Most organisations understand the need to protect intellectual property (IP), but many struggle to identify it, according to Stephane Charbonneau, chief technology officer at security firm Titus.
“Many seek to plug a black box into the network that will magically flag sensitive data that needs extra protection such as encryption, but that is hard for machines to do,” he told Computer Weekly.
The nature of intellectual property makes it difficult for purely automated systems to recognise it, which means employees need to be able to recognise, classify and protect IP.
“Protecting intellectual property depends on employees understanding what types of data are important to the business,” said Charbonneau.
Only once data is classified can IT systems identify risks associated with IP, such as when that data is being sent outside the organisation, sent to unauthorised recipients, or linked to unusual activity.
“Data classification can enable organisations to get more value out of other security systems, such as encryption, data loss prevention, document management, security information and event management, and email gateway systems,” said Charbonneau.
Tagging data and guiding users
Titus seeks to address the problem of employees accidentally leaking IP by helping them to recognise intellectual property and making it easy to tag data accordingly.
“Tagging data makes it possible to automate things like encryption, access control and identifying unusual behaviour such as a user attempting to print large amounts of IP data or suddenly downgrading the classification of data on a regular basis,” said Charbonneau.
The ability to track user behaviour regarding IP data is useful in blocking rogue insiders as well as external attackers using stolen credentials, he said.
Titus tackles classification by enabling users to tag data simply by clicking the appropriate classification button that pops up in applications used to create documents, such as emails.
“Hovering over the various classification buttons that are specific to the organisation provides tips to help users decide which is the most appropriate based on policy,” said Charbonneau.
Providing tool tips not only guides users, he said, but at the same time helps educate them about company policy on protecting IP and how to apply it.
“Providing alerts and guidance as people work provides a constant reminder of security policies, which is far more effective at keeping security training up to date than an annual security awareness video followed by three quick questions,” he said.
Organisations also have the option of logging user responses to identify trends over time and set a baseline to enable the technology to identify any deviations from usual behaviour patterns.
According to Charbonneau, it is important to provide education around the need to classify IP before the technology even hits the desktop, and then to back that up with guidance as it is being used.
“Users should be made aware that such technology is to be introduced, they should be asked for their input, and they should understand why they are being asked to be part of the security solution and why it is important for them to classify data as accurately as possible as they create it,” he said.
Automated data classification
Another way of helping to make classification easier is by using expression-matching technology to provide some automatic classification based on an employee’s role and the content of a document.
“If a document is being created by someone in HR and contains a name and social security number, it can be tagged automatically as confidential for use by the HR department only,” said Charbonneau.
A third approach to easier classification is to suggest a classification, but give the employee who is creating the document the option to choose another classification they think is more appropriate.
“Organisations can choose which approach or combination of approaches to apply to the whole organisation or specific departments within an organisation,” said Charbonneau.
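The role-plus-content rule and the suggest-then-override approach described above can be sketched as follows. This is an added example, not Titus code: the level names, the default tag, the name heuristic and the downgrade threshold are all assumptions made for illustration.

```python
import re
from collections import Counter

LEVELS = ["public", "internal", "confidential"]  # assumed labels, low to high

# Dashed US SSN, skipping never-issued ranges (area 000/666/9xx, group 00,
# serial 0000) so arbitrary digit runs are less likely to match.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Crude stand-in for name detection: two or more capitalised words in a row.
NAME_RE = re.compile(r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)+\b")

# (author department, patterns that must all match, level, audience).
# The single rule is the HR case quoted in the article.
RULES = [("HR", (NAME_RE, SSN_RE), "confidential", "HR only")]
DEFAULT = ("internal", "all staff")  # assumed fallback when no rule fires


def suggest(author_dept, text):
    """Suggest (level, audience) from the author's role and the content."""
    for dept, patterns, level, audience in RULES:
        if dept == author_dept and all(p.search(text) for p in patterns):
            return level, audience
    return DEFAULT


def apply_tag(user, suggested_level, chosen_level, log):
    """Keep the user's choice, but log any downgrade of the suggestion."""
    if LEVELS.index(chosen_level) < LEVELS.index(suggested_level):
        log.append({"user": user, "from": suggested_level, "to": chosen_level})
    return chosen_level


def frequent_downgraders(log, threshold=3):
    """Users who overrode a suggestion downwards at least `threshold` times."""
    counts = Counter(event["user"] for event in log)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    doc = "Employee: Jane Smith, SSN 123-45-6789"  # constructed sample
    level, audience = suggest("HR", doc)
    log = []
    for _ in range(3):  # constructed: one user downgrades three times
        apply_tag("user_a", level, "public", log)
    apply_tag("user_b", level, "confidential", log)
    print(level, audience, frequent_downgraders(log))
```

The downgrade log is what feeds the behavioural check mentioned earlier: a user who repeatedly lowers the suggested classification stands out for review.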
The key to a successful deployment of this type of technology, he said, is for organisations to come up with a relatively small set of relevant classifications that are meaningful for users.
Moving beyond classification, Charbonneau said it is important for organisations to inform users how they are expected to handle data or documents that are classified in a particular way.
“Again, technology can help guide users by automatically marking documents as ‘confidential’ and as being for the use of a particular individual or department only,” he said.
This helps prevent accidental or inadvertent leakage of IP, which accounts for around 95% of internal IP leaks, according to Charbonneau.
“By looking at the intended recipient of an email, sensitive IP data can also be blocked if someone in product development responds unwittingly to a phishing email sent by someone in sales,” he said.
Similarly, technology driven by data classification can block any attempts by employees to take IP data with them when they leave the organisation.
Help staff understand the importance of IP
Once organisations understand the benefits of a data classification-driven approach, Charbonneau said they should not underestimate the importance of getting their users on board as well.
“In addition to preparing users for the new technology in advance, organisations should consider introducing it in a phased way rather than introducing all the changes and policies on blocking and encrypting all at once,” he said.
According to Charbonneau, this is an effective way to get staff used to classifying data, as well as getting their input on classification types.
Because loss of IP is a growing concern for all businesses from small to large enterprises, Titus has adopted a per-user licensing model that is also based on the level of functionality required.
Titus is also looking at how best to meet the needs of small organisations that may have fewer than 100 employees but work in or supply industries such as aerospace with highly sensitive IP.
Stephane Charbonneau is to join Morpho CIO Laurent Porracchia to discuss overcoming insider threats to intellectual property at Infosecurity Europe 2015 from 2-4 June in London.