Businesses and their executives everywhere should be aware of this story run by 60 Minutes on Jan 17, and the blog Jeff Lipson wrote about it here. The fact that China is stealing U.S. companies’ intellectual property is not news. The fact that President Obama worked with the Western District of Pennsylvania to indict five Chinese officers for theft of intellectual property is not news. So, what is the real news bite here? Some companies and Americans want to fight back and stop China, calling it out on the world stage and putting up huge defenses. Most companies and CEOs do not want to stop China because of the great loss of revenue such a maneuver would cause.
China is the second largest economy in the world, and it’s already slowing down. If American CEOs stop doing business with China, they risk huge amounts of lost revenue. The benefit of selling to Chinese companies and their people outweighs the cost of America trying to stop them, for the time being anyway. So let’s say there are lots and lots and lots of companies that fall into this bucket.
As a member of U.S. Cyber Command and the U.S. Marines, I find the idea that a country is getting away with this criminal and dishonest behavior maddening. As a member of the business community that employs Americans, I understand the need to do a cost-benefit risk analysis and not be quite so hasty.
So What’s the Key?
As an American running a business, if I had to sell to China, I would want to find a way to get the revenue without the risk of losing what makes my company successful (the intellectual property). How is that accomplished? Full knowledge of the risk, robust training, and constant awareness of the network and business processes that could expose my company’s assets.
How To Think About Solving This Problem
This starts with training and education, and not just the basic training that was mentioned in Jeff Lipson’s blog. Executives need a firmer awareness of the risks posed to them by their third-party vendors, suppliers, and similar partners. Everyone from the janitorial staff to the IT MSP, ISP, email provider, and so on increases the attack surface of the company. A company naturally builds and exposes the surfaces through which it can be attacked.
Vendors/Suppliers/Software Services = Increased Avenues of Attack
In most cases it’s almost impossible to come to a full understanding of the risk a company is exposed to until it goes through a full-scope information risk assessment (which we recommend). However, as a first step, something every business can do is review its vendors’ contracts and look for security, liability, loss-protection, and privacy clauses. If they exist (great), read through them, work out who is liable for what, and then communicate that to those who need to know.
If they don’t exist (most likely), then start looking at all the areas of your company those vendors touch, because each one increases your attack surface. Bring in a cybersecurity company, go through a security risk assessment, and do the work. The assessment will be worth your time because it acts as a planning tool for policies, governance, and use of technology, and it trains your company to be resilient (and your people to get it there).
We don’t want to see Philadelphia area companies take a loss because they weren’t proactive.