Competitors to British companies are receiving help from foreign intelligence services to hack into corporate databases to steal new product plans and win business, a former director of the Centre for the Protection of National Infrastructure (CPNI) says.
Former CPNI director Steve Cummings, now a special advisor on security and privacy for the Deloittes management consultancy, said corporate espionage was on the rise, aided and abetted by foreign state intelligence services.
Deloittes is currently advising a client which believes its "very expensive R&D" was stolen by foreign agents, he said.
Cummings added that the nature of the internet made it hard to identify the actual perpetrators, but it looks like they are getting help from state intelligence agencies, if indeed the agencies are not acting directly.
Corporate espionage is not new, he said. The director general of MI5 wrote a letter to 300 leading UK firms to warn of the threat in November 2007. But it is now a "hot button".
Globalisation is a key factor in increasing the threat, and the internet is raising it further, Cummings said.
Mike Maddison, partner of Deloittes' security practice, said there was growing evidence that spies were changing their attack. Companies have improved their defences against random distributed attacks, so spies are targeting potentially vulnerable individuals.
Cummings said some staff were revealing their job titles and work e-mail addresses on social networking websites. Spies collect this data and try to exploit them using social engineering.
He said he currently had no firm evidence that the recession is affecting people's "motivational package", but as it continues some are likely to find themselves stretched and hence potentially vulnerable to an approach.
The CPNI and Deloittes have tried to develop more scientific ways to identify staff who might go bad. Maddison said the damage insiders have caused so far is mostly "vandalism", but "we might not yet have discovered cases of systematic long-term abuse".
Risks to information security in consumer businesses:
- 91% of consumer businesses had at least one security breach in the past year
- 48% believe social engineering will continue to be the major threat to infosecurity
- 98% of firms have third parties that can access their data
- 57% do not audit their third-party partners' infosecurity after the initial investigation
- 74% do not have defined infosecurity training and awareness schemes
- 43% do not have a formal infosecurity strategy
Threats to information security in consumer businesses:
- Social engineering
- Theft or leakage of internal data
- Employee conduct
- Virus/worm outbreaks
- Weak passwords
Source: Deloittes Consumer Business Security Survey 2009