
Competitors to British companies are receiving help from
foreign intelligence services to hack into corporate databases to
steal new product plans and win business, a former director of
the Centre for
the Protection of National Infrastructure (CPNI) says.
Former CPNI director Steve Cummings, now a special advisor on
security and privacy for the
Deloittes management consultancy, said corporate espionage was
on the rise, aided and abetted by foreign state intelligence
services.
Deloittes is currently advising a client which believes its
"very expensive R&D" was stolen by foreign agents, he said.
Cummings added that the nature of the internet made it hard to
identify the actual perpetrators, but that they appeared to be
getting help from state intelligence agencies, if indeed the
agencies were not acting directly.
Corporate espionage is not new, he said. The
director general of MI5 wrote a letter to 300 leading UK firms
to warn of the threat in November 2007. But it is now a "hot
button".
Increasing threat
Globalisation is a key factor in increasing the threat, and the
internet is raising it further, Cummings said.
Mike Maddison, partner of Deloittes' security practice, said
there was growing evidence that spies were changing their attack.
Companies have improved their defences against random distributed
attacks, so spies are targeting potentially vulnerable
individuals.
Cummings said some staff were revealing their job titles and
work e-mail addresses on social networking websites. Spies collect
this data and try to exploit them using social engineering.
He said he currently had no firm evidence that the recession is
affecting people's "motivational package", but as it continues some
are likely to find themselves stretched and hence potentially
vulnerable to an approach.
The CPNI and Deloittes have tried to develop more scientific
ways to identify staff who might go bad. So far, Maddison said the
damage insiders have caused is mostly "vandalism", but "we might not
yet have discovered cases of systematic long-term abuse".
Risks to information security in consumer businesses:
- 91% of consumer businesses had at least one security breach in
the past year
- 48% believe social engineering will continue to be the major
threat to infosecurity
- 98% of firms have third parties that can access their data
- 57% do not audit their third-party partners' infosecurity after
the initial investigation
- 74% do not have defined infosecurity training and awareness
schemes
- 43% do not have a formal infosecurity strategy
Threats to information security in consumer businesses:
- Social engineering
- Theft or leakage of internal data
- Employee conduct
- Virus/worm outbreaks
- Weak passwords
Source: Deloittes Consumer Business Security Survey 2009