What were some of the lessons learned from your experience in IP protection?
We learned some hard lessons. First, it’s not easy for an IT group to identify all of the “crown jewels” – products, processes and other trade secrets. These live within the business units themselves, very distributed. We spent a hard 6 months just trying to surface all this stuff. Ultimately we were not successful. So we got the business unit leaders involved to help us identify everything. We got our CEO involved to make it an enterprise priority. We came up with a plan to segregate information properly, to restrict actions users could take, to implement access controls, etc. Another thing we learned is that actual usage of our IP differed from what the business thought was happening. For example, it was very common that copies were kept in local file servers and on users’ personal machines.
Is it the responsibility primarily of the CISO to protect a company’s IP, or is it a collective effort, the shared responsibility of all employees? How is that communicated?
It is a shared effort. Bottom line is the asset owner is accountable and responsible for its protection, and typically that falls to someone inside a business unit. IT can provide both tools and education. We can train the business to have greater awareness of the importance of IP protection. Our CEO communicated to the business groups to take IP protection seriously, so it came from the top. One of the first steps is to properly segregate information as necessary to better protect it.
What concrete steps did you take at DuPont to combat potential insider threats? Did you ever suffer an insider incident?
Our efforts started there. At DuPont we were too open and collaborative. Our R&D team wanted to preserve total access to everything by all researchers across all business units. They were afraid to close things off, choke collaboration and therefore stifle innovation. Then a disgruntled researcher left the company. This one guy started collecting tons of data out of our repositories. Terabytes of info were stolen. Luckily we observed this and began investigating it, shutting it down. This made us realize that we needed to control access to information on a “need to know” basis. We put greater controls in place. Like all things security, we took a layered approach – trying not to overkill, but some overlap in technologies is OK. For example, Digital Rights Management controls access and actions (e.g. share, print) that users are allowed to take with a particular asset. A data protection solution was installed across all machines, all repositories, tagging our “crown jewels” and beginning to manage protection with rules.
Tell me about the process of recovery from an IP breach – is it similar to a customer data breach or are there unique steps to take in incident response (such as legal action)?
At DuPont we suffered small breaches – those affecting maybe 100 people. Not multimillion dollar losses. You have to start every incident response with a breach notification process. The objective is always to minimize the impact, to contain the damage and to control the situation quickly. What’s different with an IP breach vs. customer data is you have the luxury of more time – days and weeks – for investigation and follow-up. We took all appropriate action: legal means, law enforcement, prosecution. The IT organization has to look at incident response as the combination of cyber threats and insider cases. One other important aspect of authorized vs. unauthorized disclosures as it relates to publicly traded companies like DuPont is that you have to inform the SEC in the event of a possible material loss from a financial threat.
Are IP protection and insider threats given the attention they deserve in a typical IT security team?
Yes. In manufacturing companies, they can get budget and attention these days. At DuPont, I can’t go into specifics publicly, but a couple of their businesses were significantly weakened, and ultimately had to be restructured, because of damage suffered by the loss of “crown jewel” information. I can assure you that my peers are taking it very seriously.
OK, so then where’s the pain now?
I think the perception is that this is a big, hairy problem with lots of complexities. They are now confronting how significant an effort it is to combat Advanced Persistent Threats (such as industrial espionage). CISOs want to know how to get some “quick wins” around the IP protection problem. Things we learned like segmentation of data, improving authentication, basic user awareness, etc. The key message is: Don’t give up. The challenge is large, but a few sectors have tackled it quite well such as Financial Services and Defense.