A Simpler Approach To Protecting Certain Information Assets

Cyber-attacks are part of the daily news cycle. Just about any company, regardless of size and industry, can be an inviting target for hackers. Reportedly, 71 % of cyber-attacks are directed at companies with fewer than 100 employees. (Lou Shipley, “How Small Businesses Can Fend Off Hackers, Wall Street Journal (WSJ), July 17, 2015, A9, citing to 2012 Verizon Data Breach Report.)

Importantly, hackers are more than just technically savvy and deviously creative. They also are adept at networking, no pun intended. They form troubling alliances with equally capable and illicit characters. As recently reported, one group of hackers and stock traders joined forces to steal sensitive, valuable corporate information and reap $ 30-100M in illegal profits over the period 2010-15. (Christopher M. Matthews and Nicole Hong, “Hackers Tapped Bonanza Of Data for Traders, U.S. Says,” WSJ, August 12, 2015, A1-A2.)

Facing that reality, what can a company do to protect its information assets, such as trade secrets, from a cyber-attack?

To begin with, there is the common approach. That approach involves cyber-security software (hopefully, sufficiently robust), cyber-security and information technology (IT) policies (hopefully, sufficiently clear) and cyber-security and IT practices (hopefully, sufficiently consistent). Notably, those practices can include periodic employee seminars on recognizing cyber-threats and attacks, such as phishing scams.

An alternative or, more likely, a supplement to the common approach is a simpler approach that most information asset owners should consider and many can take. This simpler approach involves taking certain information assets off-line. In other words, sequester them on a server or hard drive that is not connected to the internet and, in some cases, not connected to any intranet.

Implementing the simpler approach is feasible if the asset owner is motivated to take three steps.

First, inventory the information assets, or at least start that process.

Second, determine which information assets can and should be sequestered. Because sequestering an information asset means storing it on a server or hard drive that is not connected to the internet and, in some cases, not connected to any intranet, making this determination often involves answering two relatively straightforward questions: (a) which information assets still can be used productively if they are not accessible remotely? and (b) which information assets are so valuable that the risk of losing them in a cyberattack should be reduced as much as possible? Of course, to some extent and at appropriate times, many information assets will need to be carefully shared, internally, externally or both, in order to properly leverage those assets.

Third, assuming sufficient financial and other resources, (a) acquire and securely configure the necessary equipment (e.g., a password-protected computer not connected to the internet or any intranet), (b) securely store the information assets on that equipment (e.g., protect the files with passwords and track when and by whom the files are accessed), (c) locate the equipment in a secure physical space (e.g., a locked area accessible by only certain authorized persons) and (d) eliminate any other copies of the information assets stored elsewhere, bearing in mind that secure back-ups or archival copies can be appropriately stored (e.g., off-site, such as in a secure escrow account) in order to comply with applicable disaster recovery considerations.

Sequestering an information asset may lead to some initial frustration or inconvenience for authorized persons who need to access the asset. But, that is a small price to pay if the sequestration reduces, if not eliminates, a hacker’s ability to access the asset and cause significant economic harm to the asset owner and others.