PWC warns of cyber-espionage risks

According to a new report, small companies may not be prepared to tackle cyber-espionage risks.

Cyber-espionage is a growing problem and is no longer confined to governments and large international companies, according to a new report from PricewaterhouseCoopers (PWC) Inc.

"There is an elevated risk, even for smaller companies, that they may become a potential target," said William Beer, a director in PWC's risk assurance services group and co-author of the report.

The report offers no new evidence of its own; instead it assembles recent material from a number of sources to show what it sees as a growing danger.

For instance, it notes that in late 2007 the head of MI5, the UK's domestic security and intelligence agency, sent a confidential letter to 300 U.K. business leaders at banks, accountancy firms and law firms, warning them of a coordinated, Web-based cyber-espionage campaign against the U.K. economy.

The report also cited that in November 2008, the U.K. Cabinet Office published the first National Risk Register, showing the likelihood and impact of various threats, from flu pandemics to attacks on crowded places. Included in the list was the risk of electronic attacks, which were seen as highly likely to occur, although of lower impact to the country as a whole.

The PWC cyber-espionage, or e-espionage, research also pointed to a March 2009 report from the University of Cambridge called "The Snooping Dragon: Social-malware Surveillance of the Tibetan Movement," which concluded: "What Chinese spooks did in 2008, Russian crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course." The warning refers to social-malware attacks, in which an attacker outside the organisation tricks a user into running malicious code that then allows the attacker to spy on that user's machine.

The Snooping Dragon report also warned: "Social malware [using email lures to get people to visit bogus websites that serve malicious code] is unlikely to remain a tool of governments. Certainly organisations of interest to governments should take proper precautions now, but other firms had better start to think about what it will mean for them when social-malware attacks become widespread."

In early 2009, the Canada-based research project, Information Warfare Monitor, published a report titled "Tracking GhostNet: Investigating a Cyber Espionage Network," which detailed the findings of a 10-month investigation into a global electronic spy network that had infiltrated computers in various government offices around the world. The report said the network used malware to compromise 1,295 computers in 103 countries, including systems belonging to foreign ministries and embassies and those linked with the Dalai Lama.

PWC's Beer said senior management needs to take security more seriously, especially since the rise in espionage coincides with a general rise in fraud caused by the economic downturn.

"Part of the challenge is that whenever senior managers hear about anything with 'cyber' or 'e' in it, they see it as an IT problem and delegate down," he said. "It requires more focus and a wider approach than just IT. Technology is the instrument that is used, but we need much better governance to try to provide a better assurance that these problems are not going to occur."

Beer said that in PWC's latest global research into security awareness, which questioned 7,000 senior managers in 119 countries, 35% admitted they had no idea how many security incidents had occurred in their own organisations.

PWC has compiled a checklist of questions to help companies assess and tackle e-espionage risks:

  1. Do you know the scale, number, nature and source of the incidents you have suffered to date?
  2. Have you clearly identified your business's most valuable assets and which ones are most at risk from attack?
  3. What would be the business impact of information/assets being stolen or compromised?
  4. What is your strategy to manage, mitigate and minimise this risk?
  5. Do you discuss this risk with investors and in the Annual Report?
  6. What processes and technologies have you put in place to execute your security strategy?
  7. What investment are you making to put these in place and ensure they remain effective?
  8. How often do you reassess the risk and the strategy to manage it?
  9. What new threats to your business are emerging in the e-espionage arena?
  10. Have you educated and trained your staff to recognise and respond to the issue?
