A corporate secret is “any secret practices and processes that give a company a competitive advantage over its competitors.” To be considered a trade secret, an organization must make a reasonable effort to guard the said secret.
While the average company suffers around $1.2 million in damages as a result of lost secrets, the cost of managing them can be just as high.
In the cybersecurity community, it’s a well-known fact that human factors are still one of the main contributors to successful security infiltrations.
A new survey by 1Password highlighted this fact once more, showing that employees are often careless in sharing sensitive information, such as code, credentials, and keys. However, employees polled also pointed the finger at companies not doing enough to secure their secrets.
Regardless, affected companies lose millions as a result. In fact, 60% of companies polled have experienced the leaking of valuable secrets.
The issues facing organizations regarding secret management often stems from a lack of cybersecurity leadership; at least partly driven by the current drought in cybersecurity talent.
LIFARS’ CISO as a Service is designed to address an organizations’ information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming Cybersecurity Programs. We focus on maximizing business values by minimizing risks and optimizing opportunities.
Why are managing corporate secrets so hard?
The report shed some light on the exact ways in which carelessness on the behalf of employees can lead to exposing valuable corporate information/assets. Among others, it found that:
- Almost 64% of IT (Information Technology) and DevOps employees admit to reusing enterprise secrets between projects.
- 36% Said that they would share secrets over insecure channels to increase productivity.
- 77% of ex-employees still have access to their former employer’s infrastructure secrets.
However, companies themselves are not completely blameless. The same report found that while nearly all (97%) of companies have policies regarding the protection of corporate secrets in place, only 36% strictly enforce those policies.
Furthermore, 80% of companies admitted to not managing their secrets well. This also speaks to a lack of cybersecurity leadership and policies.
It is also not purely the fault of either employees or the organizations they work for. The cybersecurity industry is facing challenges on multiple fronts and all stakeholders must continually adjust their approach to stay ahead of threats.
For example, 52% of IT and DevOps workers say that the explosion of cloud applications has made managing secrets more difficult.
Undoubtedly, some of this has to do with the careful balancing act that corporates often find themselves having to do when it comes to balancing productivity, cybersecurity, and cost-efficiency.
Humans can be notoriously bad at gauging risk. Often, the long-term implications of unsafe practices are ignored in favor of the immediate advantage of finding quicker and more efficient ways to do things.
Nor are they completely wrong on this point. Without dedicated policies or frameworks for managing secrets, 39% of employees spend around 25 minutes per day handling them – costing organizations roughly $8.5 billion a year.
The difficulty in managing secrets is illustrated further by the report’s other findings:
- 1 in 4 companies say that their secrets are stored in 10 or more separate locations
- 50% of individual contributors in IT or DevOps roles say they do not know how many distinct locations their secrets could be found in
How can organizations manage secrets safely and efficiently?
Organizations need to do something to avoid the potentially massive costs of experiencing secret leakage. However, it must be approached in an intelligent way that does not lead to ballooning costs and an unacceptable loss in productivity.
Here are some of the step’s organizations to take to achieve those goals:
- Devote sufficient time and resources to devise a plan for managing secrets as well as official educational material and password policies.
- Foster a culture that shows your company takes secret protection seriously and reinforces best practices.
- Train new and existing employees and update the training frequently or as needed.