IT security professionals continue to be hard-pressed to stay ahead of malicious hackers, but at least they’re growing more aware of the risks to their companies’ knowledge assets.
A large majority of them acknowledge it’s likely that high-value assets of their companies have been breached. Eighty-two percent of security practitioners said so in the second annual study on the topic by law firm Kilpatrick Townsend and the Ponemon Institute, conducted last December. That was up from 74% in the first study a year earlier.
Further, the proportion of respondents saying it’s likely that company knowledge assets are in the hands of a competitor rose to 65% from 60%.
Reported costs to recover from a breach rose sharply last year, to an average of $6.8 million, from $5.4 million in 2016.
According to the study, “knowledge assets” include profiles of high-value customers; information about product design, development, and pricing; pre-release financial reports; strategic plans; confidential information about existing relationships or contemplated transactions; source code; and research-and-development secrets.
Most respondents (84%) said the maximum loss their organizations could experience resulting from a material breach of knowledge assets exceeded $100 million, compared with 67% who said so in the prior study.
Companies are taking many actions that underscore their growing awareness of risks to knowledge assets.
For instance, boards of directors are increasingly requiring assurances that such assets are managed and safeguarded appropriately — 58% of survey participants said that’s the case at their company, up from 50% in the first study.
Also, 73% of respondents are focusing training and awareness programs on decreasing employee errors in the handling of sensitive and confidential information.
Further, there is greater recognition that third-party access to a company’s knowledge assets is a significant risk. More companies are requiring proof that third parties meet generally accepted security requirements (41% in the new study, compared with 31% a year earlier).
More companies, too, are aware that nation-state attackers are targeting corporate knowledge assets (61% of respondents, up from 50% in 2016).
Ponemon did a special analysis of 89 respondents who rated their organizations’ effectiveness at protecting knowledge assets as very high (a 9 or 10 rating on a 10-point scale). More than other organizations, these high-performing ones tend to:
- Restrict employee access to knowledge assets based on need to know.
- Conduct audits to ensure adherence to practices and policies that safeguard knowledge assets, and have such audits performed by third parties.
- Conduct regular training and awareness programs, as well as audits and assessments of areas most vulnerable to employee negligence.
- Determine employees’ understanding of what they learned in such programs and ensure they are able to apply what they learned to their work.
- Use certain technologies and processes specifically designed to protect knowledge assets; these include identity and access management, privileged user management, access governance, and data loss prevention.
- Be at a mature level of digital transformation, having deployed many transformation activities across the enterprise and balanced the security of high-value assets with the free flow of information and an open business model.
- Be faster at both identifying and containing a data breach involving knowledge assets caused by a malicious outsider or careless insider.