coordination between traditional legal protections and traditional IT Security protections. High-level questions at hand for those conversations will probably include the following:
- Does your organization have an accurate, up-to-date inventory of its intellectual property?
- Does your organization have processes in place to identify and protect intellectual property that belongs to others? The trend towards increased collaboration, for example, may involve nondisclosure agreements which commonly call for the same standard of care for your business partner's confidential information as for that of your own organization.
- Does your organization have a process to prioritize the intellectual property that is worth protecting? Not all of this information has the same value to the organization, and therefore different classes of information represent different risks with respect to confidentiality, integrity and availability. Knowing what it is, where it is, and how valuable it is provides the foundation for taking such a risk-based approach.
- Does your organization involve its information creators in the classification of data, as part of its way of doing business? Data classification technologies can be a very useful means to this end, and those that involve the user (e.g., an auto-suggest feature at the time of creation) rather than short-circuit the user are more likely not only to reinforce policy but also to create a sustainable corporate culture regarding data protection over time.

2012 Aberdeen Group. www.aberdeen.com Telephone: 617 854 5200 Fax: 617 723 7897
Definitions
- Confidentiality (or privacy) refers to information being unintelligible except to authorized entities
- Integrity refers to information being unaltered or unchanged except by authorized entities
- Availability refers to information being available in a timely way, when and where it is needed
Fortunately, proven solutions for identifying and classifying your enterprise data are readily available to help address these questions, and Aberdeen's research shows that they provide capabilities which are consistently correlated with top performance, as recently described in Does Your Enterprise Classify Its Data? (January 2012).
- Classifications should apply regardless of the format of the information (e.g., electronic, paper, recordings, applications)
- Classifications should be unique and distinct (no overlaps)
- Classifications should be neither too many (which is likely to be confusing) nor too few (which may give the impression of being of too little importance or consequence)
Additional details, along with a summary of best practices found over five years of Aberdeen's benchmark research, are provided in the next section.
Best Practices: Aberdeen's Research Findings in the Classification of Sensitive Data and Enterprise IP
In six separate studies on data protection conducted over five consecutive years, Aberdeen's research has shown that data classification is a capability which is consistently correlated with the achievement of top performance (Figure 1). Compared to the lagging performers, the leading performers in each study are between 1.5 and 3 times more likely to indicate that data classification is a current capability.

Figure 1: Data Classification as a Current Enterprise Capability, by Maturity Class, in Six Independent Studies Between 2007-2012
Aberdeen's Maturity Classes
To distinguish Best-in-Class (top 20%) companies from Industry Average (middle 50%) and Laggard (bottom 30%) organizations in the area of data loss prevention, Aberdeen uses performance criteria such as the estimated number of the following incidents actually experienced in the last 12 months, along with the estimated year-over-year change: unauthorized access, audit deficiencies, and data loss or exposure. For full details, see each respective benchmark study.
Across all six studies, however, the percentage of all respondents who have implemented data classification is still less than half. Stated another way, the leading performers are significantly more likely than the lagging performers to have implemented data classification, but in general the use of data classification is still in an emerging / early adoption phase. Given the trends toward enterprise IP as a target for attackers, and the ease and speed at which digital content can be created, published, distributed and consumed by the enterprise and its business partners, some of the top drivers for increased adoption of data classification are already firmly in place.
- Documentation for exceptions to any of the above
- Definition of responsibilities, e.g.:
  - Data owner, who assigns the appropriate classification
  - Data custodian, who maintains the data and associated controls
  - Processes for transferring responsibilities from one owner or custodian to another
- Periodic audits of classification and ownership, and processes for remediation in the case of errors or inconsistencies
- Ongoing documentation, awareness and training for all information users, to make them aware of their responsibilities for handling data at each level of classification
we have to worry about the protection of our intellectual assets. In many cases, we have to deal with export control restrictions as well." Any data protection initiative that might introduce barriers to collaboration and information-sharing among Dow's scientific communities would be met with fierce resistance.

Specifically at Dow Corning, policies and standards were developed that require information assets (most typically, documents) to be classified and labeled, but these protocols were initially difficult to enforce. "Without consistent facilitation, our testing showed many failures of employees to implement the corporate security classification strategy properly," noted a project leader at Dow Corning. "We needed this consistency to drive a number of information security protocols that ultimately support and deliver the business value we were looking for."

Initially, Dow Corning developed its own solution for data classification and labeling, but migrated in 2008 to commercial solutions from TITUS (formerly known as Titus Labs), based in Ottawa, Canada. "We considered many other vendors and approaches to information management, but at that time found only TITUS in the security classification space." The TITUS solution was found to be simple for end-users, easily integrated with existing systems, and able to deliver to the standards that Dow Corning wanted to support, including an integrated online help capability to support the company's users in making the correct classification. Today, "documents are 100% assured to be classified," he explained. "We are currently working on options to achieve the same level with tagging, but there are other priorities for the business that we will be addressing first."

Asked about words of wisdom from their experience with a large data classification initiative to be shared with others, the project leader noted that the technical aspects are relatively easy to achieve; more profound are "the cultural behaviors that it can drive, and the continuous improvement barriers that otherwise could not be overcome, without classification being integrated seamlessly into everyday workflow."
Aberdeen's research indicates that enterprise initiatives that combine the highest accuracy in identification and classification on the front-end with the broadest flexibility for remediation on the back-end (thus putting the "P" in data loss prevention) are generally the ones that realize the top results. Said another way, the companies achieving top results in preventing the loss or exposure of sensitive data successfully use data identification and classification tools to prioritize what content is worth protecting, content monitoring / filtering technologies to identify and evaluate content in real-time across multiple channels, and complementary, endpoint-oriented technologies (such as device / port controls, encryption and secure file sharing) to enforce their established security policies.
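The three pieces just described (a classification label on the content, channel-aware monitoring, and an enforcement action at the endpoint or gateway), together with the owner-assigns / periodic-audit responsibilities from the policy checklist above, fit in a few dozen lines. The following is an added example written for this page; it is not Aberdeen's code, nor TITUS's or any other vendor's product logic. The three labels, the three egress channels, the keyword rules used for the auto-suggest at creation time, and the sample documents are all constructed assumptions.

```python
"""Label-driven data loss prevention check (added example, not from the report).

Assumptions (hypothetical): a small, ordered, non-overlapping label scheme,
three egress channels, and keyword rules that auto-suggest a label to the author.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Few, unique, distinct classifications, ordered from least to most sensitive.
LABELS = ("Public", "Internal", "Confidential")

# Channel policy: what the enforcement point does with each label on each channel.
POLICY = {
    "email_external": {"Public": "allow", "Internal": "block", "Confidential": "encrypt"},
    "usb":            {"Public": "allow", "Internal": "allow", "Confidential": "block"},
    "cloud_share":    {"Public": "allow", "Internal": "allow", "Confidential": "encrypt"},
}

# Auto-suggest rules, checked from most to least sensitive; first match wins.
SUGGEST_RULES = [
    ("Confidential", re.compile(r"trade secret|export[- ]controlled|\bITAR\b", re.I)),
    ("Internal",     re.compile(r"internal use only|\bdraft\b|do not distribute", re.I)),
]


@dataclass
class Document:
    name: str
    body: str
    label: Optional[str] = None  # label assigned by the data owner; None = unlabeled


def suggest_label(doc: Document) -> str:
    """Label a classifier would auto-suggest to the author at creation time."""
    for label, pattern in SUGGEST_RULES:
        if pattern.search(doc.body):
            return label
    return "Public"


def effective_label(doc: Document) -> str:
    """Label used for enforcement: the owner's label, escalated if the content
    suggests something more sensitive; unlabeled content gets the suggestion."""
    if doc.label is not None and doc.label not in LABELS:
        raise ValueError(f"{doc.name}: unknown classification {doc.label!r}")
    suggested = suggest_label(doc)
    if doc.label is None:
        return suggested
    return max(doc.label, suggested, key=LABELS.index)


def evaluate_transfer(doc: Document, channel: str) -> str:
    """Action for the enforcement point (endpoint agent or mail gateway)."""
    if channel not in POLICY:
        return "block"  # unknown channel: fail closed
    return POLICY[channel][effective_label(doc)]


def audit_labels(docs: List[Document]) -> List[Tuple[str, Optional[str], str]]:
    """Periodic audit: documents that are unlabeled or labeled below what the
    content suggests, as (name, owner label, suggested label)."""
    findings = []
    for doc in docs:
        suggested = suggest_label(doc)
        if doc.label is None or LABELS.index(doc.label) < LABELS.index(suggested):
            findings.append((doc.name, doc.label, suggested))
    return findings


# Constructed sample documents (not real data).
SAMPLE_DOCS = [
    Document("press_release.txt", "Acme announces second-quarter results.", "Public"),
    Document("process_notes.txt", "Internal use only. Draft batch schedule.", None),
    Document("recipe.txt", "Trade secret: silicone formula 47, export controlled.", "Internal"),
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        for channel in POLICY:
            print(f"{doc.name:18} {channel:15} {evaluate_transfer(doc, channel)}")
    print("audit findings:", audit_labels(SAMPLE_DOCS))
```

Two design choices worth noting: the owner's label is never silently lowered (the classifier can only escalate, so the user stays in the loop as the passage recommends), and an unknown label or channel fails closed rather than defaulting to "allow".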
For more information on this or other research topics, please visit www.aberdeen.com.
Related Research
- Enabling Access to Big Data; April 2012
- Encryption, Without Tears; March 2012
- Data Classification Meets Collaboration: Cross-Domain Monitoring and Filtering; February 2012
- Does Your Enterprise Classify Its Data?; January 2012
- Left to Their Own Devices: Does Your Enterprise Have a "Dropbox Problem"?; January 2012
- Email and Web Security, Differentiated: Protecting Content is King; November 2011
- DLP, the Ideal Referee: Let the Game Go On!; October 2011
- Secure / Managed File Transfer: Why You Should Be Looking More Closely Right Now; August 2011
- Why Don't More Enterprises Adopt Endpoint Encryption?; March 2011
- Putting the P in DLP; July 2010
- Content-Aware: The 2010 Data Loss Prevention Report; June 2010
- The Case for Enterprise Key Management: Higher Complexity and Scale at Lower Cost; June 2010
- Web Security in the Cloud; May 2010
- Email Security in the Cloud; April 2010
- Laptop Lost or Stolen? Five Questions to Ask and Answer; February 2010
- Enterprise Rights Management: Persistence Pays Off; August 2009
- Microsoft SharePoint: The Comedy (and Tragedy) of the Commons; July 2009
- The Cost-Based Business Case for DLP; June 2009
- Securing Unstructured Data; June 2009
- Data Loss Prevention: Little Leaks Sink the Ship; June 2008
Author: Derek E. Brink, Vice President and Research Fellow, IT Security (Derek.Brink@aberdeen.com)
For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter: the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500. As a Harte-Hanks Company, Aberdeen's research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen at http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.