GOOD. SMART. BUSINESS. PROFIT.TM

Cyber-Security, IP Theft and Data Breaches: Practical Steps to Protect Corporate Assets

October 30, 2014

Chelsie Chmela

Events Manager

chelsie.chmela@ethisphere.com

847.293.8806

We encourage you to engage during the Q&A portion of today’s webcast by using the chat function located within your viewing experience.

HOST

QUESTIONS

RECORDING The event recording and PowerPoint presentation will be provided post event.

3

4

SPEAKING TODAY

Pamela PassmanPresident & CEO, CREATe.org

Marissa O. MichelStrategic Threat Management, PwC Forensics

Cyber-Security, IP Theft and Data Breaches:

Practical Steps to Protect Corporate Assets

Marissa O. MichelStrategic Threat Management, PwC Forensics

Pamela PassmanPresident & CEO, CREATe.org

Introductions

6

Pamela Passman

President & CEO

Center for Responsible Enterprise and Trade CREATe.org

Marissa Michel

Director, Forensic Services Group, Strategic Threat Management Services

PriceWaterhouseCoopers (PwC)

In the News…Cyber-Security, IP Theft/Breaches

7

U.S. hacking victims fell prey to mundane ruses -May 20, 2014

U.S. announces first charges against foreign country in connection with cyberspying - May 19, 2014

U.S. announces first charges against foreign country in connection with cyberspying - May 19, 2014

Trade secrets bill clears a hurdle -September 17, 2014

8

Intellectual Property Risks

• Among 269 senior risk managers, 53% said that loss or theft of intellectual property had inflicted damage on their company’s financial performance —14% reported this as “major” damage.

PwC’s 2013 State of Compliance:

• Intellectual property risks ranked among the top three risks faced by manufacturing and tech companies

• IP risks were perceived to be increasing

On the rise: • Malicious code and sustained probes have

increased the most: average of 17 malicious codes/month, 12 probes/month, 10 unauthorized access incidents

Uncertainty about steps to take: • 50% low/no confidence they are making the

right investments in people, process and technologies to address threats 

Data Breach Risks

9

Greatest threat:• The human factor (negligence) and system

glitches (IT and business process failures) still account for almost two-thirds of data breaches

Why? The Rise of IP Theft & Data Breaches

10

Globalized Marketplace

Information Digitalization

MobileWorkforce

Fragmented Value Chains

Where are the Greatest Threats?

Cyber Risk Threat Landscape

12

Threat Actor

Objectives Methods Vulnerabilities Risks / Outcomes

Nation States

Military technology, help national companies

Blunt force hacking

Social Engineering

Trojan Horse

Spear phishing

Watering Hole Exploits

Malware

Co-opted Credentials

Physical/Non-technical

Processes

People

Technology

IP Theft

Data Breaches

Disrupted Business

Reputational issues

Lost revenues

Lawsuits

Fines

Malicious Insiders

Competitive advantage, financial gain, national goals

Competitors Competitive advantage

Transnati’l Organized Crime

Financial gain

Hacktivists Political/social goals

Source: CREATe.org – PwC Report: Economic Impact of Trade Secret Theft: A framework for companies to safeguard trade secrets and mitigate potential thefts, February 2014

Cybercrime: a key driver of trade secret theft

13

Highlight: Malicious Insiders

14

Impact

Motivation

Access

Connections

Red Flags

Most common source of IP theft; Differs from unintentional or uninformed insiders

Typically disgruntlement or ego, ideology, competition, or personal financial gain

Insider authorization to systems, records, source code, and even facilities = opportunity to exploit access for malicious purposes

Can be leveraged or planted by Advanced Persistent Threats to exploit access to critical assets

Activity changes w/business change: mergers, divestitures and legal entity separations, and within 2 weeks before and after employment separation (voluntarily or involuntarily)

CREATe – PwC Trade Secrets Report

• The economic impact of trade secret misappropriation;

• An analysis of key threat actors;

• Three future scenarios that envision trade secret protection outcomes in 10-15 years; and

• A five-step framework to help companies assess and safeguard trade secrets.

Available on the web at:

www.create.org/protect-your-trade-secrets

16

Framework: Objectives and Outputs

Consensus across business units over definitions and criteria for determining IP that is a trade secret

Prioritized, ranked list of trade secrets with location maps around the world

A clear repeatable process for incorporating new innovations and trade secrets into the existing trade secrets list

Proven formula for assessing the cost of trade secret theft at the individual level

Means to determine how to maximize the value of protective measures to ensure the greatest return on security investment

17

Framework: Step 1

Category of Trade Secrets• Product Information• Research & Development• Critical & Unique Business Processes• Sensitive Business Information• IT Systems & Applications

18

Framework: Step 2

Threat Actors:• Nation States• Malicious Insiders• Competitors• Transnational Organized Crime• Hacktivists

19

Framework: Step 3

How would the trade secret loss impact…•Reputation?•Business operations?•Corporate culture?•Competitive advantage?•Current or future revenue?

20

Framework: Step 4

Impact of trade secret theft in dollar terms:• Financial performance• Customer trust/loyalty• Innovation• Stakeholder perception

21

Framework: Step 5

IP Compliance Team

Policies, Procedures & Records

Scope & Quality of Risk Assessment

Management of Supply Chain

Security & Confidentiality Management

Training & Capacity Building

Monitoring & Measurement

Corrective Actions & Improvements

Effective IP protection involves 8 categories:

22

Online Q&A:

Measures maturity of systems in all categories

Rates maturity on a scale from 1 to 5

1Self-Assessment

2Independent Evaluation

3Improvement Plan

CREATe expert evaluation:

Qualifies self-assessment

Reviews documentation

Generates verified score

Based on rating, company receives:

Improvement steps

Benchmarking report

Measure Improve

How Do You Know if Supply Chain Partners are Protecting Your Company’s IP?

Supply Chain Vulnerabilities

“Financial criminals will typically look for the weakest link – the most efficient, easiest way into a system. And, the majority of the time, suppliers are the easiest way in”

24

25

Ask Supply Chain Companies These Questions

1) Are IP protection policies in place?

2) Who manages IP protection?

3) What business processes are in place to protect IP?

4) How do you work with supplier and business partners to prevent IP theft?

5) Are physical workspaces and IT networks secure to protect IP?

6) What training programs are in place for IP protection ?

7) What ongoing monitoring programs are in place?

8) When things go wrong, what corrective actions do you take?

Questions?

26

Thank You!

marissa.o.michel@us.pwc.com ppassman@CREATe.org

WHY SHOULD YOU APPLY?

• Learn your scores – your Ethics QuotientTM

• Compare your practices to those of the Worl’s

Most Ethical Companies• Understand the gaps in your program, activities and

practices vs. leading companies• Use this knowledge to guide and shape investments in

program and resources • Engage the entire organization and ecosystem

This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.

For more information on BELA contact:

Laara van Loben SelsSenior Director, Engagement Serviceslaara.vanlobensels@ethisphere.com480.397.2663

Business Ethics Leadership Alliance (BELA)

THANK YOU