I recently completed a cyber risk consulting engagement at a major industrial company, applying the FAIR model through the RiskLens platform to determine the value of their intellectual property and the ROI of their control efforts. (For the details, download my case study Manufacturing Co. CISO Justifies Project to Protect IP from Cyber Theft.)
For manufacturing companies or any other organizations that heavily depend on processes or designs, a theft of intellectual property could be devastating, perhaps more of a long-term threat to the organization than the large-scale data breaches of personal information we hear about so often.
And in some important ways, IP theft is a different problem to tackle from more common data thefts—but nothing the FAIR model can’t handle. (For you FAIR fans, the analysis here is mostly on the Loss Magnitude side of the FAIR on a Page chart).
Here are some of my key takeaways about IP and cyber risk from the manufacturing company engagement:
The threat actors would most likely be operating on behalf of a competing product line – they will know specifically what they want and they will keep looking till they find it. For analysis purposes, a loss of all IP would not be probable and that helps with realistic risk measurement. The clients had a pretty good idea of what IP criminals would steal if they got in.
Intellectual property content tends to be scattered around large organizations in different functional departments and on different servers, depending on where, when and how the IP was developed, acquired or used. Part of securing IP is to identify and consolidate IP by type and value.
With data, you can go to public sources to research value – the value of a PCI record is a known quantity, for instance. The value of IP is likely to be unique to the organization, and it won’t be so simple as lost product sales – at this company, any one product is based on several different bits of intellectual content.
As FAIR analysts, we look for one or more of six forms of loss, and for intellectual property, competitive advantage loss is the best fit. This manufacturing company thought through the problem this way:
The client’s process to value IP assets was not as methodological as we’d like, but it was completely validated when they showed their results around the organization. Nobody said, “Where’d you get those numbers?” There’s no standard, and ultimately your analysis will have to be a communication tool that everyone agrees makes sense.
For more on how the manufacturing company CISO justified a project to protect intellectual property from cyber theft, read the case study.