Hidden risks of a cyber breach Cyber theft and the loss of intellectual property
Losing customer data to hackers can be costly and embarrassing, but losing intellectual property to cyber thieves could threaten a company’s future. Tanya Ott talks to Emily Mossburg and Ash Raghavan about the risks facing business today.
We’re moving not just from hacking data or information—you’re starting to now talk about public safety, product safety, consumer harm. So we’re really starting to see the impact of cyber permeate to our daily lives.
TANYA OTT: Cyber security professionals have a saying, “Cyber belongs in the war room.” But now it’s a conversation in the boardroom.
I’m Tanya Ott and this is the Press Room, your source for the issues and ideas that matter to your business today.
When you hear there’s been a massive data breach you probably immediately wonder whether your name, social security number, and credit card number have fallen into hackers’ hands. I know I do. I’ve had to change my debit card at least three times in as many years thanks to some really high-profile hacking incidents.
While it’s a total pain for consumers—that’s not the whole story. Those same attacks may result in something less well known, but potentially much more damaging: IP cyber theft. IP stands for intellectual property. It’s a problem that already costs businesses hundreds of billions of dollars a year and the digital research group Juniper says by 2019 that number will reach $2.1 trillion globally.1
To understand how it works, why it sometimes takes months to uncover, and—most importantly—why it’s so hard to stop, you need to know a little about the dark net.
The Dark Net is the hidden underbelly of the Web. Lurking beneath the Internet you use every day there’s a place you can only get to with special software designed to hide your identity. It’s a lawless place where people can anonymously buy and sell drugs and engage in all kinds of illegal activity, including hacking businesses to steal their intellectual property.
Emily Mossburg and her team at Deloitte Advisory help organizations prepare for and recover from these kinds of cyber incidents. I asked her to paint a picture for us.
EMILY MOSSBURG: Let’s say the company is a technology company. Let’s say that they are in the midst of completing some research and development of a brand-new line and some enhancements to their current line around connected devices. And the organization finds out—and this is not uncommon—from an external party that some of their product designs have been found out on the dark web. So now they understand that they have some sort of data leakage, but they don’t know how much. They don’t know the full scale of what’s happened. And they don’t know how it’s happened. So this kicks off an investigation in which they determine that really almost half of their product lines have been impacted by this loss, [which was] an external attack, and that the documents and designs were being stolen by an external adversary and being taken to a foreign country where these products can be replicated. The designs that they had invested in over the last several months are now in the hands of a competitor who plans to use them to basically bring their own products to market more rapidly than this organization. Now on top of that, the organization is trying to keep it quiet, but as you can imagine within the organization it’s going wild. Everybody across the organization is starting to understand what’s happened and there is eventually a leak. And not only now do they understand that this has happened and their competition knows that this has happened, but it becomes public because it’s posted in some way on a blog. So now there’s broader concern about the fact not only that this organization was attacked and hacked, but that the products and services of this organization are probably now in question because the designs are out in the wild and with their competition.
TANYA OTT: So in olden days, like, oh I don’t know 12, 15, 20 years ago, IP theft was often a disgruntled employee who might have stolen documents or computer disks or taken a laptop or something like that. But it’s much bigger than that now. Who’s engaging in this kind of theft and what kind of tools are they using?
EMILY MOSSBURG: In many cases the adversary is an external adversary and so that means that we’re talking about potentially nation states. We’re talking about cyber crime rings. We’re talking about very organized crime focused at valuable assets and then using those to spin up new businesses or in the case of nation states to basically prop up the organizations within a particular country or block of countries. The types of tools that they’re using are really all over the board—the same kind of malware that you see when there is a customer data theft. There is a high amount of social engineering associated with these incidents.
TANYA OTT: What does that mean?
EMILY MOSSBURG: There’s really not a lot of technology happening at all. It means that they’re focusing on learning who the employees are within that enterprise. Who the executives are within that enterprise. Who the board members are. What they do. What they’re known for. How they communicate amongst one another and then using that information to pick up the phone and place a call to someone under a false name and get some information. Or to send an email that appears to be from somebody else in order to get access to certain documents or to get certain links or certain credentials, for that matter. You know it’s really the soft side, this nontechnical component that really, in many cases, starts to open the door for the more intensive technology attacks.
TANYA OTT: So, what kind of assets are most at risk? What do those hackers or whatever you want to call them, what do they really want to get their hands on?
EMILY MOSSBURG: Well it’s not just one thing and there tends to be a lot of distinction industry by industry. So if you think about a technology organization, they may be focused on getting data related to research and development, the latest and greatest version of a product that an organization is working on. If you’re talking about, let’s say, life sciences, they may be focused on the design of a new drug or the trial results related to testing a particular drug with a particular control group. It really runs the gamut.
TANYA OTT: How significant a problem is this? Can you quantify it for us in terms of numbers of thefts or the cost of those thefts?
EMILY MOSSBURG: Well it’s hard to say how big it is and how frequently it’s happening. There’s really nothing out there that requires the disclosure of this type of theft. But what we did want to do is to look at what the reasonable business impact was associated with that theft. And that’s how we came about identifying the 14 impact factors that we talk about related to the cost of a cyber incident. And those 14 factors then help quantify what the long-term business impact is or could be to an organization. And they include things like the costs that are well-known like those associated with technical investigations or regulatory compliance and attorney fees and litigation. But then they also include things like the value of the loss of intellectual property, the value of lost contract revenue as well as the lost value of customer relationships, to really help organizations start to understand these are all of the things that they should be thinking about as they decide what they should be protecting, with what level of priority. I don’t think they have a sense of the true cost and I do think that it is an area that has not been prioritized as highly as it should be.
TANYA OTT: That was Emily Mossburg of Deloitte Advisory’s Cyber Risk Services division. Her colleague Ash Raghavan ocuses on cyber risk in the financial services sector, and he says organizations need to balance protecting themselves against the big “black swan” events (things that very few people see coming, but have huge impact—think the housing and mortgage crisis) and the day-to-day cyber theft risks that are probably more likely.
ASH RAGHAVAN: I think this goes back to just having good cyber hygiene. We’re seeing a lot of organizations really practice their cyber drills, really practice these breaches that could occur every day or some of these black swan-type of cyber events. So in the event that a breach does occur they are equipped to respond the right way and recover in a reasonable fashion. So this is all about practicing and building up your muscle memory so when an event does happen, you know the right steps to take.
TANYA OTT: What are the biggest challenges they face?
ASH RAGHAVAN: Some of the biggest challenges [are] just coordination. Just clearly understanding roles and responsibilities—who does what. I think the impact of a cyber breach is so far reaching that you really don’t know what parts of the organization it’s really going to touch. So the more you practice these types of simulations the better you understand the impact of the cyber breach. So the first challenge is really around roles and responsibilities.
Second: People still tend to approach these issues more as a technology issue. [J]ust doing your technical forensics and your analysis and being able to say, well, we were able to remediate this issue—that’s a little bit of a fallacy there. It’s not really that simple.
TANYA OTT: Well, and if you think of all of the tendrils, all of the costs that are associated with dealing with a breach that you may not anticipate, you’ve got regulatory costs; you’ve got legal costs; you’ve got marketing and communication and all of those kinds of things.
ASH RAGHAVAN: Exactly! The “above the surface” costs are easy to get your hands around, right? The investigation, the notification, some of the other things you mentioned. But then some of the research that our valuation folks did [was] to really understand how do you quantify lost value of customer relationships, what is the impact of operational disruption, and is there any loss of intellectual property and how to you actually quantify that? Those are all things that are not that visible and those are things that people really need to understand and account for to truly understand the cost of the cyber incident.
TANYA OTT: So … Is there a magic formula?
ASH RAGHAVAN: No there isn’t! I have no doubt that in the next few years there will be a pretty good model to sort of measure cyber risk. But today we’re not there yet.
TANYA OTT: Ash Raghavan says as cyber budgets continue to go up and exponentially increase, leadership is increasingly asking chief information officers [and] IT officers to be able to justify and show that they’re spending their money wisely. There is no magic bullet, but Ash and Emily Mossburg both have suggestions for how you can think about quantifying the cost of cyber risk in articles they’ve published at DUPress.com.
While you’re there, check out our archive of podcasts. We’ve had some really interesting conversations on everything from digital disruption to 3D printing, managing Millennials, and HR for Humans. And if you want to make your life really easy, just subscribe to the podcast so the latest episode will automatically download to your device. We’ll be there for you on your next trip to the gym or that long commute. You won’t miss a single thing.
We love to hear what you think about what we’re doing. You can tweet us at @DU_Press and email us at email@example.com. I’m Tanya Ott for the Press Room. Thanks for listening and have a great day!
This podcast is provided by Deloitte LLP and its subsidiaries and is intended to provide general information only. This podcast is not intended to constitute advice or services of any kind. For additional information about Deloitte LLP and its subsidiaries, go to Deloitte.com/about