ZDNet UK



Countering corporate espionage

Sally Whittle, ZDNet.co.uk

Published: 07 Jan 2008 13:01 GMT


Corporate espionage costs the world's 1,000 largest companies in excess of $45bn (£22.8bn) every year, according to research from consulting firm PricewaterhouseCoopers.

However, smaller companies are also at risk, warned Toralv Dirro, a security strategist with McAfee. "What you need to know is that this is happening more than ever before, and on a bigger scale than ever before," he said. "Any business that derives competitive advantage from information should be concerned about this issue."

Dirro argued that corporate espionage has increased rapidly in the last decade, as more information is put onto corporate networks — and potentially within the reach of hackers. PricewaterhouseCoopers, for example, reported that losses from corporate espionage doubled between 1990 and 2000.

Corporate espionage can be defined as the theft of commercially valuable information. This may be the secret formulation of a new product but it could equally be the names and salaries of senior executives, or simply the date of your next marketing initiative.

It's difficult to know exactly how common corporate espionage is because most victims never report the attack to the police, fearful of the consequences of going public, said Paul King, a senior security adviser with Cisco. Moreover, many companies don't necessarily realise that they've been attacked if a hacker is sufficiently skilled. Cisco's security experts constantly scan the internet for reports of attacks on other organisations and assess the risk of similar attacks on their own company. "I think the best we can do is monitor our systems carefully and, if we hear of an attack on another organisation, ensure that it couldn't affect us," said King.

The question isn't whether you know you're vulnerable to corporate espionage, it's knowing how vulnerable you could be, said King. "I never ask why something would happen to us; I ask why it wouldn't," he said. "So, if your chief executive says he's not a victim of this stuff, how confident is he? And the only way to be really confident is to be looking hard for it."

The first step in protecting yourself from corporate espionage is to close the most obvious loopholes — those which can be exploited by hackers without even breaking the law. "We're seeing massive growth in Google hacking," said Rhodri Davies, a technical architect with security specialist Vistorm. "This is the process of using really smart Google searches to find information left open on web servers. It's unsportsmanlike, but definitely not illegal."


With Google hacking, hackers can routinely find information on projects and personnel and the file names of confidential documents, even if they cannot access the documents themselves. "You can easily automate searches, so that, if a document is online even briefly, you'll be emailed that search result," said Davies. The danger is that this information will then be used as the basis of an attack, enabling a hacker to pretend to be inside the company or to launch a social-engineering attack.

Security companies have seen a dramatic increase in "spear phishing", a highly targeted phishing attack where a single executive may receive an email that appears to be from an authorised partner or supplier, relating to a project that isn't widely known outside the company. "The usual trick with this sort of email is to encourage the user to open a file which will launch a Trojan, potentially giving someone access to the whole network," said Dirro. "We have been seeing an awful lot of these [attacks] in the last year or so."

How do you know if you have been a victim of corporate espionage? In many cases, you'll never know, said Dirro. "If it's a skilled hacker, they will have used Trojans to ensure the intrusion-detection system isn't triggered." Security experts recommend regularly conducting...
