industrial espionage – J. Howard, CDO & CPO

In the span of a week, we’ve see data breaches affecting 600 million people. For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined. And the damage may not be done, as scammers and other bad actors frequently take advantage of the widespread confusion that follows these sorts of incidents.

Moreover, as the investigations unfold, we will begin to see the breadth and depth of what went wrong, who did what, and what steps must be taken to prevent this from happening in the future.

The risk manager in me says this will happen again, just as it’s happened before. Data experts know all too well the challenges in implementing controls proportional risk, and counter-balancing every data initiative with the right set of controls — starting with asking whether the proposed data collection or use benefits are worth the downside risk.

So what does this mean to a Chief Data Officer? In a word, everything. Why? Because data is at the center of every breach, and the CDO should be looking at the full picture around both data use and data risk. The emerging role of the CDO in business positions them as a key executive in helping to reduce the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.

Before a Data Incident

In the normal course of business, the CDO should be executing against the company’s data strategy and vision, and maintaining an inventory of critical data assets. The inventory should include key meta-data — ownership, obligations, location, permissions, value, uses, etc — which forms an important part of a periodic risk analysis.

The risk analysis considers threats, vulnerabilities, obligations and relative value of the data to conclude on appropriate protections. The more progressive CDO’s will construct a holistic threat analysis that answers the question, “what could go wrong?” or “how might information be breached?” taking into account behavior of personnel, company culture, key business activities and positioning of the company in the marketplace. Typically, such an analysis covers the spectrum from the seemingly mundane (accidents caused by carelessness or poor judgment), all the way to industrial espionage targeting company data, with a total of 5 or 6 categories in between. This analysis serves as a sounding board to validate the range of control activities, which includes everything from policy, to business practices, to training, to technical controls, and some instances where certain risks have to be accepted, insured against, or perhaps transferred elsewhere.

The CDO should provide business requirements to the CIO and CISO for appropriate technical measures to provide protections, which – depending on the sophistication of the company – could range from providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.

The inventory shines a light on whether all data on hand is truly necessary, or whether some can be disposed of. Moreover, the CDO’s analysis of business processes using data can also question whether all data being collected is necessary.

The Board of Directors, senior executive leadership and internal audit should – to appropriate degrees – be aware of how the company is using data as well as the CDO’s assessment of risk and mitigating controls. This will allow them to understand the risk/benefit around data use, and weigh in whether the business opportunities related to data use are sufficiently compelling.

The CDO maintains relationships with counsel to understand the legal aspect of obligations, and obtain sign-off on the sufficiency of the compliance programs. The CDO should understand their regulators’ expectations and requirements around handling data, making sure their protection controls meet regulator expectations. These steps are key, because most breaches — especially where regulated data is involved — will result in legal or regulatory exposure, and having transparency with counsel and regulators with streamline investigations.

The CDO should own (or be a key stakeholder in) the data incident management process. This is the process whereby data incidents — data loss, possible breaches or exposures — are logged, analyzed and investigated.

During a Data Incident

Sometimes, a target organization is aware of a data incident as it’s occurring. Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).

The CDO should be available to help answer questions about the nature and location of data that may be accessed, as well as to begin preparing post-incident planning. Some data owners (e.g., Federal Government) have explicitly defined time frames to report data incidents, the CDO can get ahead of these requirements.

Following a Data Incident

Companies should have a crisis management plan that includes defined procedures to be followed in the event of a cyber attack, data breach or exposure. The details of these plans are tailored to each company, and generally emphasize damage control and protecting the brand — which in itself may follow one or more tracks, based on the nature of the incident.

Stakeholders include senior leadership, legal counsel (sometimes supported by outside counsel), the head of security, the CIO and CISO, and often on-call cyber security consultants. The overall objective is to understand what happened, how it happened, who perpetrated the event, what data was affected, overall impact, and how to repair the damage and prevent the same thing from happening again.

Along these lines, the CDO should help assess the impact of the loss, in terms to cost to the company — defined as asset value, or competitive impact, or brand damage to the organization. The CDO can be a resource to analyze the nature of the data to determine whether external notifications are required, and – in conjunction with counsel – whether there is a regulatory impact. Who owned the data? Do regulators, customers, vendors, partners or clients need to be notified? Is there a timeframe requirement for notification and is there a specific process to be followed? Do affected parties need to be offered – or are they likely to demand – compensation?

The CDO can help analyze what went wrong, by having an understanding of the processes and policy around data use. Was there misuse of data or was it stored, processed or transmitted in ways it shouldn’t be? Was there a control failure, or absence of control?

This analysis concludes with a reassessment and remediation of processes and controls.

Conclusion

Most corporate leaders recognize the near-inevitability of a breach or hack. This is due to a variety of factors, including the increased complexity of information systems, coupled with the expansion of data-rich cognitive and robotics initiatives, many of which rely heavily on data. Data sets themselves are growing at a dramatic pace.

Companies are appointing CDO’s to try and coordinate the activities around the leverage of data, and increasingly, they are assigned responsibility for assessing and managing risk around data. This is not a bad thing at all, since it helps keep risk management activities proportional to risk and the nature of the data.

CDO’s should approach the challenge with a plan, emphasizing transparency and engaging appropriate stakeholders. Whereas today, Boards often look to the CIO and CISO to understand how data handled and protected, going forward they will increasingly look to the CDO.

When one thinks of spies and espionage, our imaginations usually turn to James Bond and Jason Bourne stories. But with the end of the cold war, many former intelligence officers found more lucrative opportunities in the private sector, offering their services to non-government organizations that were perfectly willing to leverage the research and development capabilities of their competitors.

Fast forward to a time where the economic competition between companies affects political tension between nations, where some nations see nothing wrong with applying techniques developed during cold and shooting wars to provide their own companies with ill-gotten advantages – even at the expense of political allies.

Politico recently published this article that discusses how companies in the Bay Area have become targets for industrial espionage originating from China, Russia and other nation-states. The article touches on the breadth and depth of the problem, including making a very interesting point that many companies choose not to prosecute espionage cases. Its remarkable that even when faced with irrefutable evidence, many corporate leaders choose to ignore the facts and fail to notify stakeholders, for fear of how it will reflect on them or affect share price.

There is no doubt that building defenses against industrial espionage is a complicated task, made harder because (1) information has to remain available and usable by the organization, and (2) the organization has to anticipate a wide range of attack “vectors” whereas the intruder only needs one to work. And if this wasn’t complicated enough already, industrial spies don’t just target computer systems, they target people. If truly successful, the organization won’t know they’ve been hit until they see a foreign version of their new product, far too similar to the original to be coincidence.

This is not an IT problem

Most organizational leaders equate information to technology, conclude this is an IT problem, and assign responsibility to the CISO to implement appropriate protections. This logic is flawed for many reasons, not the least of which is the CISO typically has little to no ability to enforce security policies for systems not “owned” by the CIO, nor have the organizational scope to address the behaviors of people.

Although information theft frequently include IT and cyber vectors, people are often near or at the epicenter of an espionage case. People enable the theft either by actively participating, or by carelessly allowing it to happen. Professionals who study espionage have determined that people are motivated to betray their employer (or country) for one of 4 reasons, using the acronym “MICE”:

Money – the actor either sees this as a way to get rich, or are financially distressed (in debt, recently divorced, have a gambling problem, etc).
Ideology – the actor believes the organization is somehow evil, and betrayal is a way for the actor to cause harm or suffering, thinking it was deserved,
Coercion (or Compromise) – the actor has a secret that makes them vulnerable to extortion, or are threatened with physical harm to themselves or their loved ones,
Ego – the actor thinks they are smarter than the organization, and can get way with it, or are enticed to spy believing it makes them more important.

None of these touch the ways in which people through their actions, innocently permit espionage to occur. People are helpful and hold the door for others – especially if their hands are full. Or take calls wanting to assist the caller (who they assume are authorized to ask what they are asking). People are reluctant to challenge strangers in the hallways, and a startling number of companies don’t require employees and visitors to display ID badges while on-site. Doors and drawers are left unlocked and clean-desk policies are seen as burdensome. There is widespread belief that “it can’t happen to us.”

Where does the CDO fit in?

Industrial spies seek to steal information to gain economic or competitive advantage, and work tirelessly on creative ways to get it.

In basic economic terms, its worth stealing information if theft is cheaper than developing it — assuming ethics aren’t an issue, and the risk of getting discovered is acceptable. So defending against the theft can be thought of as making it more expensive to steal information than it is to develop or acquire it through other means.

The CDO fits in because they are at the intersection of information use, protection and quality. They should be in the best position to understand what information is most valuable, or put another way, what information, if lost or stolen, would cause what degree of harm to the organization. And by understanding where and how information is stored and processed, they are in a good position to provide input on how to protect it.

The CDO’s strategy includes elements that are helpful to guard against industrial espionage. Some steps the CDO can take include

Classify information as an asset (even if informally, and not captured in the financial statements), and assign economic value, so that protections can be developed that are proportional to the value.
Inventory information and work with the Data Governance Council to identify those broad categories that are most vulnerable and attractive to a spy. They might include the obvious — patents, methods, formulas, algorithms — as well as some less obvious — executive contacts information, network diagrams, or even payroll information (knowing how much people are paid help know who may be vulnerable to financial pressure).
Liaise with corporate security to gain an understanding of how they are working to protect the organization. Many of these leaders are former law enforcement professionals, often don’t have an appreciation of the relative value of information within the organization, and will welcome allies on the “business side” to help raise awareness and improve corporate posture.
There is no doubt that nowadays, cyber is a vector frequently exploited to steal information. Liaise with the CISO to convey proper information protection requirements that need to be reflected in IT systems, proportional to the value of the information in question.
Again, working with the CISO and compliance groups, adjust data loss prevention (DLP) tools to monitor for exfiltration of the most sensitive information. These procedures need to include investigative and response processes, and may already exist (e.g., privacy rules often include requirements for breach management procedures, and these are very leverageable for this purpose).
A significant part of a risk mitigation plan includes raising awareness among the organization’s people — employees as well as contractors and third-parties. The CDO can spearhead this themselves, or collaborate with the group responsible for promulgating policy and procedures covering actions and behavior.
Some spies have figured out that if their primary target (say, a high-tech company) is too hard to penetrate, they will instead shift focus to the target’s advisors (legal, auditors, consultants, professional services), since they are trusted by the primary target, but are often more vulnerable and may have weaker controls. The CDO should understand what business partners and third parties have access or custody of information and — and along with the TPO (Third Party Oversight) function — can mitigate the relative information risk associated with them.

Protecting an organization against industrial espionage is very difficult for a wide range of reasons. And since the asset sought after by the spies is information, the CDO is central to implementing protections and managing risk. Success can’t be measure in absolute terms, but instead in increments — implementing small steps puts the organization in a better position than not having the small steps.

Contact me at james@jhoward.us

Tag: industrial espionage

CDO’s Role in Managing Data Breaches