Countering corporate espionage

Theft of commercially valuable information costs the world's largest companies over £22bn a year, and small firms are just as vulnerable. How can you mitigate the risks to your company?
Written by Sally Whittle, Contributor

Corporate espionage costs the world's 1,000 largest companies in excess of $45bn (£22.8bn) every year, according to research from consulting firm PricewaterhouseCoopers.

However, smaller companies are also at risk, warned Toralv Dirro, a security strategist with McAfee. "What you need to know is that this is happening more than ever before, and on a bigger scale than ever before," he said. "Any business that derives competitive advantage from information should be concerned about this issue."

Dirro argued that corporate espionage has increased rapidly in the last decade, as more information is put onto corporate networks — and potentially within the reach of hackers. PricewaterhouseCoopers, for example, reported that losses from corporate espionage doubled between 1990 and 2000.

Corporate espionage can be defined as the theft of commercially valuable information. This may be the secret formulation of a new product but it could equally be the names and salaries of senior executives, or simply the date of your next marketing initiative.

It's difficult to know exactly how common corporate espionage is because most victims never report the attack to the police, fearful of the consequences of going public, said Paul King, a senior security adviser with Cisco. Moreover, many companies don't necessarily realise that they've been attacked if a hacker is sufficiently skilled. Cisco's security experts constantly scan the internet for reports of attacks on other organisations and assess the risk of similar attacks on their own company. "I think the best we can do is monitor our systems carefully and, if we hear of an attack on another organisation, ensure that it couldn't affect us," said King.

The question isn't whether you know you're vulnerable to corporate espionage, it's knowing how vulnerable you could be, said King. "I never ask why something would happen to us; I ask why it wouldn't," he said. "So, if your chief executive says he's not a victim of this stuff, how confident is he? And the only way to be really confident is to be looking hard for it."

The first step in protecting yourself from corporate espionage is to close the most obvious loopholes — those which can be exploited by hackers without even breaking the law. "We're seeing massive growth in Google hacking," said Rhodri Davies, a technical architect with security specialist Vistorm. "This is the process of using really smart Google searches to find information left open on web servers. It's unsportsmanlike, but definitely not illegal."

With Google hacking, hackers can routinely find information on projects and personnel and the file names of confidential documents, even if they cannot access the documents themselves. "You can easily automate searches, so that, if a document is online even briefly, you'll be emailed that search result," said Davies. The danger is that this information will then be used as the basis of an attack, enabling a hacker to pretend to be inside the company or to launch a social-engineering attack.

Security companies have seen a dramatic increase in "spear phishing", a highly targeted phishing attack where a single executive may receive an email that appears to be from an authorised partner or supplier, relating to a project that isn't widely known outside the company. "The usual trick with this sort of email is to encourage the user to open a file which will launch a Trojan, potentially giving someone access to the whole network," said Dirro. "We have been seeing an awful lot of these [attacks] in the last year or so."

How do you know if you have been a victim of corporate espionage? In many cases, you'll never know, said Dirro. "If it's a skilled hacker, they will have used Trojans to ensure the intrusion-detection system isn't triggered." Security experts recommend regularly conducting...

...penetration testing (including looking for search vulnerabilities) to protect against this kind of attack. However, the best advice for protecting against hackers attempting corporate espionage is: know your data.

Audit your corporate data and identify what information is potentially sensitive and therefore vulnerable to attack, advised Dirro. Next, separate this information into dedicated areas of the network, and consider separating highly sensitive information entirely. "If you have a highly confidential R&D project, I would consider putting it on its own network, with no external links whatsoever," said Dirro. "Regardless, you should have a clear idea of your data structure, so you know who is accessing sensitive data, and what they're able to do with it."

There isn't a single technical solution to corporate espionage, added Cisco's King. "If there was, we'd be selling it." However, companies can take steps to minimise the threat posed. King's key advice is not to rely on reactive security systems which will warn you only when something specific has happened. Although a good intrusion-detection system and firewall are essential, they aren't enough. "If you're waiting for an alarm to go off, that's not good enough, and it won't alert you to most corporate espionage," he said.

For example, you may want to investigate the latest data-log protection systems. These new software tools can "mark" confidential data with a virtual watermark, which prevents it from being copied to a mobile device or distributed via email. "The technology is relatively new and can be quite difficult to get up and running, but, once you have done the upfront work, [it's] highly effective," Dirro said.

In addition, King recommended routinely checking through IDS log files and access logs looking for attacks or patterns of unusual activity. "We have a product that monitors all our log files from routers and firewalls and looks for anomalous behaviour," says King. "That is different to only reacting to something you know has happened."

It's also important to pay attention to less sophisticated forms of information theft. "Educate people on risks that may seem small, like using a laptop on a plane," advised King. Cisco executives are routinely provided with plastic privacy shields that prevent so-called "shoulder surfing", and the IT department provides training videos that help people be more aware of the risks of discussing confidential projects in public places.

"Sometimes you can be at risk in the most public places," said King. "For example, someone at a trade show might ask you a question which is designed to help them later to do some kind of social engineering." Since producing videos on this topic for the corporate intranet, King's team has received many more calls from employees who say they have received suspicious telephone enquiries.

The vast majority of corporate espionage attacks have the involvement of someone inside the company, argued Mark Schettenhelm, a security consultant with Compuware, and a certified information privacy professional (CIPP). "We've done such a good job of blocking hackers and spam from outside that it's easy to forget the threat from people inside the company who have all the authority and access."

However, King believes it is important to keep corporate espionage in perspective. "We want security to enable the business, and we're not going to lock down systems and stop people doing business." For this reason, Cisco does allow employees to use...

...memory sticks and mobile devices, but with appropriate encryption and other security measures.

The best approach is to accept that providing employees with access to sensitive information will always carry some risk, but to mitigate that risk as far as possible, said Schettenhelm. Compuware provides a range of tools designed for "application auditing", which basically means monitoring who uses software and what they do with it. One of the biggest challenges for any company that has been hacked is knowing the extent of the breach and application auditing can also help in this respect, showing which screens and fields of data were viewed by an individual user.

"It means, if there is a breach, you can easily see where it happened, who did it and what was breached," says Schettenhelm. "It also protects employees from false accusations because it shows where there was no inappropriate action."

Application auditing can be combined with data-mining tools to reveal patterns of usage and alert managers to anomalous activities. For example, you could monitor the activity level in a customer-service centre to show that a typical agent is accessing 100 records per day, while one employee is regularly accessing 500 records. "That type of spike might indicate a problem, and further investigation may show which sort of records he is accessing and whether it tallies with the number of inbound calls they were handling," said Schettenhelm. "You can then ask: why did you need that screen for that call?"

This type of technology works best when sensitive data is held on separate screens, Schettenhelm added, so that you can track exactly who is accessing information such as credit-card details or medical records. It will also help in preventing future problems, because auditing will show which screens really are needed to do a specific job — meaning that access to any information that isn't strictly needed can be restricted.

Of course, an organisation can't simply block access to all confidential data — developing new products is difficult if the engineers can't access the plans, after all. But analysing network traffic can show who is downloading information and at what times. "A common trigger which might indicate a problem or a hacker is someone accessing files outside of office hours, when they can't be seen by colleagues," said Schettenhelm.

Five corporate espionage cases
In 2005, HP allegedly paid an ex-Dell executive to collect "competitive intelligence" about its rival's business activities. The allegations were contained in a countersuit filed by former employees of HP who were accused of starting a rival business while still employed by the firm. Another lawsuit filed by one of Dell's Japanese rivals accused the company of running a "competitive intelligence investigation".

Five years earlier, in 2000, Microsoft fell victim to what the company called "a deplorable act of industrial espionage" when hackers broke into the company's system and access Windows and Office source code. Hackers had access to the source code for up to three months.

In the pharmaceutical sector, Proctor & Gamble and Unilever became involved in a dispute when Fortune magazine reported that Proctor & Gamble had been involved in corporate espionage against its archrival. Agents appointed by Proctor & Gamble were alleged to have misrepresented themselves as market researchers and used various other methods to collect information about their rival.

In 2006, two hackers were extradited from the UK to Israel when it was alleged that they had developed and sold spyware which was used by companies to spy on rivals in their native Israel. Three private investigation companies in Israel were alleged to have sent emails with Trojan packages designed to evade detection by security tools.

A UK hi-tech firm became a potential victim of corporate espionage when computer hardware was stolen from its offices in Lancashire. Thieves who stole a number of laptops from the fuel management firm in March also stole server hard drives, causing fears that the information could be sold to commercial rivals.

Editorial standards