Valuable intellectual property targeted by cyber attacks
Today, cyber attacks are never far from the headlines in our interconnected world, as organisations report a surge in incidents, with criminals and even, potentially, state actors seeking to steal commercial secrets on an unprecedented scale. With everything from advanced aircraft designs to business plans firmly in the hackers’ sights, intellectual property that can represent years of effort and millions of pounds’ worth of investment can be stolen in the blink of an eye.
Peter Jopling, Executive Security Advisor, IBM (UK & Ireland), is certainly well versed in the cyber security threat as deputy lead of a specialised worldwide ‘tiger team’ whose mission is to advise organisations on large, complex, cyber-security issues. Marking out the scale of the problem, Jopling reveals that cyber attacks have actually overtaken more traditional criminal activities: “In the middle of 2013 the scales really tipped. In fact there are now more active organised criminal gangs in the cyber crime area than there are involved with
Regarding intellectual property theft, specifically, Jopling reports that it isn’t unknown for a manufacturer to turn up at a trade show in the Far East and see their ‘brand new widget’ being exhibited by another company: “This is perhaps an extreme example, however the overwhelming challenge at the moment for pretty much every organisation is that they have lots of security products – anti-virus and content filters – but there isn’t a holistic view, each component works in its own environment.” He stresses that, in terms of best practice, organisations need to have the capability to aggregate their data in real-time to understand the subtle nuances within their network: “This allows them to detect anomalies, and behavioural issues, that weren’t there yesterday or last week. It is about being able to detect and respond.”
When a cyber attack hits, Jopling believes every second counts: “The timeline is very short so the human element is really incidental, it is technology that is going to help you assess what’s vulnerable and what you need to do.” When it comes to stopping an attack, Jopling feels that there is a tendency for organisations who are not geared up to simply panic: “As they haven’t planned for this [cyber] activity it tends to cost them an awful lot to bring in resources and triage.” Another downside of a mere ‘sticking plaster’ approach, reckons Jopling, is the danger of destroying vital digital evidence: “You can have a double effect, you don’t know how the issue happened and you can’t take remedial action against it happening again.” Jopling doesn’t pull his punches for those who may think the danger is over once they suffer an attack. In fact, he reports, lightning does strike twice: “If you have been hit there is a high propensity, through the ‘dark web’ networks, for people to try to do the same and look at the exploits, and slightly change their malware, for a new attack.”
Of course it is not just external threats that give cause for concern, Jopling also sheds light on the ‘clear and present danger’ posed by less scrupulous employees: “We have a managed service within IBM and pretty much over 30 percent of the activity that we see of our 4,500 customers is from an ‘insider’ threat.” This reality is reinforced by the IBM 2015 Cyber Security Intelligence Index which reveals that whilst a significant proportion – 45 percent – of cyber crimes are instigated and committed by hackers, directly targeting an organisation’s network from the outside, 32.5 percent of attacks are driven purposely by malicious or disgruntled current and former employees looking to take advantage of their privileges or continued access to company files. Added to this, the IBM Index shows that in nearly a quarter of attacks – 24.5 percent – cyber criminals worked to exploit unwitting personnel or third-party partners as conduits for a breach.
Another report, which helps to put some figures on the trends here, is EY’s Global Information Security Survey 2014. The headline findings of the survey include the fact that 56 percent of organisations who responded were unlikely to detect a sophisticated cyber attack; 74 percent have admitted that their cyber security only partially meets their needs and 37 percent said they had no real insight into the cyber risks they faced.
According to Chris Gould, Head of Cybercrime Investigations at EY, one thing that stands out when discussing intellectual property theft, above and beyond other types of cyber crime, is the degree of state sponsorship in and around this activity to gain an economic advantage.
Given the scale of the challenge he considers intelligence gathering as a way for organisations to very quickly get a handle on whether things are happening with their ‘IP’: “One of the service offerings we have at EY is actively doing R&D [Research and Development] cost analysis – a kind of economic cyber crime investigation – where we look at, for example, a car producer in country A spends ‘X’ on R&D before bringing out a new model and then a company in country B has a fraction of that cost of R&D but is still able to produce and develop cars equally quickly. You can actually see some very clear patterns when you do that,” concludes Gould.
The business implications of intellectual property theft for organisations who are committed to heavy R&D investment are reiterated by Dan Solomon, Director, Cyber Risk and Security Services, at Optimal Risk Management Ltd: “Should a competitor get their hands on product information and bring the same kind of thing to market, but cheaper, it can cost a huge amount of market share.” For Solomon ‘industrial espionage’ remains a huge problem: “Most people aren’t awake to it so by the time they actually see indicators of compromise they believe it is already too late. Some industrial espionage campaigns have gone undiscovered for years.”
Solomon feels that in many ways the odds are stacked in the favour of the attacker: “If they pay hackers to acquire information the risk to the attacker is quite low. Even if the hacker is caught or doesn’t succeed the chances of them [the attacker] being identified and prosecuted is pretty small.”
The right classification
Pressed on what organisations can do to address the problem, Solomon replies that one aspect would be to think like an ‘intelligence agency’: “If you want something that is absolutely vital to remain confidential it should be classified. Classification of data and transactions – by that I mean the sending and storage of information – is absolutely key. If you can correlate the classification of data with the permissions of the user then you can quickly identify where somebody is accessing a certain kind of data from the wrong place at the wrong time.”
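The correlation described above can be sketched as a small detection rule. This is an added example, not code from the article or from anyone quoted in it; the classification levels, user profiles, asset names and log format are all constructed assumptions.

```python
from datetime import datetime

# Constructed classification levels, lowest to highest (assumption).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Constructed user permissions: clearance, approved locations, working hours.
USERS = {
    "alice": {"clearance": "secret", "locations": {"hq-london"}, "hours": (8, 18)},
    "bob": {"clearance": "internal", "locations": {"hq-london", "vpn"}, "hours": (8, 18)},
}
# Constructed data catalogue mapping each asset to its classification.
ASSETS = {
    "designs/wing-v7.cad": "secret",
    "hr/handbook.pdf": "internal",
    "plans/fy-strategy.docx": "confidential",
}
# Constructed access log: timestamp, user, source location, asset.
LOG = """\
2015-06-01T10:15:00 alice hq-london designs/wing-v7.cad
2015-06-01T11:02:00 bob hq-london hr/handbook.pdf
2015-06-01T11:40:00 bob hq-london plans/fy-strategy.docx
2015-06-02T02:31:00 alice vpn designs/wing-v7.cad
2015-06-02T09:05:00 carol hq-london hr/handbook.pdf
2015-06-02T23:10:00 bob vpn hr/handbook.pdf
"""

def evaluate(line):
    """Return the list of policy violations for one access-log line."""
    ts, user, location, asset = line.split()
    profile = USERS.get(user)
    if profile is None:
        return ["unknown-user"]
    level = ASSETS.get(asset, "secret")  # unclassified assets: treat as most sensitive
    reasons = []
    if LEVELS[level] > LEVELS[profile["clearance"]]:
        reasons.append("above-clearance")
    # Place and time are only enforced for data classified above 'internal'.
    if LEVELS[level] >= LEVELS["confidential"]:
        if location not in profile["locations"]:
            reasons.append("wrong-place")
        start, end = profile["hours"]
        if not start <= datetime.fromisoformat(ts).hour < end:
            reasons.append("wrong-time")
    return reasons

def detect(log_text):
    """Return (line, reasons) for every access that violates the policy."""
    checked = ((ln, evaluate(ln)) for ln in log_text.splitlines() if ln.strip())
    return [(ln, reasons) for ln, reasons in checked if reasons]
```

Calling `detect(LOG)` flags three of the six constructed events; the late-night VPN read of the handbook is not flagged because place and time are only enforced on higher classifications.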
Digital media matters
Joe Schorr, the Director of Advanced Security Solutions at Bomgar, considers that the inexorable rise of digital content means that this type of intellectual property – like pre-release versions of films or songs – is especially vulnerable to criminal elements: “Media companies live in fear of songs or films being stolen and shared before their official release date. Yet they often rely on third party vendors or outsourcers to handle some or all of their day-to-day IT operations.” Schorr goes on to say that, more often than not, these vendors are accessing the media companies’ networks through traditional VPNs: “This makes it difficult to control or monitor what they’re doing once they’re on the network.” So what is the answer to this? Schorr feels that third parties who have access to other companies’ IT networks need to be managed closely and their activities audited and tracked. One suggestion is that rather than giving them a key to the entire network with a VPN they should only have access to the systems on which they actually need to work, with a workflow to request additional access if needed.
A further aspect which organisations need to keep on top of is how they manage their IT assets, stresses Amol Sarwate, Director of Engineering at Qualys, which recently launched a free, cloud-based IT asset tool called AssetView. He warns that if patches and updates aren’t applied in a timely way this creates new avenues for hackers to gain access to sensitive intellectual property: “Creating an inventory helps companies to keep track of their assets and ensure they are fully patched,” says Sarwate.
So, to conclude, it would seem that the threat of cyber attacks to intellectual property isn’t going to disappear anytime soon and that renewed vigilance by organisations, regarding external and internal threats, should very much be the order of the day.