Cyber Security and E-Espionage - On Your Board’S Agenda?
e-Espionage raises the stakes and profile of cyber security
e-espionage - why it should be on every board's agenda
NOT JUST OBVIOUS TARGETS
The chief executive of one of the world's biggest aerospace and defence groups told the Financial Times that in his industry, 'industrial espionage is a problem now and it will be even more in the future.' But e-espionage isn't just prevalent in high-tech industries like electronics, aerospace and automotive; virtually any company that invests heavily in research and development is likely to be a target.
As a result, there's been a shift in attitudes of boards; they used to view the responsibility for security and integrity of their corporate data as squarely with the IT department. William Beer, author of PWC's report on e-espionage, says: €The increasing threat and the rising impact of possible breaches mean the prevention and detection of e-espionage should now be on every board's agenda. Those that fail to focus on it are putting the very future of their organisations at risk.'
The popular bait for e-espionage attack is still:
€Intellectual Property (IP) like inventions and new design concepts;
€Production techniques, processes and formulas, R&D;
€Customer and prospect databases - Personally Identifiable Information (PII);
€Data on pricing, prospective bids, sales, product or marketing plans/ideas.
The most attractive targets are still:
€Those who operate in industries such as IT, biotechnology, aerospace, automotive, telecoms, energy and transportation;
€Financial organisations and those who trade online with high transaction volumes;
€Government bodies in defence or intelligence activities, and
€Those who hold highly confidential data or information of commercial value, or data of value to competitors.
This probably won't make many board members more comfortable since almost all major companies meet some of these criteria.
STEALTHY AND EFFECTIVE
e-Espionage increasingly takes the form of €Advanced Persistent Threats' or APTs, first seen in €Operation Aurora,' which targeted Google, Adobe and some 30 other companies in late 2010. APT-style campaigns have since become popular with cyber crime syndicates because they can slip through conventional information security defences. At the recent Cornerstones of Trust event in San Francisco, experts agreed that traditional, perimeter-based security was useless against APTs.
These attacks have clear yet simple objectives: to circumvent IT security efforts' to gain access, to steal information and to maintain a foothold for future exploits.
€The 'Advanced' aspect stems from a combination of elements to ensure stealth.
€The 'Persistent' part is about undetected, repeat attacks designed to establish a permanent foothold for ongoing ex-filtration of data.
€The term 'Threat' is used because APTs aren't isolated single attacks, but campaigns that can persist for years in some cases, presenting an ongoing threat.
The goal of APTs is to remain undetected by ensuring their advance is gradual and cautious. As a result, APTs are often not detected by victims, but by third parties during security audits or checks. Even if they are detected, many go unreported to avoid the negative publicity and impact on shareholders and customers.
e-espionage - why it should be on every board's agenda
NOT JUST OBVIOUS TARGETS
The chief executive of one of the world's biggest aerospace and defence groups told the Financial Times that in his industry, 'industrial espionage is a problem now and it will be even more in the future.' But e-espionage isn't just prevalent in high-tech industries like electronics, aerospace and automotive; virtually any company that invests heavily in research and development is likely to be a target.
As a result, there's been a shift in attitudes of boards; they used to view the responsibility for security and integrity of their corporate data as squarely with the IT department. William Beer, author of PWC's report on e-espionage, says: €The increasing threat and the rising impact of possible breaches mean the prevention and detection of e-espionage should now be on every board's agenda. Those that fail to focus on it are putting the very future of their organisations at risk.'
The popular bait for e-espionage attack is still:
€Intellectual Property (IP) like inventions and new design concepts;
€Production techniques, processes and formulas, R&D;
€Customer and prospect databases - Personally Identifiable Information (PII);
€Data on pricing, prospective bids, sales, product or marketing plans/ideas.
The most attractive targets are still:
€Those who operate in industries such as IT, biotechnology, aerospace, automotive, telecoms, energy and transportation;
€Financial organisations and those who trade online with high transaction volumes;
€Government bodies in defence or intelligence activities, and
€Those who hold highly confidential data or information of commercial value, or data of value to competitors.
This probably won't make many board members more comfortable since almost all major companies meet some of these criteria.
STEALTHY AND EFFECTIVE
e-Espionage increasingly takes the form of €Advanced Persistent Threats' or APTs, first seen in €Operation Aurora,' which targeted Google, Adobe and some 30 other companies in late 2010. APT-style campaigns have since become popular with cyber crime syndicates because they can slip through conventional information security defences. At the recent Cornerstones of Trust event in San Francisco, experts agreed that traditional, perimeter-based security was useless against APTs.
These attacks have clear yet simple objectives: to circumvent IT security efforts' to gain access, to steal information and to maintain a foothold for future exploits.
€The 'Advanced' aspect stems from a combination of elements to ensure stealth.
€The 'Persistent' part is about undetected, repeat attacks designed to establish a permanent foothold for ongoing ex-filtration of data.
€The term 'Threat' is used because APTs aren't isolated single attacks, but campaigns that can persist for years in some cases, presenting an ongoing threat.
The goal of APTs is to remain undetected by ensuring their advance is gradual and cautious. As a result, APTs are often not detected by victims, but by third parties during security audits or checks. Even if they are detected, many go unreported to avoid the negative publicity and impact on shareholders and customers.
