Kilpatrick Townsend & Stockton and the Ponemon Institute jointly released a study this week pointing to the vulnerability of many companies’ knowledge assets.
The survey summary notes that research “was conducted to determine whether the publicity-accorded data breeches subject to notification laws and related regulatory requirements has skewed the focus of organizations away from the theft or loss of their most critical information, and to provide helpful practices to reduce the risk.”
U.S. data breach notification laws mandate that companies notify customers or related third parties if data that may cause injury can be compromised, typically customers’ financial and personal identifying information.
The regulatory focus on this information can leave many companies’ most important “knowledge assets,” things like trade secrets and corporate strategy, unprotected or undersecured.
Jon Neiditz, co-leader of Kilpatrick’s cybersecurity, privacy and data governance practice, said that data breach notification laws have really steered what company IT professionals recognize as at-risk data.
“What we see is that what we’ve gotten to know as data breaches really, really come to some extent from data breach notification laws,” Neiditz said.
Data breach laws demand that security professionals and IT specialists attend to the security of specific data, often to the detriment of stricter information governance systems. “The compliance requirements were forcing them towards focusing on the information they’re required to protect,” Neiditz said.
Neiditz noted this was a trend revealed in his work at Kilpatrick on company data breaches. While companies may know how to secure information subject to notification laws, other company knowledge assets often lacked appropriate security or oversight.
Larry Ponemon, chairman and founder of the Ponemon Institute, said that many companies fail to address data vulnerabilities to their most valuable information because a fix would require time and costs that they may not want to spend.
“They’re flying with their heads down because it takes real resources to fix the problems, but they’re real problems. The bad guys are becoming much more surgical in their attacks,” Ponemon noted.
While cyberattacks traditionally have worked to bypass company data security without a specific target data set in mind, Ponemon said that hackers are now more methodical in targeting vulnerable company data. Without appropriate information governance structures in place, companies risk their high value knowledge assets being targeted by these attacks, a cost perhaps far higher than that of protecting the data to begin with.
“A small amount of this high value information in the wrong hands could be maybe more costly,” Ponemon said.
Neiditz said that he hopes the release of this research will encourage IT professionals and company leadership to think more strategically and clearly about the kinds of data they need to focus their resources on, not just the data subject to data breach laws.
“The great opportunity for organizations is to recognize that the most critical data that [an] organization has is in dire need of protection, and that’s in part because the focus of information security programs has been kept away from a focus on the most critical information to organizations,” Neiditz noted.
The study identifies strong data governance, especially as aligned with a centralized control over knowledge assets and an IT security strategy, can help secure data better.
Although many may be tempted to run out and seek new data security software, the two authors say that comprehensive security changes require some strategic planning.
“There are no really quick and fast solutions. Technology is required to achieve a high level of information governance, but you need more than that, you need people who have the right skills, and you need an organizational culture that says, ‘We really do care about this,’” Ponemon noted.
That said, Ponemon noted that there are some basic things that companies can begin with to secure these knowledge assets, many of which they can do easily with tools they may already be using. Ponemon said that companies should consider things like “blocking and tackling tools, things you should have in place anyway.”
“It starts with information at high value should be encrypted or tokenized or redacted in ways that renders the information useless if someone sees the information even by accident,” he added.
Neiditz says that fixes like the ones Ponemon pointed to, and those highlighted in the report, may just require a rethinking of current data security tools and strategies.