Firms must do more to protect intellectual property

More emphasis needs to be placed on protecting intellectual property and data

Companies are concentrating too many resources on the threat of data loss, and are failing to protect other equally important business information, according to a new survey by Forrester Consulting.

The Value of Corporate Secrets study, carried out on behalf of RSA and Microsoft, surveyed 305 IT security decision makers and found that, although many protect against data theft, few apply the same controls to trade secrets and other information.

Ninety per cent of companies comply with data laws, breach regulations and security policies, but weight them against "custodial data", when they should be protecting secrets.

"Companies are spending money to protect customer, medical and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value to an organisation, " said Sam Curry, chief technology officer for marketing at RSA.

"The loss of intellectual property can cause long-term competitive harm to an organisation. The recent and highly sophisticated attacks targeting intellectual property at large multinational companies are examples of this type of loss."

The survey also found that companies focus on protecting against accidental loss, but warned that theft from employees or "trusted outsiders" can be more costly.

Forrester explained that employee theft of sensitive information is 10 times costlier than accidental loss, because it leads to losses in the hundreds of thousands, as opposed to tens of thousands.

"Insider risk is a real and growing threat, and the modern enterprise environment of collaboration with a variety of outside parties creates more opportunities for leakage and theft," said John Chirapurath, senior director of the Identity and Security Business group at Microsoft.

"This data illustrates that the more a company has to lose in terms of information value, the more criminal activity it will face."

The report makes a number of recommendations to help firms redress this balance, including identifying the most valuable information, creating a database of risks to prepare for any possible incident, and assessing and reprioritising the balance of IT security programmes.