Intellectual property breaches often carry hidden business costs

Cyber thefts can chip away at a company’s reputation and bottom line for years

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Père Fran­cois Xavier d’Entrecolles, a Jesuit priest, trav­eled to Chi­na in 1712 and sent home let­ters reveal­ing secrets of how Chi­nese crafts­man pro­duced beau­ti­ful­ly del­i­cate porce­lain goods.

Clear­ly, indus­tri­al spy­ing is as old as com­pet­i­tive com­merce. Now the dig­i­tal age has made it much eas­i­er to steal intel­lec­tu­al prop­er­ty. Yet data breach­es relat­ed to IP theft rarely make news headlines.

That’s sur­pris­ing, con­sid­er­ing that the loss to the U.S. econ­o­my due to inter­na­tion­al intel­lec­tu­al prop­er­ty theft is esti­mat­ed at $300 bil­lion per year—and cyber theft increas­ing­ly is becom­ing the method of choice.

Relat­ed pod­cast: Why net­work defense has become a core busi­ness concern

Intel­lec­tu­al prop­er­ty is valu­able to orga­ni­za­tions because it cre­ates a com­pet­i­tive dif­fer­en­ti­a­tion in the mar­ket­place, says Don Fanch­er, prin­ci­pal at Deloitte Advi­so­ry and glob­al leader for Deloitte Foren­sics & Inves­ti­ga­tions.

So obvi­ous­ly alert­ing the mar­ket­place of the fact that there’s been a theft of IP would not be in the best inter­est of the cor­po­ra­tion,” he says.

In a recent Deloitte poll of 3,000 pro­fes­sion­als across mul­ti­ple indus­tries, man­ag­ing investor, client and cus­tomer rela­tion­ships was cit­ed as the main chal­lenge relat­ed to IP theft. Of 2,757 respon­dents to the ques­tion, 22.3 per­cent named that as the top chal­lenge, fol­lowed by assess­ment of what IP has been stolen and the impact of the theft (21.8 percent).

Don Fancher, Deloitte Advisory principal and Deloitte Forensics & Investigations global leader
Don Fanch­er, Deloitte Advi­so­ry prin­ci­pal and Deloitte Foren­sics & Inves­ti­ga­tions glob­al leader

Fanch­er says the chal­lenge of defin­ing the extent of the breach may be anoth­er rea­son why IP data breach­es remain under the public’s radar.

Often it’s very dif­fi­cult to ful­ly under­stand what data may have been stolen,” he says.

Per­haps the most sur­pris­ing find­ing from the Deloitte poll was that 20 per­cent of the respon­dents point­ed at employ­ees and oth­er insid­ers as the most like­ly to attempt IP theft. While insid­er threats, in gen­er­al, have been a grow­ing issue in cyber­se­cu­ri­ty, often­times those insid­ers are act­ing unwit­ting­ly or care­less­ly rather than maliciously.

It’s very easy to pick a vil­lain and say it’s some guy in a base­ment some­where prob­ing these net­works. In fact, that’s not always the case,” says Scott Petry, CEO of Authentic8, a vir­tu­al brows­er solu­tion provider.

Don’t under­es­ti­mate insid­er risk 

Petry says orga­ni­za­tions don’t treat inside and out­side risk equal­ly, often putting a dis­pro­por­tion­ate amount of effort into pro­tect­ing from out­side actors.

Scott Petry, Authentic8 CEO
Scott Petry, Authentic8 CEO

It’s crazy because we think about cyber­se­cu­ri­ty in the con­text of putting a big­ger wall around the orga­ni­za­tion in order to keep the bad guys out,” he says.

In an ear­li­er report look­ing at the hid­den impacts on busi­ness­es from cyber attacks, Deloitte iden­ti­fied loss of intel­lec­tu­al prop­er­ty as one of 14 cyber attack factors—and one of sev­en fac­tors that stay beneath the sur­face because of hid­den or less vis­i­ble costs.

Relat­ed info­graph­ic: The hid­den costs of data breaches

While assign­ing val­ue to these kinds of intan­gi­ble loss­es is dif­fi­cult, aware­ness among orga­ni­za­tions seems to be grow­ing. Deloitte’s poll showed that 17 per­cent of orga­ni­za­tions had a strong focus on secur­ing their intel­lec­tu­al prop­er­ty, and anoth­er 36 per­cent were work­ing on improv­ing their pro­to­cols. Addi­tion­al­ly, 58 per­cent of respon­dents believed the num­ber of IP cyber theft inci­dents will go up in the next year.

Adnan Amjad, cyber threat risk man­age­ment leader for Deloitte Advi­so­ry Cyber Risk Ser­vices, says that a few years ago, those num­bers would have been much lower.

IP theft more often on radar

There’s a lot more recog­ni­tion that these things hap­pen,” says Amjad, who also is a part­ner at Deloitte & Touche LLP. “I think there’s an increas­ing aware­ness that IP theft is as big of, if not a big­ger, chal­lenge (than PII theft).”

Anoth­er area of increased aware­ness, he says, is that this is not sim­ply a tech­nol­o­gy prob­lem. More orga­ni­za­tions are real­iz­ing that invest­ing in tech­nol­o­gy is not enough, and they need to enable the process­es around that technology.

Adnan Amjad, Deloitte Advisory Cyber Risk Services cyber threat risk management practice leader
Adnan Amjad, Deloitte Advi­so­ry Cyber Risk Ser­vices cyber threat risk man­age­ment prac­tice leader

Tech­nol­o­gy is an enabler, but this is a busi­ness issue,” Amjad says.

The first rec­om­men­da­tion he makes to clients, he adds, is to deter­mine what needs to be pro­tect­ed because “it’s hard to pro­tect every­thing effectively.”

Fig­ure out what’s real­ly impor­tant from a busi­ness per­spec­tive and work with dif­fer­ent stake­hold­ers across the enter­prise,” Amjad says.

Petry believes the new iter­a­tion of cyber­se­cu­ri­ty threats—targeted, back­door attacks rather than “front-door, bulk attacks” to steal credentials—means the own­er of intel­lec­tu­al prop­er­ty is not the only one who should be con­cerned about pro­tect­ing it. As com­pa­nies out­source every­thing from legal and pay­roll to billing ser­vices, the out­side ven­dors are just as much of a target.

If peo­ple are active­ly try­ing to extract intel­lec­tu­al prop­er­ty, law firms (and oth­er con­sul­tants or con­trac­tors) can be the weak link in the chain,” he says.

Because orga­ni­za­tions are so inter­con­nect­ed with their sup­pli­ers and ven­dors, Amjad expects to see more efforts to address insid­er threat through pro­grams such as behav­ior ana­lyt­ics. These kinds of require­ments already are com­ing down to con­trac­tors doing work for the fed­er­al government.

Even­tu­al­ly, more and more orga­ni­za­tions will require their con­trac­tors and sup­pli­ers to have some sort of ana­lyt­ics for their employ­ee base,” he says. “We see it already hap­pen­ing, espe­cial­ly in indus­tries that are sig­nif­i­cant­ly regulated.”