Intellectual Capital Cybercrime Survey: Companies Reluctant To Investigate, Remediate Sensitive Data Breaches
March 29, 2011
In the face of growing evidence that cybercriminals are increasingly focused on intellectual capital and other proprietary business information, many organizations around the globe are nevertheless unlikely to investigate breaches and/or take remedial action. Only a quarter of organizations conduct forensic analysis of a breach or loss, and only half take steps to remediate and protect systems for the future after a breach or attempted breach, according to survey data in the McAfee-Science Applications International Corp. (SAIC) report "Underground Intellectual Capital and Sensitive Corporate Data Now the Latest in Cybercrime."
The survey asked more than 1,000 senior IT decision makers in the United States, United Kingdom, Japan, China, India, Brazil and the Middle East about their organizations' concerns and practices around protecting sensitive data. "We're seeing a shift in what sophisticated hackers are going after," says Scott Aken, VP for cyberoperations at SAIC. "When we asked particular questions in terms of importance of data, the only thing they talked about was intellectual capital."
More than half of the organizations surveyed have, at some point in their history, decided not to further pursue or investigate a security incident because of the cost. On the other hand, the majority of companies are reporting significant data breaches. More than 70 percent of the companies surveyed--including all of the U.S. and Japanese companies surveyed--either report all data breaches/losses or all except for those that are deemed small or insignificant.
Companies in other countries are more inclined to pick and choose what they report and/or report breaches only when they feel they are under legal obligation. By and large, reporting is a painful exercise for companies, as about half cite reputation damage as their No. 1 concern in the event of a breach. They reported the average cost of a breach at about $1.2 million.
Almost half of respondents reported that they would take particular data off the network in order to protect it from being leaked, choosing security over availability. The respondents said client/supplier data, employee data and trade secrets are the best protected information. The report is framed against the backdrop of recent high-profile breaches, including the Aurora attacks on Google and at least 33 other companies; the Night Dragon attacks against the oil and energy industry; and the recent compromise of RSA's SecurID.
It also places the survey data in the context of other recent research into the value of proprietary corporate information. The report cites Ocean Tomo Intellectual Capital Equity estimates that 81 percent of S&P 500 companies' value is "intangibles," which include, in part, patented technology, trade secrets, proprietary data, business processes and go-to-market plans. The report also quotes a Forrester Research study that proprietary knowledge and company secrets are twice as valuable as custodial data, such as payment card and customer and medical information.
Off-shore data storage is a mixed bag, according to the survey. Most companies (eight of 10) said their decisions to store sensitive data abroad are influenced by lenient privacy laws around breach disclosure, and 70 percent of the respondents store sensitive data in countries that give them more autonomy. Overall, fewer companies are storing sensitive data in other countries compared to a similar survey in 2008, but a third of the respondents said they are considering increasing their offshore data storage.
As in the 2008 survey, most companies consider China, Russia and Pakistan the least safe countries in which to store sensitive data, and the United Kingdom, United States and Germany the safest.