Do You Know Who’s Driving Away With Your IP? You Otto Know.

The key to delivering effective information security is taking a more data-centric approach. If we really want to future-proof security, an organization must be able to secure data through its entire life cycle, no matter who has access or where it’s stored.

Mnet 191858 Cybersecurity 1
Ajay AroraAjay Arora

If you think you have control of your information, you’re wrong. Earlier this year, an accidentally cc’d email lead to a shocking revelation. Waymo, the self-driving car company owned by Google, sued Uber and its self-driving truck acquisition, Otto. Why? The former technical lead from Google’s autonomous car division allegedly stole trade secrets by way of 14,000 highly confidential blueprints, hardware designs, and other technical information before walking out the door to start Otto.

Could this be the lawsuit that wrecks Uber?

It’s unclear how Uber will try steer the ship, but one thing’s certain: every organization that has a digital presence (that’s basically everyone), must flip their current information security strategy on its head and make profound changes if they’re going to protect against insider threats, phishing attacks, and other breaches.

And I’m not proposing reverting back to fax machines. Successful businesses are built on the ability to share, communicate, and collaborate with coworkers, outside contractors, and third party vendors; and we should continue doing so. But we need to stop allowing our most valuable data to travel without being encrypted, tracked, and secured directly.

Like it or Not, Your IP is Leaking

Once upon a time, it was difficult to remove sensitive information from the enterprise. The typical enterprise consisted of a fixed set of access points, a single network, and a locked down ecosystem with a few privileged logins. And with a hierarchical management structure that isolated critical data to a few key, trusted leaders, keeping data secure and preventing unwanted viewers wasn’t a challenge.

Fast forward to today. Employees’ access to sensitive information, and their ability to quickly copy, move, and share it long ago outpaced IT’s ability to patch the perimeter, block or quarantine information, and stop confidential data from leaving the enterprise’s control. With thousands of vectors for trade secrets to leave the enterprise — email, shared links, managed and unmanaged mobile devices, messaging platforms — businesses need a new security strategy to operate in today’s porous enterprise.

Data is the vital stuff of business, but to protect our crown jewels, we must start protecting what really matters: the data.

60 percent of businesses mistakenly send out sensitive documents

Don’t get me started on disgruntled insiders. According to a recent study by the Business Performance Innovation (BPI) Network, some 43 percent of organizations say they lack widely understood policies for securing internal documents. That’s a recipe for disaster, and a huge gap that enterprises have to close. Immediately.

And while competition should be fueled by innovation in the labs and on the roads, not through unlawful actions, there is enough money, opportunity, and appetite in highly competitive markets to give people the incentive to act against their ethical mores.

Here’s the Good News: Information can be Protected

It’s not a small problem, especially in IP-centric industries like design, technology, and manufacturing. Confidential product designs, manufacturing specifications, and supplier contracts are critical to maintaining an organization’s competitive edge. But, to ship successful products businesses have to collaborate with vendors throughout the global supply chain, which means there isn’t control over the entire process. A clear and granular chain of audit over trade secrets’ life cycle enables organizations to understand the legal liability — where it starts and where it ends.

So What can You do About it?

My analogy is simple: what’s the first thing you just before you start your car? You ‘buckle up for safety.’ It’s automatic. It would be careless (not to mention negligent) to drive without basic protections in place. The same goes for protecting your data.

The moment you start to exchange information, whether through email, and external file share, or through a collaboration app, you’re exposing that data to countless vulnerabilities — like unwanted sharing and forwarding — unless you encrypt it first. Encrypting a document before sending (like hearing the click of your seat belt) will ensure the content arrives safely, and will stay safe until the person you’ve shared the information with has proved their identity, and rights to the file.

Done right, encryption, access controls, and other data protections can enable the trusted exchange of information. But without it, our technology and communications networks are susceptible to damaging attacks.

Confidential Communications can be Controlled

Most security teams today are balancing between two competing demands: securing intellectual property and enabling high-speed, high-quality production. Managers are hyper focused on protecting the business’ competitive edge and R&D — product designs, manufacturing specifications and supplier contracts — yet to ship successful products, the business must share highly confidential information throughout the supply chain and to employees who may not necessarily be with your company forever.

With multiple stakeholders and shifting production schedules, organizations must control everything from the supply chain all the way down to the confidential IP and trade secrets they share. And, they need full visibility into how partners are accessing and sharing that information. Most IT and security team’s current security tool box is limited in one critical way: once employees or third parties get access to proprietary information, all bets are off.

The Future is Data-Centric

So what’s the answer? The key to delivering effective information security is taking a more data-centric approach. If we really want to future-proof security, an organization must be able to secure data through its entire life cycle, no matter who has access or where it’s stored. Today, possession of data does not equal the right to access it.

The good news is that our ability to protect data directly has finally caught up with our ability (and need) to share data widely. And we can do it in a way that improves trust and reduces friction across the ecosystem of enterprises, applications, and business relationships we all maintain.

Ajay Arora is CEO of Vera

More in Cybersecurity