Prior to the invention of the Gutenberg Press in 1440, few people could read and knowledge was concentrated in the hands of the Church. The creation and transfer of knowledge was a very slow process. The publication of the first book, Ars Minor, in 1451 on the Gutenberg Press created the spark that led in the end to the Reformation and large shifts in the economic and political power base. Knowledge and learning could be far more easily shared and the power of the Church to control the perception of truth was forever altered.
During WW2 Alan Turing, the father of the Digital Age and modern computing, created digitally based calculation machines that could ‘create’ knowledge that was beyond human capacity at that time. An example of that knowledge was the ability to understand the German Enigma codes.
Computers led to rapid developments in knowledge creation, but these computers existed within fairly discrete silos, mostly within the control of government or large businesses. This was perhaps the start of the military-industrial complex so loved by the paranoid conspiracy theorists but, as they say, just because you are paranoid it doesn’t mean they are not out to get you.
Pre-internet computers and software were developed in the 1970’s and 80’s by organisations such as IBM, Apple and Microsoft, but knowledge remained difficult to transfer and storage capacity was a significant limiting factor.
Sir Tim Berners-Lee took things to the next stage with the publication of the first web page in 1991. The broadband internet and Google were close behind and in no time email and user friendly software led us into the DotCom crash and out the other side. In 2014 Google had indexed 200 Terabytes of information on the internet with over 3 billion people using it - about 40 per cent of the world population up from less than one per cent in 1995.
An external 1 TB hard drive, available for £40, can now store about 100,000 digital versions of the King James Bible. If each of the nine million books in Oxford’s Bodleian Library was the size of the King James Bible when digitised and compressed then the entire contents could be stored on 90 x 1 TB drives rather than on 176km of shelving. A single piece of digital content in text, audio or video can be quickly and cheaply duplicated and distributed worldwide in an instant.
Happy days - free information accessible to all improving social mobility and global collaboration. Remote working allows a more flexible labour force and open sourcing mobilises talents from across the globe to solve tricky problems. Artificial intelligence and automation bring us charming robots like Pepper and world champion Go players, as well as replacing 60,000 workers in a single FoxConn factory.
We have trusted and become increasingly reliant upon computer systems and networks, and trust our valuable intellectual property to them and to those who manage them in the IT community. This has very logically led to increased power flowing into these areas, even though they are not generally well understood by those outside the IT community.
Valuable corporate IP, banking and financial information, personal pictures and emails, medical records, lots of details from different stages of our lives, and bad tempered rants delivered too late in the night with too little thought, are all stored on external servers potentially forever. We have been re-assured (and many of us in the IT community have been doing the re-assurance) that corporate and personal data is safe and confidential.
Aside from the occasional hacker reported in the press such as Gary McKinnon, we all felt pretty secure and the views the other way were dismissed as the paranoid ravings of conspiracy-obsessed individuals who vacationed in Area 51 and are convinced the Moon landings were faked. However, the signs were there that a dark side to the digital age was inevitable.
Edward Snowden, former CIA employee and hacker, shone a light into the darker recesses of the internet when in 2013 he leaked 1.7 million documents. In an instant the sudden realisation that the web was not secret and secure dawned on the general population. The US and other governments had grasped that the power of the internet to aggregate massive volumes of knowledge (or data) would, in turn, provide them with great power.
An unintended consequence of this was that it would be publicly revealed how insecure the internet can be and how vulnerable to hacking companies and individuals are if connected to the internet.
If the NSA and CIA can be hacked, who cannot be hacked? It seems nobody. To list a few examples: Ashley Madison, Premera Blue Cross, Anthem, Sony, Home Depot, JP Morgan, Ebay, Target and TalkTalk have all been breached and had records stolen.
The types of cyber attack to release valuable IP include DDoS, code injection, password cracking, phishing, ransomware, session management and multiple forms of social engineering attacks. Off-the-shelf hacking tools mean powerful attacks can be initiated with no training or skill involved and the impact can be catastrophic. The 2016 NTT Group Global Threat Intelligence Report identified 6.2 billion cyber attacks in the previous year.
Now that the historical context is established, how should this changed and risky environment be managed? One option is to go analogue / off the grid and revert to the typewriter, but realistically we need to balance security and convenience.
Seven recommendations on the management and protection of valuable intellectual property in the digital age:
- Accept the fact that cyber risks have increased and communicate this across your organisation and supply chain.
When selling in the benefits of a new piece of hardware or software or arguing for budget for a new project it is human to de-emphasise the negative aspects and risks. However, this has led to the perception among non-IT-literate senior managers that there is no risk. This is unfortunate as it makes it difficult to make the case for additional resources for IP protection and will also put the head of IT in the firing line should the worst happen.
- Accept that you need an independent view of cyber risk and resist the temptation to mark your own homework. IT is a broad church and evaluating cyber risk and protecting digital IP is highly specialist. Bringing in an independent expert will provide the highest levels of re-assurance.
- Request a simple risk evaluation. As a first step to identify any very large and obvious security risks, it is vital to implement an independent audit.
- Do a risk evaluation today and reduce the risk. From 2018 companies will face fines of up to four per cent of turnover for failing to protect personal data under the GDPR.
- Remember that the threat landscape is constantly evolving and that weaknesses may be found in even the most robust platforms promoted by major brands. The machines that go ‘ping’ with the great brochure may turn out to be all sizzle and no steak.
- Pay as much attention to internal threats as to external threats.
- Have a disaster recovery plan. No system is perfect and it is always best to be prepared if the worst should happen.