Do you know who’s driving away with your IP? You Otto know.
Protecting trade secrets shouldn’t only be possible, it should be easy.
It’s a classic information security fallacy: If you think you have complete control over your sensitive intellectual property, you’re wrong. And, if you think you have partial control of that data, you’re still wrong. It’s playing out again in the world of tech giants. Earlier this year, an accidentally cc’d email lead to a shocking (but in hindsight, not that surprising) revelation: the former technical lead of Google’s autonomous car division, Waymo, may have abdicated with over 9GB of trade secrets while walking out the door to start Otto.
(If you want to read more of the proceedings, Kate Conger at Techcrunch is curating the authoritative, unofficial story behind the suit here.)
But, by way of these 14,000 highly confidential blueprints, hardware designs, and other technical specifications, Google is suing Uber and its self-driving truck acquisition, Otto. Could this be the lawsuit that wrecks Uber?
It may be months or years before the full story is told, but one thing’s certain: every organization that has a digital presence (that’s basically everyone) must flip their current information security strategy on its head and make profound changes if they’re going to protect against insider threats, phishing attacks, and other breaches.
Successful businesses are built on the ability to share, communicate, and collaborate with coworkers, outside contractors, and third parties; and we should continue doing so. But we need to stop allowing our most valuable data to travel without being encrypted, tracked, and secured directly.
Like it or not, your IP is leaking
Once upon a time, it was difficult to remove sensitive information from the enterprise. The typical enterprise consisted of a fixed set of access points, a single network, and a locked down ecosystem with a few privileged logins. And with a hierarchical management structure that isolated critical data to a few key, trusted leaders, keeping data secure and preventing unwanted viewers wasn’t a challenge.
Compare that with today. Employees’ access to sensitive information, and their ability to quickly duplicate, move, and share it long ago outpaced IT’s ability to patch the perimeter, block or quarantine information, and stop confidential data from leaving the enterprise’s control. With thousands of vectors for trade secrets to leave the enterprise — email, shared links, managed and unmanaged mobile devices, messaging platforms — businesses need a new security strategy to operate in today’s porous enterprise.
Data is the vital stuff of business, but to protect our crown jewels, we must start protecting what really matters: the data.
60% of businesses mistakenly send out sensitive documents
Don’t get me started on disgruntled insiders. According to a recent study by the Business Performance Innovation (BPI) Network, some 43% of organizations say they lack widely understood policies for securing internal documents. That’s a recipe for disaster, and a huge gap that enterprises have to close. Now.
And while competition should be fueled by innovation in the labs and on the roads, not through unlawful actions, there is enough money, opportunity, and appetite in highly competitive markets to give people the incentive to act against their ethical mores.
Here’s the good news: Data can be protected
It’s not a small problem, especially in IP-centric industries like design, technology, and manufacturing. Confidential product designs, manufacturing specifications, and supplier contracts are critical to maintaining an organization’s competitive edge. But, to ship successful products businesses have to collaborate with vendors throughout the global supply chain, which means there isn’t control over the entire process. A clear and granular chain of audit over trade secrets’ life cycle enables organizations to understand the legal liability — where it starts and where it ends.
So what can we do about it?
My analogy is simple: what’s the first thing you do just before you start your car? You ‘buckle up for safety.’ It’s automatic. It would be careless (not to mention negligent) to drive without basic protections in place. The same goes for protecting your data.
The moment you start to exchange information, whether through email, and external file share, or through a collaboration app, you’re exposing that data to countless vulnerabilities — like unwanted sharing and forwarding — unless you encrypt it first. Encrypting a document before sending (like hearing the click of your seat belt) will ensure the content arrives safely, and will stay safe until the person you’ve shared the information with has proved their identity, and rights to the file.
Done right, encryption, access controls, and other data protections can enable the trusted exchange of information. But without it, our technology and communications networks are susceptible to damaging attacks.
Confidential communications can be controlled
Most security teams today are balancing between two competing demands: securing intellectual property and enabling high-speed, high-quality production. Managers are hyper focused on protecting the business’ competitive edge and R&D — product designs, manufacturing specifications and supplier contracts — yet to ship successful products, the business must share highly confidential information throughout the supply chain and to employees who may not necessarily be with your company forever.
With multiple stakeholders and shifting production schedules, organizations must control everything from the supply chain all the way down to the confidential IP and trade secrets they share. And, they need full visibility into how partners are accessing and sharing that information. Most IT and security team’s current security tool box is limited in one critical way: once employees or third parties get access to proprietary information, all bets are off.
The future is data-centric
So what’s the answer? The key to delivering effective information security is taking a more data-centric approach. If we really want to future-proof security, an organization must be able to secure data through its entire life cycle, no matter who has access or where it’s stored. Today, possession of data does not equal the right to access it.
The good news is that our ability to protect data directly has finally caught up with our ability (and need) to share data widely. And we can do it in a way that improves trust and reduces friction across the ecosystem of enterprises, applications, and business relationships we all maintain.
I’d love to hear your thoughts on this challenge, and where you see opportunities to eliminate the friction in applying encryption and data-centric protection uniformly across industries. Comment below, or send me a note on Twitter @grantshirk.