This article originally appeared on Medium.
In 1975, intangible assets such as intellectual property and goodwill represented less than 20% of the market value of the S&P 500 companies. Today, this situation has completely flipped, with intangible assets now representing 80% or more of the value of the S&P 500 and other competitive companies.
So how are companies protecting trade secrets, intellectual property and other confidential information? In our work, we find that organizations are spending a lot of time and money improving information technology (IT) security; however, the protection of valuable information is often still ad hoc, siloed and riddled with gaps. There is a better way, and the good news is that it is already part of how companies do business today. Enterprise risk management (ERM), properly applied, can help to protect valuable business information in a much more systematic and effective way.
Company value rests heavily on confidential information
A substantial part of the intangible assets of successful companies includes not only brand value and other traditional intellectual property, but also valuable confidential information including business and technology trade secrets. Whether one thinks of the Google search engine algorithm, SunTrust Bank’s customer data, or even McDonald’s “secret sauce,” it is obvious that many companies’ business models rely heavily on the confidentiality and security of valuable information.
Companies are also managing an increasing amount of their customers’ own confidential information, including via apps and cloud services, and are facing growing requirements to protect individuals’ “personally identifiable information” (PII) that the business collects and uses.
Theft and loss of confidential information is on the rise
New reports of the loss or theft of confidential business, technical and personal information appear almost every day. These can involve internal or external culprits, cybertheft or non-IT mechanisms, and deliberate theft or careless losses. Consider the following recent examples:
- Customer theft. The Sinovel Wind Group, a Chinese wind turbine manufacturer, last year was found guilty of stealing confidential and proprietary wind turbine technology from its former supplier AMSC, rather than paying AMSC for more than $800 million in products and services that Sinovel had agreed to purchase. AMSC lost nearly 50% of its market value as a result.
- Employee risks. Apple’s work to develop self-driving car technology has seen the separate arrests of two ex-employees on allegations of theft of confidential information on the project. Reports of the arrests and charges include claims that ex-employees had copied thousands of confidential files onto non-company computers, taken hundreds of photographs, and removed equipment from the Apple campus. (The ex-employees deny these claims.)
- Technology problems, careless practices. Reports following the cyber theft of millions of individuals’ personal details from credit-reporting company Equifax revealed not only server security flaws, but also the careless use of such easily guessed username and password combinations as “admin” / “admin.” Indeed, it seems that weak and stolen passwords are the cause of 81% of computer hacks—with users in their millions continuing to set up such easily guessed passwords as “123456,” “qwerty” and “password.”
Efforts to protect confidential information can be unfocused and ad hoc
Many companies are spending quite a bit of money and time improving their computer and network systems against cyberattacks, phishing and other such risks, but as the International Standards Organization (ISO) has noted, information security systems can only reflect the company’s identified needs and objectives. If these objectives do not specifically identify and address protection of particular types of confidential information, unidentified gaps in protection and risks to that information may still exist.
IT security breaches are also just one of many ways that a company’s valuable confidential information can be lost or stolen. Physical security lapses, employee disclosure or carelessness, third-party mismanagement, and inadequate policies or agreements are other common ways in which such information can be misappropriated. Even the best-designed IT security system cannot address the full range of such enterprise-wide risks; these are still managed in an ad hoc and siloed way at many companies.
Enterprise risk management is a valuable tool for protecting confidential information
The Center for Responsible Enterprise and Trade has explained that companies are increasingly implementing enterprise risk management (ERM) to help identify and assess a wide variety of risks that their businesses face, including those related to trade secrets and other information assets, and are implementing plans to manage these specific types of corporate risks in an integrated way.
In the words of PWC, this “provides companies with a means to identify potential gaps or exposures in their [ ] protection strategies and ideas to further their ability to safeguard their investment and mitigate future losses. It also provides critical information that enables companies to better understand the return on investment of improved trade secret protection and how to strategically allocate resources.”
Manage – Mitigate – Measure
Enterprise risk management for protection of confidential information consists of several steps in risk assessment—identifying the information to be protected and assessing the particular risks to such information; taking risk-management steps to protect such information more effectively; and carrying out ongoing measurement and improvement of such protections on a regular basis. This can be summarized as “manage, mitigate and measure”:
- Manage. ERM with respect to confidential information needs to start with a specific assessment of what the company’s most valuable and vulnerable pieces of confidential information are; with whom and where, inside the company or among third parties, such information resides and is used; what risks (vulnerabilities and threat actors) such information faces; and the likelihood and economic impact of those risks materializing. These all help to identify and prioritize the risks to the information that need to be managed.
- Mitigate. On the basis of such risk assessment, specific risk-management steps should be implemented in relevant areas throughout the company and with third parties. These may include improved policies and procedures, contracts, physical or IT security, third-party management practices, or other specific steps. Knowing what needs to be protected and the relative risks and consequences of data loss or theft will help to implement such mitigation steps in a targeted and cost-effective way.
- Measure. Protection of confidential information, akin to the management of other corporate risks, is not a one-shot project. Regular assessment, measurement and improvement of risk management is vital, and is best managed by a cross-functional team that carries out ERM with respect to these and other risks across all relevant areas of the company.
Protecting confidential information under various trade secret, cybersecurity, securities and data protection rules and standards not only requires “reasonable steps” to keep the information confidential, but increasingly requires assessment and management of the specific risks to such data. ERM not only helps with such compliance, but even more importantly can provide practical, effective ways of actually reducing the risk that a company’s valuable data will be lost or stolen.
Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org). Prior to founding CREATe in October 2011, Passman was the Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory Affairs, Microsoft Corporation. From 2002, Passman led Microsoft’s regulatory compliance work across a range of issues. She first joined Microsoft in 1996 and until 2002, led the Legal and Corporate Affairs organization in Asia, based in Tokyo, with a focus on Japan, Korea and the People’s Republic of China. Prior to joining Microsoft, Ms. Passman practiced law with Covington & Burling in Washington, D.C. and Nagashima & Ohno in Tokyo, Japan.