...penetration testing (including looking for search vulnerabilities) to protect against this kind of attack. However, the best advice for protecting against hackers attempting corporate espionage is: know your data.
Audit your corporate data and identify what information is potentially sensitive and therefore vulnerable to attack, advised Dirro. Next, separate this information into dedicated areas of the network, and consider separating highly sensitive information entirely. "If you have a highly confidential R&D project, I would consider putting it on its own network, with no external links whatsoever," said Dirro. "Regardless, you should have a clear idea of your data structure, so you know who is accessing sensitive data, and what they're able to do with it."
There isn't a single technical solution to corporate espionage, added Cisco's King. "If there was, we'd be selling it." However, companies can take steps to minimise the threat posed. King's key advice is not to rely on reactive security systems which will warn you only when something specific has happened. Although a good intrusion-detection system and firewall are essential, they aren't enough. "If you're waiting for an alarm to go off, that's not good enough, and it won't alert you to most corporate espionage," he said.
For example, you may want to investigate the latest data-log protection systems. These new software tools can "mark" confidential data with a virtual watermark, which prevents it from being copied to a mobile device or distributed via email. "The technology is relatively new and can be quite difficult to get up and running, but, once you have done the upfront work, [it's] highly effective," Dirro said.
In addition, King recommended routinely checking through IDS log files and access logs looking for attacks or patterns of unusual activity. "We have a product that monitors all our log files from routers and firewalls and looks for anomalous behaviour," says King. "That is different to only reacting to something you know has happened."
It's also important to pay attention to less sophisticated forms of information theft. "Educate people on risks that may seem small, like using a laptop on a plane," advised King. Cisco executives are routinely provided with plastic privacy shields that prevent so-called "shoulder surfing", and the IT department provides training videos that help people be more aware of the risks of discussing confidential projects in public places.
"Sometimes you can be at risk in the most public places," said King. "For example, someone at a trade show might ask you a question which is designed to help them later to do some kind of social engineering." Since producing videos on this topic for the corporate intranet, King's team has received many more calls from employees who say they have received suspicious telephone enquiries.
The vast majority of corporate espionage attacks have the involvement of someone inside the company, argued Mark Schettenhelm, a security consultant with Compuware, and a certified information privacy professional (CIPP). "We've done such a good job of blocking hackers and spam from outside that it's easy to forget the threat from people inside the company who have all the authority and access."
However, King believes it is important to keep corporate espionage in perspective. "We want security to enable the business, and we're not going to lock down systems and stop people doing business." For this reason, Cisco does allow employees to use...