Survey: Some U.S. Firms Lost Over $50 Billion In Proprietary Information
A group of U.S. companies lost as much as $59 billion in proprietary information and intellectual property from 2000 to 2001, according to a survey by ASIS International, PricewaterhouseCoopers (PwC), and the U.S. Chamber of Commerce.
Most of that stolen information was resident in companies computer systems, says Jay Ehrenreich, senior manager at New York-based PwCs Cybercrime Prevention and Response Group. “About 80% of intellectual property is estimated to be in a digital format,” he notes.
“While the risk of cyberterrorism is increasing, the theft of intellectual property is where companies are incurring the most losses to date,” says Ehrenreich.
The 10th Trends in Proprietary Information Loss Survey was conducted among CEOs of Fortune 1000 companies and of 600 small and mid-sized companies that belong to the U.S. Chamber of Commerce, says PwC. The firms reported experiencing losses in the July 1, 2000 to June 30, 2001 timeframe.
According to the survey report, 40% of those participating in the survey reported “incidents of known or suspected losses of proprietary information.” The survey defined such information as “information which is not within the public domain and which the owner has taken some measures to protect.”
“In 2001, the companies represented by study respondents are likely to have experienced proprietary information and intellectual property losses of between $53 [billion] and $59 billion,” said the survey report.
On average, the report noted, companies reported two such loss incidents in the surveys timeframe. The largest average dollar value loss per incident occurred in research and development ($404,000), followed by financial data ($356,000), the report said.
Only 12% of the companies in the survey were in the financial sector, and the report noted that the financial industry firms reported the lowest number of incidents among all the survey sectors.
The highest reported incidence rates were in the service industry group and in companies with annual revenues in excess of $6 billion.
The report added, however, that, “It is likely that these and other study data reflect a significant degree of underreporting by responding companies.”
Ehrenreich says the lost information included data on companies proprietary research and development projects. “It could be the schematics of a next generation widget, your customer lists, or the formula for Coca-Cola,” he explains.
This could result not only in loss of revenue, but also loss of competitive advantage, he adds.
According to PwC, many companies dont put a value on intellectual property until they are in litigation of some kind. “Since these assets are not typically tracked in corporate accounting systems, they often are not well protected,” said PwC.
The report noted that the greatest risks for loss of proprietary information and intellectual property came from former employees, foreign competitors, on-site contractors, and domestic competitors.
“Hackers are also considered a major problem, and this is an area that should be earmarked for heightened scrutiny by businesses in upcoming sequels to this survey,” said PwC. “Companies that had made IP protection a high priority indicated no loss incidents.”
Such companies also had internal security measures in place to protect sensitive information, says Ehrenreich. “Most of the stuff that goes out the door is an employee who has access to it, then goes to a competitor and takes the intellectual property with [him],” he explains. “A firewall wont stop that type of thing.”
The greatest impact of the losses came through increased legal fees and loss of revenues, said the survey report. For businesses with over $15 billion in sales, and for high-tech firms, loss of competitive advantage was the most serious problem.
“For financial institutions, embarrassment was the biggest concern,” the report noted.
The report also cited what it characterized as “a troubling managerial attitude” among some companies. “Around three quarters of respondents indicated that information about new products and services [was] the lifes blood of their companies, but only 55% said their management was concerned about information loss and were taking necessary precautions,” said the report.
Why arent more companies taking precautions? “In terms of awareness, security has become a major business concern, but theres a real economic issue as well,” says Ehrenreich. “Security is viewed as overhead, and the return on investment is not always clear.
“In a bad economy, the first priority is revenue, so companies see security as a priority, but theyll spend money on it when theyre making more money again,” he continues. “If a company has 10 things to do, security is number 11.”
According to Stephen Jordan, executive director for the U.S. Chamber of Commerce Center for Corporate Citizenship, “Electronic thieves are hurting businesses. We applaud the steps many companies are taking to protect themselves, but its clear that this is a big problem, and businesses that havent invested in cyber security are paying the price.”
“The thing that strikes me is that theres so much press about cyberterrorism and risk–electronic Pearl Harbors and so forth–but if you really look at where companies are losing money, this is where the highest dollar losses are,” says Ehrenreich. “Companies need to understand and value their intellectual property.”
According to Ehrenreich, it will take a stronger economy and “an improved awareness” to bring improvement. He points out that cyber security insurance will also be a factor in the equation. “To what extent do you make fixes and to what extent do you transfer risk to insurance companies?” he asks.
He points out, however, that insurers will likely do a security assessment of potential cyber security insurance clients, “and if your house is not in order, youll be considered too high risk to insure.”
ASIS International is an international organization for security professionals with 32,000 members worldwide, says PwC.
Reproduced from National Underwriter Life & Health/Financial Services Edition, October 14, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.