Houston Astros Hacking Scandal Serves Up a Cautionary Tale
Silicon Valley, CA (June 2015)—Most of us assume that corporate espionage and digital theft of trade secrets rarely occur outside of technology, retail, and finance.
But as the recent hacking of the Houston Astros' internal computer network—allegedly by St. Louis Cardinals employees—proves, every company in every industry is vulnerable.
As cybersecurity breaches become increasingly common, says James Pooley, companies need to take steps to protect their information assets. If it can happen in baseball, it can happen anywhere.
"Competition these days is all about information—who has it and who can get it," says Pooley, author of Secrets: Managing Information Assets in the Age of Cyberespionage. "We'll be hearing about stories like this more frequently as we expand our use of technology and hackers get more sophisticated."
Having recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT), Pooley is an expert in the fields of intellectual property, trade secrets, and data security.
Secrets, which thoroughly explains how to recognize and mitigate the risk of information loss in today's electronic business landscape, is a must-have guide for executives and managers, knowledge workers, consultants, security professionals, entrepreneurs, investors, lawyers, and accountants—anyone and everyone who works with information.
Here, Pooley spotlights four questions to consider if you're serious about protecting your company's secrets from being hacked:
What information do you have that could give your competition an edge?
Don't underestimate the value of your company's information. Cyberhacking isn't just a threat for big organizations with complicated technology. In the hands of the competition, a wide variety of information about your company's products, processes, strategies, and client base can be used against you.
"The Astros' database contained private statistics, scouting reports, and information about players," Pooley comments. "Most companies collect and store similar data about their performance, strategies, customers, and employees. The competition would love to know all this, and sometimes people step over ethical and legal lines to get it. Remember, in order to protect your information assets, you must first know what you have."
What are you doing about your passwords?
In the Astros' case, it appears that the hackers were able to access the team's internal network simply by trying some passwords that had been used by a former manager of the Cardinals before he went to the Astros.
"In our personal lives, we often reuse the same passwords because they're hard to remember," Pooley acknowledges. "But in business, you can't afford that kind of convenience. Especially if you rely only on passwords to protect information, you need to change them frequently—and especially after key personnel leave your company. Use very 'strong' combinations of characters. And if possible, consider adding extra layers of protection, like call-back requirements or biometrics such as fingerprints."
What procedures are in place to prevent employees from taking valuable information with them when they leave?
When employees leave your company, you reclaim their keys, laptops, and ID cards—but do you worry about the knowledge they carry in their heads?
Companies need to mitigate the risk from the "insider threat," since most information is lost this way. "Even when you have the right contracts in place and have done all appropriate training, you should conduct a thorough exit interview, learning as much as you can about the employee's next job and emphasizing the importance of your secret information and your determination to protect your rights," Pooley advises.
Do you educate employees about your trade secrets?
Employees don't naturally think about information security, and the Facebook generation in particular has been raised on the idea that sharing is good and information is free.
Again, behavior that is generally acceptable in employees' private lives can cause serious problems in a business context. That's why employers must proactively educate their people about corporate hygiene.
"Good training is the best (and most cost-effective) way to avoid problems and make sure employees stay within the bounds of what's legal, ethical, and safe," Pooley shares. "The best training is continuous, careful, upbeat, and professional, and does not rely on threats. While stories of information breaches—like the Astros hacking scandal—provide good case studies, be sure to also highlight your company's own initiatives, especially actions by individual employees, that may have helped avoid a problem."
"As the Astros' misfortune has demonstrated, no industry or organization can consider its information assets safe," Pooley concludes. "While it is impossible to guard against all information leaks, companies do have the power to strongly mitigate the risk of being hacked. What steps does your organization need to take to plug holes in its defense system?"
About the Author:
James Pooley is the author of Secrets: Managing Information Assets in the Age of Cyberespionage. He provides international strategic and management advice in patent and trade secret matters, performs pre-litigation investigation and analysis, acts as a neutral and special master, and consults on information security programs.
Mr. Pooley recently completed a five-year term as deputy director general at the World Intellectual Property Organization in Geneva, where he was responsible for management of the international patent system (PCT). Before his service at WIPO, Mr. Pooley was a successful trial lawyer in Silicon Valley for over 35 years, representing clients in patent, trade secret, and technology litigation. He has also taught trade secret law at the University of California, Berkeley, and has served as president of the American Intellectual Property Law Association and of the National Inventors Hall of Fame.
Mr. Pooley is an author or coauthor of several major works in the IP field, including his treatise Trade Secrets (Law Journal Press) and the Patent Case Management Judicial Guide (Federal Judicial Center). He graduated from Columbia University Law School as a Harlan Fiske Stone Scholar in 1973 and holds a bachelor of arts, with honors, from Lafayette College.
About the Book: Secrets: Managing Information Assets in the Age of Cyberespionage (Verus Press, 2015, ISBN: 978-0-9963910-0-9, $24.97) will be available June 30, 2015, at bookstores nationwide and on Amazon.