LookingGlass was recently lucky enough to chat with business intelligence specialist, author, and developer Michael Schrenk in advance of his upcoming DEF CON talk, “You’re Leaking Trade Secrets.” Read on for a first glimpse at his lecture and his thoughts on organizational secrets.
LookingGlass: Part of the teaser for your DEF CON talk reads “Organizations, in fact, leak information at a much greater rate than individuals.” What do you mean by that?
Schrenk: The press has done a fine job of warning individuals about online privacy threats. They’ve been negligent, however, in identifying the privacy threats that organizations face. The media tends to focus only on the most sensational corporate data breaches, and people seldom read reports of the tsunami of trade secrets that are unintentionally leaked by well-meaning employees every day. This lack of reporting results in a lack of awareness. And because of this lack of awareness, the opportunities for trade secret leaks, within organizations, increase with each additional employee.
LookingGlass: Is this problem one that just affects organizations with limited information security budgets?
Schrenk: Security isn’t something that can be fixed with budgets. Merely spending more money on security doesn’t necessarily yield better outcomes. Part of the job of managing an organization is to help employees learn the value of trade secrets, and then to identify how privacy leaks occur. Privacy isn’t even an IT responsibility. Protecting trade secrets is everyone’s job. Organizational secrets are only secured when management establishes meaningful and enforceable policies that keep employees, vendors, and contractors from doing irresponsible things.
LookingGlass: If you had to guess, approximately what percent of Fortune 100 companies are leaking trade secrets at any given moment? Walk us through how you came up with that percentage.
Schrenk: Given the information that is leaked through websites like LinkedIn and Twitter, I’d hazard to guess that all Fortune 100 companies unintentionally leak trade secrets every day. For example, you don’t have to spend a lot of time on LinkedIn or Twitter to deduce who an organization’s Business Development people are. With a little more digging, you can usually compile their client list, too.
LookingGlass: Your work includes “industrial webbots and botnets” for large and admired corporations like Disney, Nike, and Medtronic. Is it safe to assume that there are black hats out there developing similar technology with less ethical goals? What do you think criminals would use that similar technology for?
Schrenk: Not every project I’ve done involved webbots or Business Intelligence. In fact, much of my earlier portfolio focused on enforcing online business process. Also, I would never identify Business Intelligence clients or the nature of that work due to the competitive advantages it brings to clients. As far as criminal activity? I know it exists because I turn down requests for projects that have ethical issues. You’d be surprised by the projects people ask me to develop.
LookingGlass: Chief Information Security Officers (CISOs) have a long list of threats to defend against. How should decision makers in security teams prioritize efforts to minimize the unauthorized or unintentional leaking of intellectual property?
Schrenk: It’s important to start with all the obvious things. By that, I mean enforcing proper password policies, configuring firewalls correctly, and managing mobile devices with an eye on security, etc. Beyond the obvious, organizations need to examine what they publish online and who the unintended audiences may be for that information.
LookingGlass: Any final advice for organizations wishing to minimize sensitive information leakage?
Schrenk: It’s vital to recognize that information published online may be read by people other than the intended audience. Before something is published, ask yourself if anyone, other than the intended audience, could use that information. Hire an Internet search specialist to research your organization and employees online. Commission a report of the findings and where the information was sourced. Study the results and identify enforceable policies to rectify the leaks. That would be a good start.