Cybercrime targeting of commercial enterprises and organizations is rampant. Increasingly sophisticated, organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, as well as other sensitive data.

In addition, certain countries have historically had their intelligence agencies use intelligence-gathering techniques to steal information, such as computer source code, product formulas and design information about new products or processes. This type of state-sponsored economic espionage often targets technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, and materials and coatings.

The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, though any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.

Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is that they do not know the universe of sensitive data that they possess, where and how it is stored and who has access to it.

Knowing where your data resides is, in many instances, half the battle. Trying to identify an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to add security controls to their processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.

Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored and whether it was exfiltrated from those devices. Indeed, when assessing their company’s information security, one of the most challenging issues for internal auditors as well as information technology (IT) security professionals is not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches but also taking an inventory of the various categories of sensitive data stored electronically across the organization and identifying where specifically it is located and who has access to it.

Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.

Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who accessed data and when is equally, if not more, important. Being able to pinpoint who has accessed data is critical to any organization trying to protect its data. Logging and monitoring controls enable organizations to accomplish this.

During a forensics investigation, trying to find the source of a breach is like trying to find a needle in a haystack. Without logging and monitoring controls, or with only limited controls, that needle in the haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data and other data that, were it to be released, would be commercially damaging to the company.

What steps should companies take to better understand where their valuable data is?
  • Before companies understand where it is, they need to understand what it is or what their crown jewels are.
  • Survey key business units and obtain a list of their most sensitive data and IP by category.
  • Determine what added security may be in place to protect that data.
  • Request information about where the data is stored, how it is secured and how access is controlled.
  • Integrate what is learned by this data gathering exercise into future IT security audits.

This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2014-2015. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit (www.protiviti.com). Scott Moritz is the managing director and leader of Protiviti’s investigations and fraud risk management practice. Rocco Grillo serves as the managing director and leader of Protiviti’s incident response and forensics practice.