
Image shows a screenshot (top left) of the IP Protection Fireside Chat: Fasoo's Ron Arden, Hillary Fehr (GE), and Chris Babie (GE)

How to stop intellectual property leakage and theft in manufacturing?

That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise. 

In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.

In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.

What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:

*

Ron Arden: With everybody being remote, all of a sudden new threat vectors are appearing. There are things you didn’t even think about before. Somebody is going to copy something to their private OneDrive or their Dropbox account because it’s convenient. It’s easy to move stuff around. We all used to copy things to our USB drives, but now it’s just as easy to go to a cloud service. You know employees are just working along, and they’re not really worried about all of this.

Chris Babie: Exactly. Most of it is amiss on our [the IT security] side. If we told [engineers] the proper running rules, they wouldn’t perform that risky activity. People want to back up their data. Right now, there’s no help desk for them. I think people don’t want their productivity to dip. That’s a perfect example of the “I need to make sure my data is safe, hey, let me move it to my desktop” kind of thing. We need an answer for that now.

“A ton of new risk has bubbled up”

Hillary Fehr: And engineering machines, which typically were in a lab environment in the business before, now are in somebody’s home. That’s a whole other layer of risk that was never there. 

Chris Babie: We kind of knew that our “walls” in the manufacturing environment were okay. Now you’re worried about “does a virus now get on that machine?”, “is the home network protected?” It’s not even a data protection issue alone anymore. It’s also a home networking issue. A ton of new risk has bubbled up.

Ron Arden: Chris, what was your experience with other solutions that you use to protect and control sensitive documents?

Chris Babie: I think one thing that every solution struggles with in our world is scale. If you think about 300,000 folks, millions of transactions every single day, all these different mediums for transacting data. We already touched on the complex file types [see Part 1, IP Protection: “We need a tool with a wider scope”].

Our value is not driven by the standard stuff. It’s more in part files, CAD drawings. We were finding certain populations really love mobile. That’s just how they work. They’re very busy, they’re traveling, and it would work great on the endpoint. And then it would fall down.

We cover all these different complex workflows. Finding a solution that works everywhere is very challenging. It worked well when it was a standard workflow, very cookie-cutter. But we don’t do cookie-cutter at GE. 

This image announces a Fireside Chat on IP Protection in Manufacturing, with Fasoo CTO Ron Arden and GE Gas Power security researchers Hillary Fehr and Chris Babie

I talked about our vast network. I need a solution that works if it gets sent to an organization with 500,000 people and a supplier with three folks, and they’re more of like a mom-and-pop shop. We have a whole spectrum. We kind of cover everything, in terms of file types, network entity types… 

How do you find something that works everywhere? It’s a challenge.

Wanted: IP protection that “works everywhere”

Hillary Fehr: It’s got to be adaptable, especially with business requirements and environments. We know how quickly those can change. Last year was a big indicator of your ability to really pivot and adjust your priorities and approach, based on new risks that come up in the business.

Chris Babie: We touched on user experience. That’s literally everything – the main bucket. If the user experience wasn’t there… people do not like change. They just don’t.

We need to make sure that however they are working today, the technology works. That’s getting really hard to find with all these new solutions, cloud storage… It’s critical if we’re going to bring anything in-house.

Ron Arden: As you said, we all hate change. If we initiate the change, that’s different, but when the change is brought down on us – no. You got a job to do. The person who is creating the next generation of turbines has to focus on that. They cannot waste their time learning a new tool and completely changing their workflow.

And like you said, Chris: If you go out to GE’s smaller suppliers, they work the way they work. I mean, you might be able to impose some things on them. Still, they want to work the way they want to work. Mobile is extremely important today. Working with a flexible solution is key.

Adaptability is key, because the tool should adapt to you. You shouldn’t have to force yourself to adapt to the tool because that never works. People just get annoyed, and they don’t use it. 

I’d like to wrap up with one last item. Hillary, what advice would you give to people listening in?

Hillary Fehr: I would say you need to know where your data is. You need to have a strong process for identifying your data, tracking it, understanding the movement, how that data is used.

Until you have that, you really don’t know where you have sensitive data and how to protect it. Once you have a good understanding of what that data movement looks like and where that data is, you can start to build your approach to data protection.

Data protection is about auditability, too

Like we mentioned before, it’s also important to listen to the business because things are changing all the time. So you need to understand the business processes and be adaptable as they change and as the business priorities change.

You need to have standards and best practices in place. Not only to outline the do’s and don’ts for your end users, but also from an auditability perspective. It gives you legs to stand on.

Ron Arden: Chris, your advice? 

Chris Babie: We touched on it – communication and education. In the insider threat space, we wouldn’t see a dominant portion of the [insider threat] activity if we were simply upfront with them on how people are supposed to work, and how data is supposed to transact.

To anyone implementing a solution, I would say: Try to get really close to the business. Do you understand all the different use cases you’re going to encounter? 

At least in our world, there’s all this function overlap. If you’re going to implement anything, it cannot be in a silo. There needs to be a major partnership with the business. Everyone has to have a seat at the table before we go in any direction.

Hillary Fehr: That’s a good point, Chris. I think relationship management is a big part of getting their buy-in, too, and building out your process – because your data owners are the ones that understand your data and can help you to identify the best approach to protecting it.

Chris Babie: Having some of these basic “101” items – assets inventory, knowing your environment – gives you a head start, especially at our scale. It can be very challenging, as you can imagine.

Hillary Fehr: You have churn of employees and contractors, and people who may have known where the data was – years ago – are no longer with the company. That’s where you need to partner with the business and the functional areas to get to the heart of where things are and what they do with them.

Ron Arden: In essence, what you’ve been saying is that you need a solution that is location agnostic, because you have a lot of systems. Some would be legacy; some might be brand new. In the cloud, on people’s phones, home devices, engineering workstations…

So you can’t rely on a perimeter. There’s no perimeter anymore. It’s everywhere. I’m guessing you probably even have storage assets that you don’t even know about because somebody put a server somewhere in a room and nobody remembers what’s there, and then all of a sudden you find out something of value is sitting on that device.

Hillary Fehr: Or an endpoint in their bottom drawer of their desk.

Chris Babie (chuckles): I can confirm that our data is everywhere. Most organizations need to shift towards that [location agnostic] model. There’s zero perimeter today. Our data is all over the world, in every system imaginable. How do we make sure it’s protected wherever it goes? 

“Shift towards location-agnostic model” of data protection

Ron Arden: We have some customers with scenarios where they have to feed the data to machines. Those systems tend to be older, because of the cost of those types of machines. So you might even have a Windows XP machine that’s connected to one of these devices with important process information on it. 

It’s sensitive information. If you’ve got a contractor or a person who just ups and leaves the business and says, “Hey, this might be really cool for me to take to my next company,” you’re never going to know that, and something very important walks out of the door.

*

Do the scenarios mentioned in this conversation sound familiar? Most innovation-driven manufacturing companies face similar challenges, due to remote work demands under COVID. This explains why manufacturers increasingly rely on a file-centric approach to protecting intellectual property.

Fasoo Enterprise DRM comes with centralized policy management and granular controls baked in that can be adjusted flexibly by the data owner. This approach enables large organizations to provide maximum protection – across the enterprise and its supply chain – against insider threats and IP exfiltration at scale, while maintaining workflows and productivity.

Watch Ron Arden’s complete Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here


The transcript of this conversation has been shortened and edited for clarity and the blog format.

World IP Day 2021 Image - Technology

Did you know April 26th is World IP Day? It was designated by the member states of WIPO, the IP forum of the United Nations, to increase the general understanding of intellectual property and how it enables technological innovation.

Let’s celebrate with a roundup post. Perhaps you enjoyed the recent discussion on this blog with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie of the challenges involved with protecting IP in manufacturing? Or the insights shared by Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division, into IP theft and IP protection of CAD files in the automotive industry?

We know we did. For this World IP Day post, we asked more IP protection thought leaders what they think the biggest challenge is for manufacturers battling IP theft. Read their responses below:

“Fair is where you take your kids to eat cotton candy”

G. Mark Hardy, President, National Security Corporation

Photo shows G. Mark Hardy

For manufacturing companies, the fight against IP theft is complicated by:

  • lack of uniform laws throughout the world
  • governments that “borrow” IP and control their own courts
  • the expense of onshore manufacturing in the US

There is no “international patent.” To protect IP, one must file separately in each jurisdiction. Fees, different processes, and delays consume years while market opportunity erodes. Further, few comprehend the expenses and logistics involved in defending a patent overseas. Holding a patent only conveys the right to make a lawyer wealthy. It is no guarantee against unethical behavior.

Allegations of nation-states “borrowing” technology are well-founded. SolarWinds, Hafnium, and next week’s breach-to-be-discovered combine to yield varying estimates in the hundreds of billions of dollars.

Yet few executives invest in defenses against a phalanx of professional uniformed hackers. Contractors to the US Department of Defense (DoD) are getting religion in 2021, as failure to properly implement NIST SP 800-171 will result in sudden revenue loss. DoD realizes that wars are won on battlefields, not courtrooms. Denying unauthorized access to IP is the best form of offense.

Why not just manufacture everything domestically? In a word, cost. Salaries, benefits, regulation, liability, and lawsuits all encourage taking on the risk of overseas manufacturing. This creates a vicious cycle of race-to-the-bottom cost to beat out foreign competitors in a global market, who are enabled to achieve low cost without R&D expense through IP theft. Tariff wars offer temporary sanctuary but ultimately have adverse secondary effects.

Bottom line — don’t expect others to be fair. Fair is where you take your kids to eat cotton candy. The best offense is a powerful defense. Protect leading-edge IP like your life depended on it and relegate the other 95% to cheap manufacture. 

Combine your protected, domestically managed IP at final assembly, and build in anti-tampering / anti-theft to drive up the cost of theft as much as possible. 

You can’t totally prevent IP theft, but you can make the other guy have to work damn hard to earn a paycheck.

About the author:

G. Mark Hardy (LinkedIn profile) is founder and president of National Security Corporation, providing cyber security expertise to government, military, and commercial clients for over 35 years. A retired U.S. Navy Captain, he was entrusted with nine command tours throughout his career. A co-host of the CISO Tradecraft podcast, Mr. Hardy has presented at hundreds of events worldwide, providing thought leadership over a range of security fields. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a master’s in business administration, a master’s in strategic studies, and holds the CISSP, CISM, GSLC, and CISA certifications.

*

From trusted employee to thief: When did they flip?

Josh Linder, Principal Value Consultant at OpenText

The photo shows Josh Linder (OpenText)


The “biggest challenge” when battling IP theft? It’s really three things that come together in the end.

The first challenge is knowing where content exists. You can’t protect what you don’t know. With a greater focus on electronic tools and the cloud, information is everywhere, and normally poorly classified and secured. The irony is that employees and trusted parties often struggle to find data, and then are much more haphazard than attackers, who clean up nicely and cover their tracks.

Second, detecting insider threats poses a particular challenge. Organizations struggle to determine who “flipped” from being trusted to thief now (and when did they “flip”?). The reasons for insider theft (of intellectual property) are many. They tend to result from selfish motives (profit, vandalism, or, as a growing vector, disagreement with corporate social justice positions).

The final challenge is the one which people most often jump to first – blocking external threat actors. However, the work of external adversaries is not a single challenge – it is the culmination of inadequate protections against IP theft, rather than the root cause.

Tracing external threat actors to their origin is nearly impossible. Stopping them – taking action – is even harder. China, India, and Russia are cited as the most common origins of illegal IP usage, but talented, well-funded thieves are spread across the globe.

Many foreign countries are ripe for theft, since they give little credit to intellectual property rights and patents, with difficult legal systems favoring local firms over companies from abroad. Stealing and using recipes, plans, and fabrications is profitable and benefits everyone but the rightful owner.

In summary – the three parts of the challenge are: 1) knowing where the IP lives, 2) understanding internal threats, and 3) guarding against external risks.

About the author:

Josh Linder (LinkedIn profile) is a principal value consultant at OpenText, the leader in information discovery. He has over 20 years in cyber security, information management, marketing and business strategy. Josh previously advised security startups in the areas of marketing, business development, sales, and architecture.

*

“IP risks don’t get no respect”

The photo shows Paul Rohmeyer, Stevens Institute of Technology

Paul Rohmeyer, Stevens Institute of Technology School of Business

Large-scale consumer data breaches are regularly chronicled by business media. However, risks to intellectual property don’t seem to get the same attention and scrutiny. Despite IP’s high intangible business value, this may be one of the most significant inhibitors to securing IP.

IP and consumer data are both intangible assets. Without proper monitoring, leakage of either can go unnoticed. In both cases, data owners and custodians are victimized without their knowledge, as neither are deprived of their respective data assets in a breach (exception: ransomware attacks). 

Manufacturing organizations, by nature, are built upon foundations of innovation. They are the product of sustained focus on research and development as well as obtaining new IP via business acquisitions. It is hard to overstate the importance of protecting the IP base accumulated by most manufacturing enterprises, because the impact from IP theft can be substantial. 

Lost business opportunities, disrupted customer relationships, and reputational damage can have catastrophic effects on an enterprise in the long term. The immediate dangers are considerable as well. One example is a reduction in company value. This could influence merger and acquisition discussions, as well as stock valuation.

So why does battling IP theft still present such a challenge? The answer lies in the complexities of our interconnected IT and supply chain environments. This may also be why IP theft doesn’t get the same media attention as, say, major ransomware attacks.

Starting with a data inventory may be fundamental in theory. In practice, it proves uniquely challenging for many manufacturers and often requires specialized technical capabilities. Ideally, the identification of IP assets that need protection stretches across the increasingly complex supply chains to account for third-party risks.

Knowing where IP resides allows organizations to focus their IP protection and IP theft prevention resources more precisely on the most valuable assets. To accomplish this, organizations can rely on fundamental risk management techniques, starting with identification of IP in all forms and locations, both logical and physical.

The clear threats to IP, commonly known cyber risks, and substantial consequences of IP breaches need to guide the creation of an appropriate controls architecture. On the operational level, this will enable more active monitoring for signs of an attempted breach. Deployed strategically, its capabilities provide a critical basis for periodic re-evaluations of specific risks to IP.

About the author:

Paul Rohmeyer (LinkedIn profile) is an Associate Teaching Professor at the Stevens Institute of Technology School of Business in Hoboken, New Jersey.

*

“Growing focus on regulatory compliance”

Dr. Emma Bickerstaffe, Senior Research Analyst, Information Security Forum (ISF)

Photo shows Dr. Emma Bickerstaffe

Manufacturers have long been aware of the need to protect intellectual property, as it is often information of great value to the business that would cause a major impact if compromised.

However, efforts to secure IP have recently come under intense regulatory scrutiny, with a host of legal obligations that manufacturers must now adhere to as their IP traverses a tangled web of suppliers.

Legislative reform has meant that manufacturers are not only subject to stringent data protection laws, but must also comply with legislation that specifically governs the protection of trade secrets – a form of IP.

In the European Union, for instance, member states have all enacted legislation to implement the EU Trade Secret Directive into domestic law. In several jurisdictions, this marked the introduction of the first statutory definition of a trade secret, imposing strict legal requirements for confidential business information to qualify as a trade secret and benefit from legal protection.

This growing focus on regulatory compliance has compelled manufacturers to put in place technical, organizational, and contractual measures to safeguard their IP against cyber theft, corporate espionage, and misappropriation.

While a hefty challenge in itself, the real challenge lies in making sure IP receives the same level of protection when it is shared with third parties, such as business partners, suppliers and customers. Identifying exactly who has access to this sensitive data and how it is handled is a vital first step for manufacturers to protect their IP from adversaries and maintain their competitive advantage.

About the author: 

Emma Bickerstaffe (LinkedIn profile) is a Senior Analyst at the Information Security Forum, leading its research on cyber insurance, information security laws and regulation, data leakage prevention and building successful SOCs. Prior to joining the ISF, Emma worked for the New Zealand Government, providing policy advice on defense and security issues. Emma holds a PhD in international law from the University of Cambridge.

*

For more information on document protection and enterprise digital rights management, and to learn about the steps manufacturing companies take to counter IP theft, check out IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat on this blog.

Would you like to be included in Fasoo’s next IP protection-related roundup post? Drop us an email!

Image shows a screenshot (top left), Hillary Fehr (GE), and Chris Babie (GE) of the IP Protection Fireside Chat: Fasoo's Ron Arden

At the 2021 Apex Assembly Tech Leaders Northeast Summit in March, Fasoo hosted a discussion on IP protection in manufacturing. CTO Ron Arden spoke with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie about protecting R&D, product designs, specifications, and other sensitive intellectual property (IP). 

*

The typical person in a business creates and interacts with about 50 files a day. Most of this information is sensitive unstructured data or data contained in documents like CAD drawings, MS Office files, PDFs, and images.

Let’s look at an organization of 3,000 people, for example. You could see how quickly the numbers grow in a single day. Extrapolate this to a year, and you’re looking at a massive amount of files to manage. 

Image: Progression of Unstructured Data in the Enterprise (Infographic)

Security is crucial to prevent the leaking of critical information. Employees share CAD files and other documents throughout the supply chain and with other employees or contractors who may not be with your company forever. The most significant risk to a manufacturing company is the insider threat.

That insider threat could be someone with malicious intent who wants to steal your data. More commonly, it is someone who accidentally emails a file to the wrong person or puts a file into the wrong folder in your cloud sharing app.

Intellectual property (IP) loss results in competitive disadvantages that cost you time, money, and your reputation as a company. How can you securely share proprietary information through email, collaboration platforms, and mobile devices throughout your supply chain?

Defining the security perimeter in a large organization has become a major challenge, especially with so many people working from home. Your company may have employees or contractors using company-owned PCs connected to personal devices. 

Data may go back and forth between them for convenience. Somebody copies a file from their work PC to a personal computer and prints it. That may be convenient for them, but you lose all track of that sensitive data as a business.

 

IP Protection Challenges in Manufacturing

Enterprise-level IP protection requires file-centric security to ensure business continuity. How exactly do you protect your intellectual property inside a manufacturing environment?

This image announces a Fireside Chat on IP Protection in Manufacturing, with Fasoo CTO Ron Arden and GE Gas Power security researchers Hillary Fehr and Chris Babie

At the 2021 Apex Assembly Tech Leaders Northeast Summit, Fasoo CTO Ron Arden discussed this and related questions with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power.

Ron Arden: Hillary, what are the specific challenges in protecting your IP with solutions that only focus on standard Office documents? 

Hillary Fehr: I think Office files are a good example. We see a lot of sensitive information, whether it’s PII – Personal Identifiable Information – or other personal data in documents that HR, Finance, Legal departments may use.

Specifically in a manufacturing environment, when you start peeling back the onion layers, you realize that there’s a lot of sensitive data in other file types we maintain: CAD drawings are one example. We also have 3D PDFs. And even source code can contain potentially sensitive information.

So it’s important that we have a tool that has a wider scope, to allow us to protect any format of data that the business may find worth protecting. One of the challenges you face, though, when you focus specifically on Office, may be compatibility issues.

A Windows-based application works well on a Windows machine, but we also have a lot of Mac users. The user experience may be different. The level of protection or usability may not be the same that you would find on a traditional Windows-based machine.

You’ll also face challenges with external sharing. As a manufacturing business, we share with our suppliers and a lot of third-party vendors. They may not necessarily use the same toolset as we do.

That means you lock yourselves into one particular software package when you focus your IP protection specifically on your own toolset. For document protection, we want to have the flexibility to have a tool that works with various files and can be used for other software out there.

Image: Think file-centric document protection (Fasoo Enterprise DRM Infographic)

 

Ron Arden: The different file formats I mentioned earlier get converted to other formats, too. It’s not just one type through the whole workflow. Instead, a supplier may need it in a special format, so you need that flexibility to be able to manipulate your data and provide it in a usable format.

Speaking of workflows – Chris, what is your biggest concern about meeting data protection needs of such a large organization when different divisions can implement their own solutions?

Chris Babie: My biggest concern with an organization of our size is the volume of data we have to protect. We’re talking about millions of different files here. As Hillary said, very complex file types – it’s not just your standard Office-type documents.

 

“Not just your standard Office-type documents”

With an organization of our size, think about its vast network. That means I not only have to protect transactions within my walls. It’s also about how many hundreds of suppliers, customers we’re dealing with. Millions of transactions are happening every day. How do you protect all of those workflows?

The workflows themselves are going to be complex. If you think about the engineering space – how many different software packages are used, or different systems of data storage? How do you make sure your security solutions can scale?

As for the second part of your question, Ron – different divisions implementing their own solutions – that’s really a non-starter in our world. We need to have a unified vision and be consistent in what tools we’re going to use.

That’s because of the amount of data we share and how we’re all intertwined in this one ecosystem. If somebody were to go rogue and build something else, it’s bound to fall down once data moves over into another part of the business.

So we need to make sure that we partner across all these different functions, all these other businesses, and have a common vision of the solution that we’re going to implement.

Hillary Fehr: I would say common guidelines, too. The toolset is one thing. But also having similar standards that we all use to set that baseline for our users is important.

Ron Arden: It sounds like you don’t want even different divisions within your business to be acting as external partners, like your supply chain? They’re all part of the same company, so you need to share data internally. 

I understand it’s important to share with your supply chain. But you also need a set of common standards. Even at the level of a PC – if everybody was not using the same application, if I used Word and you used something completely different – all of a sudden we’re going to have obvious incompatibilities.

If you tried to create a unique data protection infrastructure under such circumstances, it’s going to be a nightmare.

Chris Babie: Yes, especially in this climate with its particular cost challenges. We need to make sure that there’s compatibility, or else we’ll have major productivity issues, and all of a sudden someone’s workflow totally breaks down.

We need to make sure that people can deliver the most value during these times. I think everyone’s in that cost-conscious setting. 

Hillary Fehr: The other thing worth adding is that we have many functions driven by Corporate. So Corporate not only touches their functional area, but also provides services to all these different [internal] businesses.

That means they need to have the same user experience for each business by having that consistency across the enterprise.

Ron Arden: And I can imagine, if you have engineers who just move between divisions, and somebody moved to a different division, and it’s a completely different regime… that can create productivity issues, as you said, Chris, and even training issues.

One thing I know about engineers is that they get used to a certain toolset, and that’s what they want to work with. So you can’t simply change the security infrastructure all of a sudden. That’s like pulling the rug out from under them. 

 

“Pulling the rug out” is not an option

Because then, they’re going to complain, and your productivity is going to suffer. Hillary, given that engineers help the company generate a lot of revenue through their work – how do you minimize impact on their workflow while protecting your IP?

Hillary Fehr: That’s a good question. It starts with educating our end users, getting their buy-in. For engineers to make the business money, you really need them to understand the “why.” 

Sometimes, it’s a matter of creating a shock factor, helping them understand the impact on the business if our sensitive data got outside our walls. Once you establish that and they understand the impact their data could have outside the business, then it’s a matter of slowly and incrementally working with them to build data protection into their already existing processes.

As Chris mentioned – we don’t want to interrupt workflows. We don’t want to stop business continuity. It’s important that we slowly get their buy-in and then work with them to identify key pockets of data and implement our solution.

That solution does have to align with current processes; they can’t overlay and cause them to have to change the way they do things. Otherwise, they won’t do it. Ultimately, it has to have a strong user experience, because if you have a tool that doesn’t work, they’re not going to use it.

Ron Arden: When you said “shock factor,” what you mean is proving to an engineer the impact it has if something leaves the business?

Hillary Fehr: Exactly. It could be our competitive edge, the financial impact, reputation – all of those different things. The data leakage doesn’t necessarily have to be caused with malicious intent. You need people to think about the criticality of what they’re working on, and if that were to egress outside of the business, what people could do with it.

Ron Arden: That’s a really interesting point you brought up – most of the time it’s not malicious. When something leaves the business, it’s usually what I’d call an “oops” situation, such as accidentally emailing the wrong file to somebody. Or I thought I was sending to Hillary, and I wound up sending to Hugh, who happens to be a competitor who’s in my address book.

The other point, as Chris mentioned, is the set of issues with working from home. People are moving things around for convenience. Maybe they’re moving it to a personal device, which is never good… – and accidentally, something happens, and your intellectual property goes out the door.


IP protection and work-from-home: communicate and educate

Hillary Fehr: That’s true in other functional areas outside Engineering, too, where team members aren’t security experts. You’ve got Financial, you’ve got Legal, you’ve got Sourcing – they interact with data all the time that they send out to suppliers to get bids.

They’re not thinking about what happens to that data. So you have to educate them on why it’s important that they take an extra step or do a certain task to preserve that data and make sure that it’s maintained.

Chris Babie: Ron, to your point – in this new remote world, organizations need to focus on communication and education. I can confirm that people don’t know the running rules of remote work – yet.

They have all these digital assets that were never next to their company-issued endpoints. And now there are these new risks. They’re not malicious. They just need to know what’s okay and what’s not. 

We would prevent many problematic activities if we were more proactive about data sharing, data storage, about: how should data move in this new world?

This remote arrangement is pretty permanent for a lot of folks. Organizations need to take the proper steps to learn how to protect their data within it.

Hillary Fehr: And it’s our job to educate them about what they can and cannot do, because these are new times. People don’t really know what the guidelines and guardrails are. 

*

Read Part 2 of this conversation here: IP Protection Over Workflows? “People don’t want their productivity to dip”

*

Is your company dealing with similar challenges? Encrypting and controlling sensitive data at the point of creation reduces insider risks and helps protect your intellectual property. When employees or contractors change jobs, for instance, you need to be able to immediately revoke their access to sensitive files.

Rather than focusing on protecting location – like a cloud or file server – the flexible and future-proof solution is securing the file itself with file-centric, enterprise-wide Digital Rights Management (DRM). 

Watch Ron Arden’s full Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here

*


The transcript of this conversation has been shortened and edited for clarity and the blog format.


Photo: Federal Courthouse in Portland, OR

Global manufacturers in innovation-driven industries are ramping up their document protection against intellectual property theft.

Can you guess what tops their priority list when selecting or expanding enterprise-wide digital rights management (DRM)? Here’s a hint.

But first, a quick look at the court dockets. Did you hear about that lawsuit filed by Intel in February against a former employee who joined Microsoft?

Talk about an IP theft textbook case. Intel accuses [PDF] a former product marketing engineer of exfiltrating “highly confidential, proprietary, and trade secret information” on his way out the door – to Microsoft.

So far, so common. That’s true even in the most security-conscious companies, as this most recent example shows. It highlights how a combination of three factors poses mounting risks to the IP of many tech and manufacturing companies: 

  • blurred IT and security perimeters with a plethora of unmanaged (storage) devices,
  • increasing competition, coopetition, and fluctuation of engineers and other key personnel with access to trade secrets between competitors,
  • the inability to centrally monitor, control, and police how employees access sensitive documents, especially when they leave the company.

It’s at that point where the IP protection capability mentioned in the title of this post can make all the difference; we’ll get to that in a minute. But first, let’s look at what allegedly happened when the Intel engineer left the company after ten years in January 2020.

What did he allegedly do, and how? The company alleges that on his last day on the job, the employee downloaded roughly 3,900 files from a company computer “to a personal Seagate FreeAgent GoFlex USB drive.”

Bar chart image with IT Security Alert Fatigue research results
Insider threats: How can almost 4,000 sensitive files get downloaded from a company-issued computer to an unmanaged device without anyone noticing? One possible – and common – explanation is alert fatigue. Data Source: Cloud Security Alliance


3,900 confidential files walk out the door at Intel

Hm, what? And he walked out the door with it where, and why? Fast forward to February 2021:

In the federal court filing [PDF], the plaintiff claims that the defendant – now Principal of Strategic Planning in Microsoft’s Cloud and Artificial Intelligence department – “used the confidential information and trade secrets he misappropriated […] in head-to-head negotiations with Intel concerning customized product design and pricing for significant volumes of Xeon processors.”

Ouch. Yes, these are only allegations so far. They have yet to be proven in court.

But however the jury finds in the end, the court filing is remarkable for what it reveals between the lines. Intel’s lawyers credit Microsoft and its forensic investigators for helping to unearth the “full breadth” of the alleged deeds.

Which gets us to the main point of this post: 


Was this IP protection failure preventable?

Granted, hindsight is 20/20. Yet from an IP protection perspective, one could argue that all of this would have been entirely preventable.

How do we know, you ask? It’s all laid out right there in the court filing. Intel, if we believe the lawyers, had insufficient visibility into and no control over an (ex-) employee’s access to and use of sensitive proprietary files. And indirectly, the company admits as much.

For example, the lawsuit alleges that once at Microsoft, the former Intel employee “accessed, viewed, opened or otherwise interacted with more than one-hundred documents taken from Intel […] at least 114 times” from his company-issued Microsoft Surface laptop.

Mind you, Microsoft’s helpful forensic investigators unearthed these (incomplete) insights only after the fact, according to Intel’s grateful lawyers.

Had the individual files been encrypted and their use governed by centralized policy management from the get-go, the engineer’s access would have ended with his tenure at Intel.


The case for DRM with centralized policy management

Cases like this should not come as a surprise. We’ve seen a rising wave of similar insider-related incidents over the past three years. The tech and mobility industries are bearing the brunt of the attacks.

The threat has caused more IT leaders to deploy enterprise DRM (also known as Information Rights Management, IRM). This file-centric, people-centric, and platform-agnostic approach enables organizations to protect unstructured data at rest, in transit, and in use.

Think MS Office documents, PDF files, images, or CAD designs, for instance. They are encrypted at the point of creation. The protection applies wherever a file is stored or moves to, inside or outside the organization’s perimeter.

File use can be monitored, access policies and permission levels centrally managed by IT, risk officers, and HR, and flexibly adjusted on a granular level by the data owner.

Let’s take a product design file protected by Fasoo Enterprise DRM, for example. It will check back in the background with a central Fasoo server when someone tries to access it. Does this user still have the proper authorization to open, copy, download, or print the document?

If not, it doesn’t matter if a former employee took it home on a portable hard drive or USB stick – IP protection is ensured. The document is worthless for whatever that person wants to do with it, locked with FIPS 140-2 level encryption that meets the requirements of the Cryptographic Module Validation Program (CMVP) of the US government. 


Nothing to see here after HR and IT flip the switch

In summary, file-centric document protection makes IP “misappropriation,” as alleged in the case brought by Intel, impossible.

Overview image: File-centric encryption and control with Fasoo Enterprise DRM

Centralized yet flexible and painless policy and exception management are among the top priorities for document protection program leaders when choosing an enterprise DRM solution, they tell us. Fasoo Enterprise DRM empowers IT, in coordination with HR, to set and change document use policies in sync with users’ employment lifecycle, from onboarding to the last day at work.
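The check-in-with-the-server behaviour and the HR/IT “flip the switch” offboarding described above, as an added example in Python that is not Fasoo’s code or protocol. The policy server, users, grants and design file are constructed sample data, and the HMAC-SHA256 keystream is a stand-in for a validated AES module, not something to deploy.

```python
"""Toy model of file-centric DRM with centralized policy management.

Added example, not Fasoo's code. An encrypted file can travel anywhere (USB
stick, home drive, a new employer's laptop), but opening, copying, downloading
or printing it needs a live authorization decision from a central policy
server, and offboarding a user there revokes every copy at once.
The stream cipher is a constructed stand-in for a validated AES module.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ACTIONS = ("open", "copy", "download", "print")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-CTR: XOR data with an HMAC-SHA256 keystream.

    Symmetric, so the same call encrypts and decrypts. Not for production use.
    """
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hmac.new(key, nonce + start.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


@dataclass
class ProtectedFile:
    """What actually sits on disk or on a USB stick: no key, only ciphertext."""
    file_id: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class PolicyServer:
    """Central policy store: content keys, employment status, per-file grants."""
    keys: dict = field(default_factory=dict)       # file_id -> content key
    active: dict = field(default_factory=dict)     # user -> still employed?
    grants: dict = field(default_factory=dict)     # (user, file_id) -> {actions}
    audit: list = field(default_factory=list)      # (user, file_id, action, allowed)

    def onboard(self, user: str) -> None:
        self.active[user] = True

    def offboard(self, user: str) -> None:
        """HR/IT 'flip the switch': every copy of every file stops opening."""
        self.active[user] = False

    def protect(self, file_id: str, plaintext: bytes, owner: str) -> ProtectedFile:
        """Encrypt at the point of creation; the content key never leaves the server."""
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[file_id] = key
        self.grants[(owner, file_id)] = set(ACTIONS)
        return ProtectedFile(file_id, nonce, keystream_xor(key, nonce, plaintext))

    def grant(self, user: str, file_id: str, actions) -> None:
        self.grants.setdefault((user, file_id), set()).update(actions)

    def authorize(self, user: str, file_id: str, action: str):
        """Release the content key only if the user is active and holds the grant."""
        allowed = bool(self.active.get(user)) and action in self.grants.get((user, file_id), set())
        self.audit.append((user, file_id, action, allowed))   # every attempt is logged
        return self.keys.get(file_id) if allowed else None


def use_file(server: PolicyServer, user: str, pf: ProtectedFile, action: str):
    """Client-side check-in: decrypt only when the server authorizes the action."""
    key = server.authorize(user, pf.file_id, action)
    return None if key is None else keystream_xor(key, pf.nonce, pf.ciphertext)


def lifecycle_demo() -> dict:
    """Walk a design file through an engineer's tenure; return the outcomes."""
    server = PolicyServer()
    server.onboard("engineer")
    server.onboard("designer")
    design = b"constructed sample: turbine blade geometry v7"
    pf = server.protect("blade-v7.cad", design, owner="engineer")
    server.grant("designer", "blade-v7.cad", {"open"})              # view-only colleague
    usb_copy = ProtectedFile(pf.file_id, pf.nonce, pf.ciphertext)    # copy taken home

    results = {
        "owner_opens": use_file(server, "engineer", pf, "open") == design,
        "designer_opens": use_file(server, "designer", pf, "open") == design,
        "designer_prints": use_file(server, "designer", pf, "print") is not None,
    }
    server.offboard("engineer")                                      # last day at work
    results["usb_copy_after_offboarding"] = use_file(server, "engineer", usb_copy, "open")
    results["denied_events"] = sum(1 for *_, ok in server.audit if not ok)
    return results


if __name__ == "__main__":
    for name, value in lifecycle_demo().items():
        print(f"{name}: {value}")
```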

One global technology manufacturer that is leveraging enterprise DRM to protect its IP is Fasoo customer ZF Group. This automotive industry supplier with 240 locations in 41 countries now deploys Fasoo Enterprise DRM to secure critical IP, such as CAD drawings and process information, across its global tech centers.

“Before, we had a few incidents where engineers with years of insider knowledge and access to documents left and joined a competitor,” said Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division in Livonia, Michigan.

“As a company, you spend years training engineers in the ways you do things, and they get access to your most intimate know-how and process knowledge,” he explained. “You cannot just block them; they need it. But you also need to be able to quickly adjust access privileges on a granular level, without delay.”

“It’s a fine line to walk,” Markus told us. “You have to find the right balance between maximum IP protection on one side, and productivity on the other. Fasoo helps us maintain this balance.”

*

To learn more about how to prevent intellectual property theft and leakage in manufacturing and supply chain environments while maintaining a competitive edge, watch our Fireside Chat at Apex Assembly Tech Leaders Northeast Summit on March 30th, 2021 with GE Gas Power cybersecurity researchers Hillary Fehr and Christopher Babie.

Protect CAD drawings

The rising wave of industrial espionage and intellectual property theft has manufacturers on edge. Are you tasked with finding the right Enterprise Digital Rights Management (EDRM) solution for your company?

Check out these five tips from IP protection experts in manufacturing. 

*

Are you looking into EDRM solutions to ramp up your organization’s IP protection? Congratulations, buckle up and hold on for the ride.

Because this is mission-critical to your company’s future, it’s only natural that you feel the pressure to dot all the I’s and cross all the T’s. The tips below will help you zoom in on the essentials quickly. The good news is that you’re not alone. Due to the recent surge in IP theft cases in the automotive, defense, aerospace, and other tech sectors, the heat is on for manufacturers. US and EU authorities are urging companies to ramp up their IP protection.

The response on the ground has been slow, but as an industry insider, you already know: it’s not for lack of threat awareness anymore. Most have read the memo:

  • We know who’s behind it. In more than 1,000 IP theft cases worked by the FBI in 2020, federal agencies found a connection with China. Officials warn that China’s theft of trade secrets costs the US almost $500 billion a year.
  • We also know who does most of the actual stealing or often unintentionally facilitates it: insiders. Manufacturing companies suffered more incidents attributed to malicious or negligent employees or contractors than any other industry except the healthcare sector (Verizon 2020 Data Breach Investigations Report).
  • The question many manufacturers keep grappling with: How to effectively stop IP theft without putting the brakes on workflows and productivity?

Most acknowledge that (E)DRM, also referred to as Information Rights Management (IRM), holds the key to IP protection. It enables companies to encrypt and keep tabs on their unstructured data, such as text documents, spreadsheets, images, or CAD/CAE files.

EDRM’s main advantage is its file-centric approach. This model lets organizations safeguard the information itself, at rest, in transit, or in use, rather than relying on – often unreliable – perimeter and device security.

That’s the theory. What about the practice?


How to Find a Manufacturing EDRM Solution That Supports Your Workflow

It’s in the trenches of IP protection where things get murky. The differences between EDRM solutions, even in the same field, could not be starker.

The EDRM field is void of standards. Many products are plagued by performance issues at scale.

Another problem is that even some larger EDRM vendors struggle to keep pace with application and document format updates, which renders their software ineffective and leaves their customers vulnerable to exploitation. 

In practice, this means that many EDRM offerings keep adding to the category’s historical reputation of being complex to deploy and manage. That compounds the pressure on those tasked with identifying and evaluating EDRM software for their organization.

Protect manufacturing IP using Fasoo Enterprise DRM
In manufacturing, you’ll find plenty of EDRM vendors to choose from. The downside: IT leaders and EDRM project managers tasked with evaluating, comparing, or upgrading an existing digital rights management package have to pick their way through a crowded field.

The offerings range from specialized niche packages for engineering studios to information protection modules tacked on by software giants to support their proprietary document ecosystems. 


Balance Between Security and Productivity is Key

Some boast only a few brand name deployments. Others may have a broad installed base across various verticals.

Fasoo Enterprise DRM, for example, is known for its ability to secure information across global organizations without compromising performance. Our flagship installation serves more than 170,000 internal users and more than 700,000 users at the customer’s affiliates and partners worldwide.

Our customers in the manufacturing sector tell us the main challenge for them was finding a future-proof EDRM solution that strikes the right balance between IP protection and productivity.

What do you have to look for in EDRM to ensure it will facilitate your company’s particular information workflow, without putting disproportionate strain on IT and budgets?

With the recent shift to remote work, finding the answer has become more urgent, likely in your organization as well. How can manufacturers secure, control, and track sensitive information accessed by employees from their work-from-home WiFi networks?

Which EDRM system can guarantee maximum IP protection and interoperability with the broadest range of applications and document formats used in your company and its digital supply chain?


5 Tips on How to Choose Enterprise DRM in Manufacturing

We asked our customers and other conversation partners in the manufacturing sector what IT leaders and program managers should keep in mind when selecting EDRM. They shared valuable tips that can help you save time and avoid costly mistakes:


1. Ensure that your EDRM provides full support for the broadest range of CAD/CAE applications and CAD file formats possible.

Why? Because the digital blueprints, design files, and computer-aided manufacturing instructions hold your company’s most valuable intellectual property and the keys to its future. While your company’s design or engineering team may only use two or three of these tools, this can change tomorrow due to an acquisition or outsourcing partnership.

Yes, out-of-the-box EDRM support for file formats rendered by Microsoft Office, Adobe Reader, business graphics applications, Geographic Information Systems (GIS), and software development tools is essential, too. As a rule of thumb, the EDRM system should support the 200 most common file formats at a minimum.

Yet it’s the range of relevant CAD file formats the EDRM system can protect, control, and track that makes it viable and future-safe for deployment in manufacturing. In the automotive sector, for example, this means support for applications such as AutoCAD, Autodesk Inventor, PTC Creo, CATIA, NX-CAD, and SolidWorks, to name a few.


2. Make EDRM exception management easy and straightforward.

If it holds things up and puts additional burdens on the data owner or IT, it will not serve your company well.

Many manufacturers have engineers working from home and plan to bring on new team members even during the pandemic, who will need to get up to speed fast. IT has its hands full with accommodating and securing remote work.

Does the EDRM software under evaluation require team members to file a ticket with support and hope for the best each time they need access to a document that’s necessary to get the job done?

Expect additional burdens on IT and productivity slowdowns. Plus, beware of users finding “creative” shortcuts (like sharing access credentials for an account with higher privileges) that put your IP at more risk than it was before.


3. Centralized policy management = better IP protection

If EDRM requires data owners to become security experts and check a confusing list of boxes without fully grasping what they mean and what the implications are, overall security suffers. Centralized EDRM security policy management that plays nice with all leading federated authentication systems ensures maximum protection with minimum disruption.

This way, EDRM improves oversight and ensures smooth handling of workflow changes, employee moves to other departments or roles, and onboarding/offboarding. It minimizes the risk of sensitive information being left open to access by employees who have left the company.


4. Ask (if applicable): Can the EDRM deploy self-contained on-premise?

SaaS is great but doesn’t always make sense for manufacturing companies that have to protect their investments in ERP and on-premise document systems. If yours is one of them, make sure the EDRM package you pick can fit right in with your IT environment.


5. Select an EDRM solution that supports any backend infrastructure.

In a sector known for its prolonged backend IT lifecycles, the enterprise DRM software you select should be ready for seamless integration with your existing backend IT infrastructure – and prepared for changes that may incorporate the cloud and SaaS.


These five tips for DRM considerations in the manufacturing enterprise should enable you to speed up the selection process and find the most effective and efficient digital rights management software to keep your company’s sensitive information safe. 

Intellectual property theft is costing America’s manufacturing companies billions of dollars. To provide appropriate IP protection and prevent your organization from becoming just another FBI statistic, the EDRM tools you choose for your fast-changing manufacturing environment need to ensure maximum IP protection without making productivity suffer.

To be effective, the new EDRM package should support all relevant CAD/CAE tools, workflows, and IT infrastructure, now and in the future.

Want to find out more? Read in this case study why an international automotive parts manufacturer selected Fasoo Enterprise DRM [PDF] to protect its designs and process information for conventional and autonomous vehicles.

For further information, contact our team here. 

Go Beyond Compliance to Protect Sensitive Data

Data breaches make headlines every day and companies across the globe struggle to meet changing privacy regulations, such as the California Consumer Privacy Act (CCPA), the upcoming California Privacy Rights Act (CPRA) and, of course, the General Data Protection Regulation (GDPR).

Data security is very high on the list of corporate priorities, with most organizations concentrating on protecting databases containing personally identifiable information (PII). Yet sensitive information subject to privacy or industry regulations is not found or stored solely in structured databases, but also in unstructured files like Microsoft Office documents, PDFs, images, and computer-aided design (CAD) drawings.

Companies create far more unstructured data than structured data, and the security controls used to protect structured databases are ineffective for it. This data contains not only PII but also intellectual property (IP) that, in the wrong hands, could cost a business its reputation and competitive advantage and lead to financial losses and even litigation. Most organizations do not focus on this constantly growing, invisible, and largely unprotected area.

Trusted insiders have overtaken cyber-attacks as the greatest threat to business. You trust the people you hire to do their job, but mistakes happen. The trust model is no longer sufficient to protect sensitive data, especially as working from home becomes more common.

How do you fix this? By taking the guesswork out of the equation and automatically encrypting files containing sensitive data. Doing so ensures that even if a file is accidentally sent to the wrong person, it is protected.

A recent report by the Aite Group, Sensitive Data Everywhere: Find It, Classify It, Manage It, and Protect It, discusses how quickly and easily unstructured data in files grows, and why it’s so important to include it as part of a data governance strategy. The report includes a case study of a global financial services organization that recognized the liability of not understanding and protecting its unstructured data inventory. The Impact Brief also provides guidance and recommendations based on the author’s findings after interviews with ten (10) technology providers of data discovery, classification and protection solutions.

To read the entire report, click here.

Streamline and Operationalize Security and Privacy Initiatives

Leading organizations are discovering how a protect first, file-centric approach fortifies data security and enhances data visibility to comply with privacy…

Data Visibility for Privacy and Security

The best approach is a self-reporting file method, one that automatically traces, gathers and records all document interactions without reliance on disparate network, application, and device logs…

Protect-First Approach To Data-Centric Security

There are three predominant methods in the market today to prevent loss and unauthorized access to sensitive unstructured data. Each is different and the best way to compare and contrast…

Six Vulnerable Points in Your Data Security Architecture and How You Can Protect Them

It’s time to do a quick check of key vulnerabilities impacting sensitive unstructured data that may arise…

What Unstructured Data is Sensitive?

Your organization’s sensitive unstructured data is a rapidly growing threat surface increasingly targeted by threat actors.

It poses unique security challenges, many that are not addressed by the majority…

Protect Trade Secrets against Insider Threats

Insider threat has been an issue for many years, but the consequences of these events have a strong and long-term impact on your business.

If competitive advantage isn’t enough reason to protect sensitive data, how about the legal costs?

The risk posed by insiders is again in the spotlight as Anthony Levandowski, a founding engineer at Google’s autonomous vehicle project, now known as Waymo after it was spun off in 2016, was convicted and sentenced to 18 months in prison. After 3 long years of legal proceedings in which Levandowski was charged with stealing trade secrets by downloading 9.7 GB of confidential files, he was sentenced to 18 months in prison and ordered to pay over $178 million in fines to Google.

Justice Served for Trade Secret Laws, But Levandowski’s Actions Have Significant Collateral Damage

Levandowski founded Otto, another autonomous vehicle technology company, after leaving Google, which was acquired shortly thereafter by Uber. A year-long legal battle ensued with Waymo claiming damages of $1.9 billion. A guilty verdict against Uber could have delayed its own self-driving initiatives for years.

Surprisingly, five days into the high-profile trial, the companies settled for a relatively small payment by Uber to Google of $245 million. The back story for the small settlement is that Google is an early investor in Uber, both recognized the damage to their brand reputation, and the cost of an extended trial was not appealing.

And It’s Not Over Yet

In an article by TechCrunch, the apology by Levandowski is noted, but a lawsuit by Levandowski against Uber for $4 billion to cover his legal fees has now been filed. Uber allegedly promised indemnity to Mr. Levandowski in anticipation that Google would sue him for entering a relationship with a competitor. The trickle-down effect means potentially more payout and certainly more litigation fees affecting an additional company, Uber.

Insider Threats Come In Many Forms

Insider threats don’t all have the high profile of Levandowski, nor the same origins. In his case, it was malicious and seemingly not for any real personal gain. Insider threat often involves documents emailed to private email accounts, copied to USB and other storage devices, or copied onto personal devices.

According to InfoSecurity Magazine, employee errors represent over 60% of the insider incidents, and in today’s climate with remote workforces, innocent errors are more likely to occur.

Most Breaches Involve Documents In The Form of Unstructured Data

The information Levandowski had taken was in unstructured document format: blueprints, design files, and testing documentation. He did not steal information from structured databases, where most businesses emphasize security.

Stop Insider Threat with Strong Protection and Behavior Analytics

IP that you just can’t afford to lose needs strong protection. It’s not good enough to simply prevent it from leaking through data loss prevention, because it can still get out. You need granular access control over the files, where they are encrypted and access is controlled. This is best done with enterprise digital rights management tools.

And you will generally want to have behavior monitoring in place as well, so that you can identify anomalies and spot someone who may be attempting to take information for malicious use or as a career move.

Never has there been a better litmus test for seeing how agile your business is than responding to a pandemic. A recent survey by leading research firm Gartner confirmed that most businesses will shift some employees to remote work permanently as a result of COVID-19. Even from home, employees need to collaborate securely with colleagues, partners and customers to stay productive and meet deadlines and goals. While video chat and instant messaging let you communicate, a lot of collaboration happens through documents. Ideally you want to easily share documents, make sure everyone is working on the most recent version, and be able to securely manage all your projects. With the major shift to working at home, the time to double down on data security is now.

Deploying a collaboration environment on the fly is not something you can do overnight, since it costs both time and money. The fastest way to hit the ground running and share files without losing valuable time is to use a cloud-based system with a web interface. This keeps projects on track with minimal disruption.

A key ingredient of secure collaboration is not burdening your employees or third parties with making security decisions. Wrapsody eCo is a secure and reliable collaboration platform that encrypts all shared files and makes it easy to collaborate securely. By configuring workgroups with built-in policies and permission management, your employees continue to work without worrying whether their decisions follow policy. You can also set an expiration date for your projects or revoke access to documents immediately, which simplifies security for users. They have a job to do and don’t need to worry about setting security policies.

Users can easily create a workgroup for a project and define security parameters, like permissions on downloaded files or view access to a document in a browser. Project managers can invite employees, partners and customers to the workgroup with a few clicks. As project members upload documents, they are automatically shared with the workgroup. Each workgroup has a centralized policy making it easier to enforce security on all documents.

As people work from home, they may fall into bad habits like downloading documents from protected cloud applications to work on locally. This is especially true if they do it out of frustration because the internet is slow or they are having problems with their VPNs. That could also lead to emailing files, only exacerbating unsafe data handling practices. In the Wrapsody eCo environment, downloading documents locally is a non-issue. When a user downloads a file, they can only open it if they have access permissions. If someone accidentally sends the file to an unauthorized user, it is still protected because the unauthorized user will not be able to view the contents.

The other challenge with collaboration is ensuring project members are working on the latest document. If you are updating a financial spreadsheet, for example, you can’t work on an old version. With Wrapsody eCo, you always work on the current version. As soon as you update the file and close it, it automatically syncs to a central location. The next time you open it, you get the latest version, secure in the knowledge that your data is protected and only available to authorized users.

Working remotely may become standard for a lot of people. Collaborating securely and effectively can ease the burden and ensure your data security controls protect your most sensitive information. And that should give you peace of mind.

Photo Credit: Graeme Butler


Protect data on laptops from terminated employees I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on. These are not necessarily acts of malice, but obvious desperation arising from the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

Overnight, companies across the globe were forced into a fully remote workforce. If you are prepared, under the best of circumstances, it can still be a challenge, but if you are not, the challenges are even greater and some things can fall through the cracks. People working from home can pick up a few unintended bad habits. With business continuity being the priority, data is even more at risk, as hackers and thieves see opportunity when your guard is down.

For companies that don’t have tools in place, and for that matter those that don’t have the right tools in place, here are some things you can do to keep your business on track while also ensuring the health of your employees.

  • Reiterate document handling policies – remind workers who create documents of your data classification scheme and to encrypt sensitive data whenever possible. When in doubt, encrypt.
  • Remind your work-at-home staff of your security awareness training (SAT), if you have a program in place – there have been many reports of phishing and other scams because bad actors take advantage of the population when it is vulnerable. Ensure your employees know how to identify these things, whether you have a formal program in place or not.
  • Data sharing over email – it is always a best practice to remind workers that care should be taken when sending an email with unprotected documents attached: double-check who is in the “To” field and that appropriate protection is applied to what is sent.
  • Working in cloud applications – a clogged and slow internet connection may have some workers pulling documents out of the application to work on them locally. For the sake of expedience, some of these documents may then be sent through email (see the previous point), shared on a Zoom or Teams video conference, or left on a local drive or in a folder, exposed to theft by outsiders.
  • Ensure your Wi-Fi has a strong password and that your computers have anti-virus software installed – for the unprepared, some workers may be working on personal laptops or desktops, may not have a VPN, may not have renewed the free anti-virus software that came installed (because “that will never happen to me”), and may not have set a strong Wi-Fi password when first setting up their internet connection. Now might be the time to ask them to change passwords and check licenses on security software.
  • Printing – discourage printing sensitive information on home printers. There isn’t much you can do to technically prevent this or to foster secure printing at home, so discourage workers from printing sensitive documents locally and encourage them to work within the applications instead. Besides, it is good for the environment (save a tree).

While all of these might seem like motherhood and apple pie, they are just good reminders at a time when things happen so fast.

Photo by Kate

How many times have you seen passwords attached to monitors on sticky notes? How about people who use the password “password” or “123456”? With a lot of us having to work from home because of COVID-19, data security and privacy have become more important than ever, since we are not in the protective confines of an office and many of us may have to use our home computers.

In 2020 we have a lot of great technology for accessing our computers, tablets and phones. You can unlock your phone with your face and your laptop with your thumb, but they are all still based on an initial password. We’ve all read stories about using strong passwords and how easy it is to guess people’s passwords. The fatal flaw in the system is that we need something that isn’t obvious, but that we can still remember. One of the simplest methods of creating a more complex password is to use upper and lower case letters and numbers plus a symbol.

There is a great site that can help you understand this.  Go to http://howsecureismypassword.net/ and type in combinations of letters, numbers and symbols to see what it tells you.  Another great site to help generate a stronger password is https://www.safetydetectives.com/password-meter/.  These are not foolproof methods of choosing a password, but will give you a good idea of what is secure and what’s not.

Here are a few examples. If you use “password”, a person or program can crack your password and access your information in seconds. If you add some symbols to it and use “pa$$word”, it would take a desktop PC about 3 minutes to crack it using a brute force attack. If you add a capital letter, a few symbols and a phrase after it to make it “Pa$$wordiseasy123”, it will take more time to crack than the history of the universe. You can see that by adding some simple variety, the job of stealing your password becomes harder.

Here are a few easy to remember tips for passwords:

  1. Don’t use a simple word or phrase, like password or 123456
  2. Use at least 10 characters, but preferably 12 or more
  3. Use upper & lower case letters, numbers and symbols in your password
  4. Use something that you can remember, so you aren’t tempted to write it down
  5. Don’t write your password on a sticky note and put it on your monitor
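The ordering in the examples above comes down to two numbers: the size of the alphabet an attacker has to assume once a character class is present, and the length of the password, because the brute-force search space is alphabet size raised to the length. The following is an added example, not code from Fasoo or from the post, that computes that search space for the three passwords discussed and checks a candidate against tips 1 to 3 (tips 4 and 5 are about human behaviour and cannot be checked in code). The guess rate of one billion guesses per second and the short list of common passwords are constructed assumptions; a real policy check would look the candidate up in a large breached-password list instead, and the absolute times will differ from the figures quoted by the websites mentioned in the post, which use their own models.

```python
import math
import string

# Constructed shortlist of well-known weak passwords. Assumption: a real policy check
# would consult a large breached-password list rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123"}

# Character classes and their sizes; string.punctuation holds the 32 printable ASCII symbols.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the alphabet a brute-force attacker must assume for this password."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def keyspace(password):
    """Number of candidates an exhaustive search covers: alphabet_size ** length."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password, guesses_per_second=1e9):
    """Worst-case seconds to exhaust the keyspace at an assumed guess rate.

    1e9 guesses/s is a constructed figure standing in for a GPU-class cracker,
    not a measurement of any particular hardware.
    """
    return keyspace(password) / guesses_per_second


def check_policy(password, min_length=10):
    """Apply the post's tips 1-3 and return the list of violations (empty means pass)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("tip 1: common word or phrase")
    if len(password) < min_length:
        problems.append(f"tip 2: shorter than {min_length} characters")
    missing = set(CHARACTER_CLASSES) - classes_used(password)
    if missing:
        problems.append("tip 3: missing " + ", ".join(sorted(missing)))
    return problems


def describe(password):
    """One-line summary: alphabet, bits of search space, exhaustion time, policy issues."""
    bits = math.log2(keyspace(password))
    secs = brute_force_seconds(password)
    return (f"{password!r}: {alphabet_size(password)}-char alphabet, {bits:.0f} bits, "
            f"{secs:.3g} s to exhaust, issues={check_policy(password)}")


if __name__ == "__main__":
    for pw in ("password", "pa$$word", "Pa$$wordiseasy123"):
        print(describe(pw))
```

Running the block shows “password” drawn from a 26-letter alphabet (26^8 candidates, exhausted in well under a second at the assumed rate), “pa$$word” from a 58-character alphabet, and “Pa$$wordiseasy123” from the full 94-character alphabet at 17 characters, which is why length combined with mixed classes dominates every other tweak. Note that the check does not catch leet-style substitutions such as “pa$$word” as a common word; that is exactly what a breached-password lookup adds over a purely arithmetic estimate.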

There are many systems, such as biometrics, smart cards and single sign-on systems based on SAML and OAuth, that are more sophisticated than passwords, but many of them still use passwords as their basis. Fortunately these are becoming more ubiquitous across computer systems and websites, but the simple password still rules.

Until we come up with another authentication system as simple and ubiquitous as the password, we are stuck with them.  Make sure you use a little common sense when choosing yours.  Here are some more tips on choosing a strong password.
