South African companies are generally well aware of the dangers of external hacking attacks but often overlook the threat of internal data leaks – whether malicious or accidental. Companies in mining and construction tend to be more vulnerable than they realise, and should waste no time in tightening up their data protection mechanisms.
“There is a perception that only financial services companies or businesses with large retail customer bases need to protect their intellectual property. Companies in industries such as mining and construction are often less cautious as they do not think their data is as critical or as damaging if compromised,” says Christabell Maziriri, senior manager at BDO Audit and IT Services.
“However, many of these companies have intellectual property that could be extremely useful to competitors – and even to criminals.”
In the construction sector, for example, plans of constructed buildings could be invaluable to criminals planning break-ins and looking for easy access and exit points in the buildings being targeted. Similarly, mine maps showing where minerals are being prospected or extracted could be useful to criminals and competitors alike.
“Less dramatically, there are many kinds of business information that give companies their competitive edge,” Maziriri says. “When this information finds its way outside the company, it can lose that edge. Imagine thinking you are going to win a tender and then finding out that a competitor has won on the basis of a tender uncannily similar to yours.”
Hence, other intellectual property that companies need to guard jealously includes technical drawings and designs, architectural plans, suppliers’ prices, performance information, order books, exploration and extraction research, and the associated costs.
“This kind of information is often relatively easy to access from inside the organisation,” says Maziriri, adding that “excess access” to information is one of the most common weaknesses in companies’ data protection strategies.
Excess access occurs when companies are less than discerning about giving employees access to their intellectual property.
“People tend to dump things on a server to which almost everyone has access after going through basic security controls. Typically, once you have logged on, you can gain access to almost any folder on the server,” she says.
Maziriri’s advice is to restrict server access by job function so that employees can only obtain information if they actually need it to do their jobs. She also recommends introducing group access techniques, where groups are created by task, function or service. Employees are then given access to information according to the group they belong to.
Another common weakness in data protection is the use of public platforms to transfer large files. “Being public platforms, their security standards tend to be lower and users do not always formulate strong enough passwords,” says Maziriri. “Further, users sometimes create access loopholes by forgetting to go back and delete the files they have just exchanged on a public platform.”
Companies should also be aware of the risk of inappropriate information disclosure through employees using social media. Employers should ensure they have proper policies in place to govern social media usage and to educate employees about the risks.
Yet another way that companies expose themselves to data leaks is by outsourcing IT functions and then leaving governance to the service provider.
“This introduces considerable vulnerabilities to data protection,” Maziriri says.
“For instance, it is very common that testing of IT implementations is done on real information that can be traceable to competitive intelligence but is left electronically at the disposal of third parties.”
The greatest challenge facing companies seeking to protect their intellectual property is to strike a balance between sufficient protection and business efficiency, she says.
“You cannot have a situation where things are not done because people do not have access to the information they need. Equally, you cannot allow your information assets to be compromised by not being restrictive enough. At the end of the day, you need to find the right balance, bearing in mind that you can never eliminate IP leakage to zero; you can only manage it.”