New survey results from the Ponemon Institute are likely to send shivers down the spines of IT auditors, cybersecurity professionals, and risk managers. The alarming results say companies are losing the battle to protect digital assets and intellectual property from hackers and online thieves.
Here’s the lowlights: A whopping 82 percent of the IT security professionals the research firm surveyed say it’s either “likely” or “very likely” that their organizations failed to detect a security breach involving knowledge assets, up from 74 percent when the study was first conducted in 2016. It gets worse: The percentage of respondents who say it is likely that their company’s knowledge assets are in the hands of competitors increased from 60 percent in 2016 to 65 percent now.
“Despite the increased awareness and action, there is still a great deal of work to be done around knowledge asset security and protection,” warns Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the “Cybersecurity Risk to Knowledge Assets” survey of more than 600 IT security practitioners along with Kilpatrick Townsend, a law firm that specializes in IP protection.
The Higher Cost of Failure
The cost of a security breach involving knowledge assets also continues to climb. The average total cost incurred by organizations represented in the research due to the loss, misuse, or theft of knowledge assets over the past 12 months increased 26 percent from $5.4 million to $6.8 million.
Knowledge assets are defined in the study as confidential information critical to the development, performance, and marketing of a company’s core business that would trigger notice requirements under law. They include, for example, trade secrets; confidential information on product design, development, or pricing; and other sensitive non-public information about the organization.
According to the study, the most common vulnerability lies in the personal communications of company leaders, including e-mails, texts, social media correspondence, and other communications. Respondents ranked such communications as the most valuable knowledge assets, but also among the most poorly secured. Just 16 percent of respondents say these knowledge assets are appropriately secured, and 72 percent of respondents say these communications are among the most difficult to secure.
“Protection of information—whether the information of individuals or organizations, and whether from threats to its confidentiality, availability, or integrity or to the rights to own and use it—has become one of the greatest needs and challenges for all of our clients,” says Jon Neiditz, co-leader of Kilpatrick Townsend’s Cybersecurity, Privacy & Data Governance Practice.
A Few Bright Spots
Although the study revealed little good news on cybersecurity progress, there were a few bright spots. One is that companies have made progress on elevating the concerns about protection of digital knowledge assets up the ranks of executives to more often include senior management and the board. For example, 58 percent of respondents say their company’s board of directors is requiring assurances that knowledge assets are managed and safeguarded appropriately, up from 50 percent of respondents who said so in 2016.
Another positive development is that there is greater recognition that third party access to a company’s knowledge assets is a significant risk. As a result, more companies are requiring proof that the vendors and other third parties they do business with meet generally accepted security requirements (an increase from 31 percent of respondents in 2016 to 41 percent in this year’s study) and proof that the third parties adhere to compliance mandates (an increase from 25 percent of respondents in 2016 to 34 percent in this year’s study).
Companies are also doing more to address the risk of employee carelessness in the handling of knowledge assets. Specifically, they are requiring training and awareness programs focused on decreasing employee errors in the handling of sensitive and confidential information (73 percent of respondents) and confirming employees’ understanding and ability to apply what they learn to their work (68 percent of respondents).
The Cybersecurity To-Do List
The Ponemon study looked specifically at actions that high-performing companies are taking to prevent breaches that involve knowledge assets and encourages other companies to adopt such practices.
Those actions include:
- Greater attention from the board and senior management on the threats and risks of breaches that involve knowledge assets, and “buy-in” on prevention methods and other defensive measures.
- Restriction of employee access to knowledge assets based on their need to know and need to access such information to carry out their responsibilities.
- Audits to ensure adherence to practices and policies that safeguard knowledge assets. High-performing organizations are also significantly more likely to require independent audits by third parties.
- Regular training and awareness programs, as well as audits and assessments of areas most vulnerable to employee negligence.
- The use of certain technologies and processes specifically designed to protect knowledge assets, including identity and access management, privileged user management, access governance, and data loss prevention tools.
- Deployment of many digital transformation activities across the enterprise. Emphasis on a balance of the security of high-value assets while enabling the free flow of information and an open business model.
- Faster identification and containment of data breaches involving knowledge assets caused by a malicious outsider or careless insider.
While Ponemon’s latest study on the threats to knowledge assets indicates that a greater number of IT security practitioners acknowledge higher risk, companies that take such steps may find a better success rate in battling attempts to compromise online IP and knowledge assets. Certainly, we can only hope. It seems with each study and report on cybersecuriy, companies appear to be losing the battle to secure their digital assets. 
Joseph McCafferty is editor & publisher of Internal Audit 360°
Did you enjoy this article? Consider making a small donation to support independent business journalism at Internal Audit 360°. Click Here!
And much thanks to all of those who have already donated. Our success depends on it.