Is Your Data Safe from Industrial Espionage?
The story seems all too common: attackers defeat a large retailer's security controls and gain access to sensitive information; public relations, management and other company personnel scramble to understand what happened and handle the crisis; and customers worry that they are now victims of identity theft and stand to lose a great deal of their own money.
While many of the reported stories of information breaches involve large, well-known companies such as Barnes & Noble, Nortel, Nissan and others, in the world of cyber crime, size doesn’t matter – only information does.
Motivations and Objectives of Internet Attackers
Who are these criminals? The most common image that comes to mind is of an anti-social teenager in his parents' basement, clicking away on his keyboard for fun or for recognition among his peers. The reality, however, is that many of these attackers are sophisticated, well-educated computer specialists working for corporations, organized crime, terror organizations and governments with significant resources.
Foreign Governments — Although computer network intrusions often cannot be directly attributed to a foreign entity, many threats originate from China, Russia, Iran and elsewhere, as governments look to acquire business information or technology they lack, or to be economically or politically disruptive.
Industrial Spies — Corporations looking to improve their own operations without investing the time and expense to do so themselves may try to obtain a rival's pricing information, intellectual property, management efficiencies, best practices and other resources in order to gain a competitive edge.
Organized Crime — Criminal groups armed with powerful malware such as the ZeuS banking Trojan, and with well-rehearsed methods for taking over company online banking accounts, are drawn by the opportunities cyberspace provides to steal from companies large and small.
Hacktivists — These political and social activists have varied motivations, but they use the same tools as economic spies and can inflict real damage on companies and other entities.
Internal Threats — Up to 70 percent of identity thefts begin with an employee on the inside. An attacker needs only a few basic pieces of information: a Social Security number and address, a credit card number and address, or a user name and password. The number of company personnel who can access this information largely determines the level of risk.
Teens Having Fun — Yes, they do exist. But they are not the primary concern when it comes to information security.
Targets and their Vulnerabilities
Companies large and small may be vulnerable to breaches by criminals in a number of ways, and many areas are at risk:
Bank Account Information. Online banking accounts are particularly attractive to thieves: once malware is introduced onto a computer used to manage the account, they can transfer funds out of it. A large California escrow firm was forced to take out a loan to pay back $465,000 it lost through online theft.
Payroll, Cost Accounting and Other Systems. These systems may hold Social Security numbers and other human resources information that has a direct dollar value to thieves.
Intellectual Property. When companies participate in joint ventures, intellectual property can become exposed to theft. In one instance, a truck cab manufacturer shared its designs with a parts manufacturer it had enlisted to make a single part but, through an oversight, also shared proprietary design specifications for other parts.
Productivity. As with any improvement, the longer you wait, the more expensive it becomes to upgrade, enhance or replace a system. Legacy systems may no longer be supported by their suppliers, so when a patch is released for a newly discovered vulnerability, it may not apply to the version the company is still running, and that weakness stays open.
What Can Companies Do Now?
A risk management program can help identify, prioritize and monitor risks both inside and outside an organization. Steps in such a program include the following:
- Establish a formal, disciplined framework and governance strategy
- Formalize the process to identify all key risks within the organization, including their likelihood and impact
- Develop quantitative and qualitative measures
- Quantify risks, examine risk treatment and determine risk gaps
- Establish risk monitoring processes and continuous improvement activities
Kathy Thomas-Beck is Florida Managing Partner for McGladrey. Assisting her with this article were Corbin Del Carlo, director, Technology Risk Advisor Services for McGladrey; and Hussain Hasan, principal, Regional Leader – Risk Advisory Services for McGladrey.