The world is awash with data theft. The line-up of brands – Sony, Target, Ashley Madison, Carphone Warehouse – that have been hit by hackers increases every day, while protecting customer details in the era of cloud computing, when more data is being held digitally, is now a board-level issue.
Yet the impact of the theft of customer data arguably pales in comparison compared with the potentially devastating hit a company can take if its own secrets are stolen. All data may be valuable, including customers’ personal details, but it is a company’s intellectual property (IP) that represents cyber criminals’ big pay day.
Hitting businesses hard
The loss of IP can have a devastating effect on a business beyond brand reputation. Forrester Research uses the example of Codan, a little-known Australian metal detection company, that suffered a data breach in 2014 and found its designs were stolen. A flood of similar devices hit the market in no time and Codan was forced to slash its prices as a result. Net profit slumped that year to A$9.2 million from A$45 million a year earlier before the breach happened.
The impact can be even worse in that it can put a company out of business altogether. Nortel Networks was one of the world’s biggest telecoms equipment companies at the turn of the century. Yet one of Nasdaq’s highest fliers was not immune to IP theft and has been retrospectively accused of failing to spot a breach for four years, during which time its systems were constantly monitored. It then failed to act effectively when it discovered the breach and within six years Nortel had collapsed altogether.
Although the entire sector was hit by price competition, Nortel in particular seemed to suffer from the rise of Chinese companies that had rapidly acquired technological know-how. Failing to protect its IP may have proved terminal for the business.
There is, of course, nothing new about IP theft with traditional threats coming from both within – an employee with a grudge trying to steal and sell information – and without – in the form of corporate rivals. The threats have grown exponentially in the world of global connectivity and unsecure corporate networks where an infected USB stick or even a weak firewall at a trusted partner, such as a law firm, can leave the chicken coop gate wide open for the cyber-foxes.
Heidi Shey, an analyst at Forrester, says IP theft is now the “jackpot of corporate espionage” with BlackOps Partners, a counter-intelligence company, estimating that it costs US companies $500 billion a year.
Just as the world becomes accustomed to “malware-as-a-service”, the value of IP theft has spawned an industry Forrester calls “espionage-as-a-service”. These are effectively IP bounty hunters, who offer a range of services priced between $1,000 and $10,000, looking to target companies in fields such as telecoms, financial services, defence, law and IT. “If not contracted to steal this data, these groups will sell stolen intellectual property to the highest bidder,” says Ms Shey.
Simon Crosby, chief technology officer and co-founder of Bromium, says the relatively low cost of attempting IP theft is very appealing to cyber criminals. He says the data under threat falls into two distinct categories, “competitive differentiation and fundamental IP”. The first category includes tenders, contracts and any data valuable to a company’s rivals.
A Bromium customer, who designs and builds power plants, reported a huge increase in targeted attacks in the days prior to submitting a bid, says Mr Crosby. Losing a bid is bad, but there is even more at stake for those failing to protect fundamental IP, which can include formulas for compounds, product designs or core technology. Such information is so valuable that it is national governments that are often indirectly behind attempts to steal it.
The main threat comes from so-called advanced persistent threats, which are targeted attempts to get at a specific set of information. They can infiltrate a network and use backdoors to copy it, while avoiding detection. In such cases, by the time the threat is detected, the data has gone and it’s too late. “Once an organisation’s IP is out, it’s out,” says Forrester’s Ms Shey.
As is often the case with cyber security, it is the more basic techniques that can work. Jacob Ginsberg, a senior director at Echoworx, says any data held in an unsecure manner is at risk given its value, but companies often spend too much resource on expensive solutions which bring confidence that a network is secure.
Companies need to prepare for a Doomsday scenario – at the very least to ensure that, if and when a breach of its fundamental IP occurs, a strategy is in place
“There’s no need for criminals to hack a complex security system anymore when users make it so easy to access their data,” says Mr Ginsberg. “Ninety per cent of attacks come as a result of human error, usually from an employee. E-mail security is often overlooked in favour of network firewalls or file server security and ‘spear phishing’ has become more frequent as a result.”
Some companies may have to prepare for the vulnerabilities posed by careless workers, but for others, the internal threat is more pronounced. David Gibson, vice president of strategy and market development at Varonis, says: “It’s often insiders who go after sensitive data – trade secrets, strategic plans, proprietary software, key customer accounts, legal documents – not just the outside attackers that get inside. After all, employees – often the ones who have worked on the IP itself – know where the files are located and, more significantly, the IP’s true value.
“Unlike locked file cabinets from yesteryear, we’ve not been careful about access permissions – too many users can find the IP and transfer it to their thumb drives, print it out or e-mail it.”
Companies need to prepare for a Doomsday scenario – at the very least to ensure that, if and when a breach of its fundamental IP occurs, a strategy is in place. Ms Shey recommends testing and refining an “incident response” plan as a critical move for any organisation.
Others have confidence that there are technological solutions. Andy Heather, vice president, Europe, Middle East and Africa, with HP Security Voltage, says the advent of a new format preserving encryption standard has greatly simplified the process of protecting data throughout its life cycle.
Mr Gibson of Varonis says user-behaviour analytics and unstructured data protection techniques have improved to the point where unusual file patterns can be spotted early to prevent IP theft.
Some, however, believe more drastic measures need to be taken, particularly to protect fundamental IP. Bromium’s Mr Crosby argues that a system of “micro-virtualisation”, which enables machines to be designed to protect themselves in the case of a compromised system, could prove an adequate defence. “A few systems need to be re-imagined from scratch, using trusted media. These systems need to be protected by design from any malware in the intranet and infrastructure,” he says.
Tony Berning, a senior product manager at software specialists OPSWAT, says isolating critical and classified networks, and creating multiple layers of cyber security, can be effective, but contends that using data diodes as one-way gateways brings peace of mind. “No data can leave, effectively preventing any intellectual property loss,” he concludes.