How Trade Secrets Can Be Abused By An Attacker After A Data Breach

Last updated by UpGuard on September 4, 2018

 

Overview

Even as public awareness of data breaches grows, the popular conception of what information is sensitive, and how sensitive it is, lags behind the threats that individuals, businesses, and governments face today. The classic model of a data breach involves individuals’ login credentials for banking or private identity information like their social security numbers, but there is equal, and in many cases far greater, value in information with less obvious potential for abuse. Documents generated by businesses describing their strategy and intellectual property do not need to contain either personal information or credentials to be highly valuable for attackers, or very damaging when made public. Indeed, business documents are often what those credentials are intended to protect.

Trade Secrets and Product Strategy

What are trade secrets and why are they necessary

Businesses not only produce and sell a good or service, they develop means to do so better than competitors. That, in theory, is the essence of marketplace economics: the competition to perform some productive activity better than anyone else. Knowledge of how to make their respective better mousetrap, then, is the crown jewel of each business.

What these documents look like for different types of businesses will vary depending on the product or service, but every business has them. For manufacturing companies, the production process itself is a trade secret. From the layout of factories to the separation of labor between humans and machines, all of this information determines the cost of the end good and the productive capacity of the business. The documents detailing this information may take the form of blueprints and models of the facilities and end product. For software companies, product strategy is more likely to be contained in text documents and project management systems like JIRA. Fully developed project management instances will provide a long-term development roadmap, outstanding bugs, research the team needs to perform, and estimations for when features will be delivered.

Potential for Abuse

Whatever the industry, a business needs to plan what it is going to do and describe how it will accomplish its production goals. Not only do significant amounts of labor go into producing those documents, but they contain a business’ most valuable asset: its potential for growth. Exposing product strategy and the trade secrets for executing that strategy is essentially self-inflicted corporate espionage.

To pick one recent example, Waymo’s lawsuit against Uber contended that Uber had stolen trade secrets related to the emerging technology for autonomous vehicles. Despite the judge commenting that “Waymo had yet to deliver on the substantive legal part of the argument that Uber knowingly stole Waymo’s trade secrets for use in its products,” the suit was settled with Waymo getting equity in Uber worth USD $245 million at the time. Part of Waymo’s case involved a former employee downloading documents before leaving Google, Waymo’s parent company. A data breach of those trade secrets could have revealed that information, worth millions, to the world, with no counterparty from whom to recover damages.

Sales Strategy

What are sales strategy documents and why are they necessary

Businesses don’t just make products, they must sell them, and the process for doing so is as carefully orchestrated as the factory line. Having a defined sales strategy allows marketing efforts to target the best opportunities and representatives to deflect objections and show greater value than competitors. All of that adds up to efficient revenue generation and a healthy business. Conversely, diffuse marketing is expensive and generates insufficient leads, while undisciplined sales execution leads to deals being lost unnecessarily.

To sell effectively, businesses plan their strategy and document its execution. While marketing materials showing a product’s benefits are often intended to be public, sales strategy can also include competitive comparisons that highlight the product’s weaknesses in a given sales situation.

Potential for Abuse

Knowing how a company is targeting a given market is like a sports team giving an opponent its playbook ahead of the game. While one would hope that the buyer performs their assessment of the two tools independently and objectively, that is simply not the reality of sales and marketing. Buyers must assess many tools and rely on representatives to provide timely, compelling, and insightful information. Knowing how competitors are behaving can make sales reps appear “one step ahead” by seeding doubts and uncomfortable questions.

Additionally, trust in a sales representative is one of the most decisive factors for choosing one company’s solution over another. The fact of unintentionally exposing data undermines trust in the sales organization and by extension the representatives.

Budgets and Financial Projections

What are financial projections and why are they necessary

Planning how to resource product development and other business functions generates documents. Budgetary projections and planning lay bare the financial architecture of a business: where money comes in and where it goes out, the cardiovascular system of an organization.

Planning those outlays is necessary to ensure that important initiatives have the resources they need to beat out competition and bring the necessary product to market. Projecting revenue is necessary to ensure that the business will stay solvent and to verify that those outlays will provide a sufficient return on investment.

Budgetary planning documents must include some rationale for how those figures are derived, providing greater insight into the functioning of the business and the risks to its financial model. For example, a company with a large number of low-paid workers would be at risk for substantial changes in its model if they secured a raise by going on strike, a proven means for workers to secure greater compensation from their employers. Conversely, a business with a small number of highly paid workers would be at risk if even one of them left, as was the inciting event in the Waymo vs Uber case discussed above. Understanding and planning for these scenarios is a vital part of maintaining the operational capability of any business.

Potential for Abuse

Knowing a business’ finances not only allows competitors to target them more effectively, it can also expose the vulnerable pressure points in their supply chain. As a competitor, this information might be useful for disrupting human capital (that is, wooing key personnel with competitive offers) or as leverage in negotiations with shared suppliers or partners. As a criminal, it provides an inventory of secondary targets through which to access additional data, hints as to which projects do not have sufficient funding for their security programs, and a roadmap for where monetary jackpots may be.

Finally, there is the potential for public embarrassment. The head of the EPA, Scott Pruitt, resigned following a series of ethics scandals, many related to misuse of department funds for travel and other personal expenses. Even in responsibly managed companies, knowing where every dollar goes can highlight differences in how certain projects or roles are considered within the organization. And while projections are necessary to have some sense of a company’s future, when they are not met the results can be disastrous. When Facebook did not realize its growth forecasts, it led to “the biggest one-day loss in U.S. market history.” Managing projections for organizations big and small is critical to maintaining the trust of investors, and part of that is managing the information security for any internal deliberations on those projections lest their improper disclosure result in a public relations disaster.

Mergers, Acquisitions, and Funding

A special class of strategic expense deserves mention: mergers, acquisitions, funding, initial public offerings, and similar one-off events with outsized impacts on a company’s finances. While such events affect financial projections, they are distinct events rather than the ongoing work of budgeting for normal functions. Dramatic financial events like acquisitions or funding involve the transfer of millions or billions of dollars at a time, and involve careful planning and diligence from all parties involved. Such massive changes to a business’ ledger or market position allow for accelerated realization of opportunities or for investors to realize a return on their initial investment.

Potential for Abuse

Part of the reason this class of business event merits separate discussion is that the scale of these events makes them particularly sensitive to any disruption. In “Beyond Cybersecurity,” the McKinsey Institute names a breach of strategic information for M&A negotiation as the most costly to a business. Due to the very large amounts of money involved in mergers and acquisitions for the world’s leading enterprises, even slight losses in leverage can cost tens of millions of dollars.

As startups grow from early stage funding to public offering, they typically receive several rounds of funding that can grow to hundreds of millions of dollars. The valuations and growth plans driving those investments are crucial to ensuring the financial health of the business, and improper disclosure of that information can complicate and derail sensitive negotiations about how much money a business is worth. Additionally, the culminating cash transfers create a juicy target for hackers. Successful phishing attacks during funding rounds can fool investors into wiring millions of dollars to the wrong account.

Conclusion

Some of the most valuable information assets that a business must secure are also the most abstract: those detailing corporate strategy. While simple theft or regulatory fines may be damaging in the short term, they do not touch the heart of what allows a business to compete successfully. A high-level strategy to offer a uniquely compelling product is the core of a business as such, and data exposures that leak this information pose an existential threat to its ability to function. While the short-term effects of strategic leaks may be minimal, their long-term impacts can make them among the most common kind of data exposures.
