- City Fajr Shuruq Duhr Asr Magrib Isha
- Dubai 05:27 06:41 12:35 15:52 18:22 19:36
(SUPPLIED)
Vital digital information, such as intellectual property rights and customer data, is increasingly being transferred between companies and continents and lost.
An average company has $12 million (Dh44m) worth of sensitive information stored abroad and companies lost on an average $4.6m worth of intellectual property in 2008.
According to a report by McAfee, a computer security company, titled Unsecured Economies, Protecting Vital Information, elements in certain countries are emerging as clear source of threats to sensitive data, especially to intellectual property.
Three countries in particular stood out in the McAfee survey conducted as part of the report.
Respondents cited China, Pakistan and Russia as the worst-rated countries when it comes to protection of digital assets.
Pakistan, China and Russia, in that order, were also perceived to have the worst reputation for pursuing or investigating security incidents. Respondents cited corruption and inadequate skills in law enforcement and legal bodies as top reasons for the rating.
Twenty-six per cent of respondents had purposely avoided storing and/or processing data in China, 27 per cent in Pakistan and 19 per cent in Russia.
According to the report, a number of factors are influencing the trend for companies to store vital information offshore.
While 26 per cent cited cost reduction as a reason for outsourcing, other drivers for storing or processing sensitive information outside of the home country were supply chain partner efficiency (33 per cent) followed by better expertise (30 per cent) and increased safety (29 per cent).
Talking to Emirates Business about the dangers of outsourcing, Greg Day, Emea Security Analyst, McAfee Avert Labs, said: "Cyber criminals see this vital information as a high value commodity because it is easily transportable and can be sold on the black markets for huge returns and are devising increasingly devious ways to infiltrate companies.
"Cyber thieves have expanded their activities beyond basic hacking and stealing of credit card data and personal credentials. Their emerging target is intellectual property. Why sink all that time and money into research and development when you can steal it?
"Credit card fraud and identity theft have moved into the so-called "cash cow" phase of criminal strategy. In other words, it's a source of revenue, but there's not much room for growth, so criminals are looking for the new stars of their portfolios."
Mike Smart, Senior Product Marketing Manager, Emea, McAfee, said: "When considering outsourcing any part of a business, there are many considerations. Primarily, it is important to look at whether the process of outsourcing may increase business risk.
"For example, it is necessary to look at whether the outsourcing agent has adequate policies and processes in place to protect intellectual property in terms of information. Examples of information that would require a high assurance level are competitive documentation, engineering design schematics, customer data, business plans or proprietary financial information."
"Different regions have different legislation in place to protect data," said Smart. In some regions, there simply is not the maturity in the market around the implementation of what some markets might call best practices. So, there may be an increased risk that a failure in best practices within the outsourcing organisation would result in a data breach. This ultimately would impact the brand – one of the most valuable assets for any firm.
According to the report, with many companies having subsidiaries and satellite offices around the globe and an increased need for collaboration, the traditional operational boundaries are now disappearing. Informational assets are subject to various jurisdictions, infrastructure and cultures, including those of suppliers and partners.
This trend has made it more difficult to lock down intellectual property in order to ensure its safety. Smart said: "Often there is an assumption that an outsourcing company would provide the same level of protection around data that the company that owns the data would. This is a fundamental mistake.
"When looking for an outsourcing partner it is worth making sure that due diligence is done specifically around their corporate governance [best practices in the protection information]. In addition availability of valuable data [information] is also key, so it is important to ensure that the potential partner has established strong business continuity procedures and that they have adequate Service-Level-Agreements around security and availability of information." Considering how much vital information companies are moving offshore in the current economic climate it is more important than ever that this data is secure. The research findings suggest this may not necessarily be the case. Respondents in countries such as Brazil, China and India spent more on security as a percentage of their overall IT budgets, while respondents in developed countries such as Germany, Japan, the United States and the United Kingdom spent less on protecting their vital information.
Thirty-five per cent of Indian, 33 per cent of Chinese and 27 per cent of Brazilian companies reported spending 20 per cent or more of the IT budgets on security, compared to 20 per cent of German, 19 per cent of US, 10 per cent of Japanese, and four per cent of UK firms.
The UK reported the least amount of spend on security as a percentage of their IT budget, with 44 per cent of the respondents spending zero to five per cent of their budgets on security.
When comparing the motivators of information security investments, there is a striking difference in attitudes across the globe. It appears that decision makers in many countries, particularly developed ones, are reactive rather than proactive.
Compliance with regulation is the key motivator in Dubai, Germany, Japan, the UK, and the US.
However, 74 per cent of Chinese respondents and 68 per cent of Indians reported making decisions based on gaining and maintaining a competitive advantage in attracting customers.
To make matters worse, there are a minority of companies in some countries who did not pursue a security breach incident. This suggests that when intellectual property is stolen in certain countries, it will not be reported.
Among Chinese firms, 28 per cent said they do not pursue security incidents because of the cost, and 35 per cent do not pursue them to avoid bad publicity.
Twenty-three per cent of German and Japanese firms said they do not respond to incidents because of the cost.
Smart said: "Often this is because different geographical regions have different perspectives and culture around the value of data. In regions where data privacy directives are either not ratified or specific legislation is not in place, we would tend to see culturally that less value is associated to protecting their information [and potentially the information that may have been outsourced to the region]."
"Specific to Dubai, there were some interesting statistics in McAfee's Unsecured Economies report; Dubai was included in the top three countries that had chosen to outsource sensitive data (though they chose not to outsource any of their own intellectual property).
However, Dubai was in the bottom when it came to doing risk assessments during the outsourcing process.
This tells me that businesses in Dubai value intellectual property [because they do not outsource it], but do not value sensitive data [which may include customer data] because they are more than happy to outsource it without doing risk assessments," said Smart. "In addition, in Dubai there was significantly lower than average money spent on protecting vital information [only Japan was lower], and only 28 per cent of respondents in Dubai thought they were not spending on protecting vital information."
So, how can companies that are outsourcing ensure protection of their data and intellectual property? According to McAfee, even though it is often a case of "out of sight is out of mind", this is not an approach that organisations can afford to take when outsourcing.
Much due diligence and risk assessment needs to be done during the initial phases of an outsourcing project.
In some situations a risk assessment may help organisations to discover that the risk is too high to outsource information.
In addition, successful outsourcing agreements are reached when the two business integrate their architecture [establishing Virtual Private Networks and providing access to internal content management systems or intranet systems].
Ensuring that the organisation that has chosen to outsource data builds in policies and processes that take into account the outsourcing agent will also help to reduce risk.
Smart said: "Also important is the provision of training to the outsourcing agent to help them understand the organisation's policies around protecting vital information, and also making sure that service level agreements are put in place to ensure adherence to these policies."
Keep up with the latest business news from the region with the daily Emirates Business 24|7 newsletter. To subscribe to the newsletter, please click here.
Follow Emirates 24|7 on Google News.