The number of intellectual property (IP) cyber theft incidents in the next 12 months is expected to increase, according to 58 percent of respondents to a recent Deloitte poll. When asked which category of potential adversary they believe is most likely to attempt theft of their organisations' IP, the prevailing percentage of respondents (20.1 percent) answered "employees or other insiders." Yet, only 16.7 percent of respondents said access to IP is very limited, on a need-to-know basis only.

"While many of us know — or have experienced firsthand — how a cyberattack can severely disrupt business, loss of an asset as critical as IP can be crippling for most organisations," said Don Fancher, Deloitte Forensic leader, Deloitte Global.

"Managing risks to trade secrets, drawings, plans or proprietary know-how that drive your organisation's revenue and competitive advantage often includes quantifying how loss of that IP would impact the business, preparing to identify and pursue adversaries, and building a defensible chain of data custody to counter future IP cyber theft threats."

As cited in the Deloitte Review article, "The hidden costs of an IP breach: Cyber theft and the loss of intellectual property," IP can constitute more than 80 percent of a single company's value today. And yet, 44.1 percent of respondents to the Deloitte poll collectively feel that assessing the impact of IP loss and managing relationships would be the largest challenges faced by their organisation.

Sectors expecting a higher than average increase in IP cyber theft in the next year included: power and utilities (68.8 percent); telecom (68.8 percent); industrial products & services (64.7 percent); and automotive (63.9 percent). Those sectors expecting higher than average insider IP theft attempts included: automotive (32.2 percent); oil & gas (27.2 percent); and real estate services (26.2 percent).

Tips for assessing the potential impact and protecting against intellectual property loss include:

• Define the critical assets (e.g., facilities, source code, IP and R&D, customer information) that must be protected and the organization's tolerance for loss or damage in those areas.
• Validate that any partners or suppliers involved in IP creation or utilization collaborate with the cyber risk program.
• Evaluate whether exposing some IP in the public domain may make the organization more subject to attack.
• Consider whether the competitive landscape points to new cyber threats to IP protection.
• Improve cyber resilience to manage brand impact and market position in the event of IP theft.

Taking a holistic approach toward cybersecurity isn't just about balancing technical expertise with information technology investments, or about contingency planning. Organizations need to define their cyber risk, up front, in conjunction with their strategic priorities when making decisions on protecting their most critical assets because they recognize what the adverse consequences would be otherwise.

Adnan Amjad, cyber threat risk management practice leader for Deloitte Advisory Cyber Risk Services  added, "Predicting IP data theft is tough, as adversaries don't fit one specific mould. A robust insider threat mitigation program leverages a broad set of stakeholders to define potential insider threats and risk appetite, establish appropriate policies, procedures, controls and training and utilizes the combination of business knowledge, virtual and non-virtual data and technology to more effectively safeguard vital information."

Poll respondents were from sectors including banking and securities (13.5 percent); technology (8.4 percent); investment management (6.1 percent); travel, hospitality and services (5.4 percent); insurance (5.1 percent) and retail, wholesale and distribution (5.0 percent).