Almost every organisation is being targeted by sophisticated malware attacks, McAfee study reveals

Almost every organisation is being targeted by sophisticated cyber attacks, a comprehensive study of a malware command and control centre has revealed.

Almost every organisation is being targeted by sophisticated cyber attacks, a comprehensive study of a malware command and control centre has revealed.

Researchers at security firm McAfee studied the logs of a targeted operation by a single nation state actor over a period of five years.

The operation targeted more than 70 global companies, governments and non-profit organisations in 14 countries, including the UK, making up more than 30 organisation types.

Researchers were surprised by the enormous diversity of the victim organisations, said Dmitri Alperovitch, vice-president of threat research at McAfee.

"Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm," he said.

According to Alperovitch, no organisation can ignore the threat of sophisticated intrusions reported at big companies such as Google, Lockheed Martin and RSA Security.

"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be shortly, with the great majority of the victims rarely discovering the intrusion or its impact," he said.

The McAfee report draws attention to the fact that there is no global overarching legislation or treaty on how to deal with computer-related crime, says Sam Jardine, associate in the technology group at international law firm Eversheds.

"As a result of this, extradition becomes a real issue and is often a political hot potato. You need look no further than the Gary McKinnon case which has polarised public opinion along David and Goliath lines," he said.

The UK's Computer Misuse Act 1990 creates several offences in connection with hacking, cracking and otherwise unlawfully accessing material stored on IT systems. It was updated in 2008 to keep step with increasingly novel ways of attacking IT systems.

"What is evident is that any entity storing data which is networked and ultimately accessible via the internet, needs to ensure the security of that data," said Jardine.

In the UK, where this includes personal data, all data controllers are required to comply with the Seventh Data Protection Principle of the Data Protection Act, which requires them to have in place appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.

In addition to fines of up to £500,000, the Information Commissioner's Office has renewed calls for prison sentences in cases of deliberate misuse of stolen data in the wake of the News of the World phone and computer hacking scandal.

Photo: Thinkstock

Read more on IT risk management