What is critical information?
When we talk about preventing information loss, we usually talk about three areas: Identification, valuation, and protection of the information.
We can generally classify information into two categories, intellectual property and critical information.
Intellectual property
Intellectual property includes (in decreasing order of visibility) trademarks and service marks, copyrighted materials, patents, proprietary information, and trade secrets. We have observed that there are too many IP holders who have never performed an inclusive audit of their IP, nor have any listing of their IP inventory, its disposition, nor even the ability to find out whether if there have been lost.
There are also significant issues surrounding valuation of intellectual property (such as IP developed in-house, for example, rather than being acquired outside, has no book value), with the actual valuation of IP being the elephant in the boardroom.
There is little mystery surrounding protection of trademarks and service marks, copyrighted materials, and patents from deliberate and unintentional violation. There is a lot of mystery surrounding the protection of trade secrets and proprietary information from competitive intelligence, economic espionage, and theft.
Critical information
The second is critical information. What do we mean by critical information? We mean information that, if known, would give an advantage to competitors and adversaries. Be aware that in the world of commerce we tend to think of “competitors” and “adversaries” as being synonymous. They are not. Those in the same business as you are competitors. People or groups who try to kidnap or kill your management and staff, blow up your facilities, or rob you are adversaries. A company may have no competitors, yet still have adversaries.
By this definition proprietary information and trade secrets might fall into either category. And, in fact, while protection of public forms of intellectual property (trademarks and service marks, copyrighted materials, and patents) falls into the bailiwick of attorneys and accountants, proprietary information needs to be protected as if it fell into the more-amorphous category of critical information.
In order to identify critical information, we must understand the operational goals and objectives of management. We must then aid management in identifying information which an adversary must acquire to achieve their own goals and objectives, or to inhibit or stop management’s attainment of management goals and objectives.
Above all, it is important to avoid the trap of looking at what is considered important to you: Information considered important to you should in theory already be protected from general threats and crimes of opportunity by attorneys, accountants, and security.
While some critical information (processes and trade secrets) is fairly concrete, in many cases it is not. Thus, for example, the written formulation of a product may be something that you protect assiduously because it is important to you. But if you do not shield your loading docks to prevent people from looking at the raw materials you are buying – these are likely to be roughly equivalent to the proportions of your formulation – keeping the proprietary formula under lock and key may not be entirely fruitful.
While determining what constitutes critical information is a management function, it is not a function that has been generally addressed. By the same token, the practical skill set of protecting critical information is not taught in law, business, accounting, or security courses. This skill sets fall into the area of counter-intelligence.