By Christopher Burgess and Richard Power

 

Christopher Burgess worked in the clandestine service of the U.S. Central Intelligence Agency (CIA) for 30 years. In the course of his career, he served both as chief of station and senior operations officer. Richard Power, as editorial director for Computer Security Institute (CSI) and then as director of global security intelligence for Deloitte Touche Tohmatsu (DTT), researched cybercrime and economic espionage for more than a decade. This article originally appeared in 2006 in CSO (Chief Security Officer) magazine and is reprinted with permission.

 

What do AOL, Time Warner, Corning, Avery Dennison and SigmaTel have in common? They're just a few of the many companies hit in recent years by trade secret, intellectual property and customer data theft. Allegations last month that a Coca-Cola employee tried to sell proprietary information to Pepsi have brought the issue to light again. Pass along to your CEO these elements of a complete program for protecting your company's lifeblood.

Organization: Where security reports within an organization is perhaps the most vital issue of all. Consider appointing a chief security officer who reports to either the chief executive office or the chief financial officer. This person should hold the reins of personnel security, physical security and information security, and should not be a stranger to the boardroom.

Awareness and education: Provide ongoing education to your workforce on the threats of economic espionage, intellectual property theft, counterfeiting and piracy. Help them understand your expectation that they will protect the enterprise's intellectual property, and by extension, their own livelihood. Provide general education for the entire workforce, and specialized education for executives, managers, technical personnel and so on.

Personnel security: Implement a program that includes both background investigations and termination procedures. You need policies that establish checks and balances, and you need to enforce them. Know the people you are going to hire. Don't lose touch with them while they work for you. Manage the termination process if and when they leave the enterprise.

Information security: Recruit certified information security professionals (for example, CISSP and CISM). Adopt best practices, and establish a baseline. Utilize appropriate information security technologies, such as firewalls, intrusion detection, encryption and strong authentication devices. Pay attention to data retention and data destruction as well as data access.

Physical security: It is pointless to invest in information security or background investigations if agents of an unscrupulous competitor or a foreign government can walk away with what they covet.

Intelligence: You need both business and security intelligence. Know your competition, your partners and your customers. Research the market environment. Keep abreast of the latest trends in hacking, organized crime, financial fraud and state-sponsored economic espionage. You can outsource this expertise. But someone must be looking at both streams of intelligence, with the particulars of your enterprise in mind.

Industry outreach: Actively participate in industry working groups appropriate to your sector and environment. Talk with your peers about the types of attacks or threats they are encountering.

Government liaison: Avail yourself of threat information from law enforcement, foreign ministries, elected officials, regulatory and trade organizations in your enterprise's country, and in those countries where you conduct business.

Legal strategies: Realize that even when right is on your side, a market may be lost to you, and protecting a portion of the global market is sometimes a viable survival strategy. Litigation is not the solution; it is confirmation that intellectual property theft has occurred. Work to protect your intellectual property and avoid the costs associated with litigation. Don't let a small legal mind make decisions about big legal issues. Get expert legal advice on intellectual property issues.