Corporate espionage is a huge problem for businesses and individuals alike, as both intellectual property (IP) and employee/customer data are at risk. Your HR department has a lot of information about you, including bank account numbers for direct deposits. Your company’s digital IP ranges from proprietary drug/chemical formulas to an Internet search algorithm, and its loss can break the business.
Will I say that every company is at risk? No, not every company. If you’re already using open source or don’t possess IP of great value, then there’s not a huge monetary/intellectual gain in ripping you off. But, time and time again, we’ve seen evidence that foreign powers and corporations are finding it’s easier to steal information than develop it. Espionage isn’t new. It’s just that by putting information on hard drives and improperly securing it, we’ve allowed people seeking our precious ‘widgets’ to take them without leaving the privacy of their home (or military base).
We don’t have real numbers for corporate rip-offs, though. We’ve all seen press coverage around Aurora, but honestly, most people don’t want to admit to the public that a serious breach occurred, unless they have to. Or, look at the Chamber of Commerce hack… they didn’t even know it happened until the FBI knocked on their door to give them a friendly heads-up.
Thinking like a hacker is a serious skill. It requires patience, diligence and technical aptitude. How many people exist like that in the world today? Not enough. Even in the places where they’re most critically needed. I mean, you’re not talking about engineers. Engineers are phenomenal builders, but they’re not trained to think of the myriad ways their creations could be abused, manipulated and destroyed. Skilled hackers need wide knowledge of a pretty Swiss Army knife array of technologies to penetrate a modern enterprise, and do so without being detected by modern IDS, DLP, etc. systems.
So, I mean, it’s not that companies are behaving inappropriately, but that the talent is hard to find, and often pretty expensive. A lot of companies think IT generalists can handle complex security scenarios, and I’m just not sure that’s the case anymore. And, with increasing load on IT staff in terms of virtualization, remote offices, new applications, etc., it’s almost impossible to manually keep up with an internal IT landscape, let alone its security posture.
I would encourage people to think harder about security and use a combination of people, software and process to combat the threat. Realistically, the core issue is that companies are lying to themselves if they think the ghost isn't already in the machine.
Time has shown that it’s not an 'if' scenario, it’s a 'when'. The key is to be prepared when that happens, so when it does you know you're in the best possible position.
- Ken Pickering, Development Manager, Security Intelligence