Corporate Espionage and the New War on Privacy

Cybersecurity has reached a new level of national concern. The proposed 2017 budget rolled out by President Barack Obama allocates $19B to cybersecurity initiatives for the government and private sector. Last summer the FBI launched a nationwide campaign warning business leaders of the danger they face from foreign actors and of its aim to catch those actors in the act. Meanwhile, American technology firms and the U.S. Government have returned to old debates, once thought settled, over encryption, device access, and the role those two factors play in ensuring consumer privacy while simultaneously ensuring successful counterterrorism efforts.

For companies and governments protecting themselves from criminals engaged in the war on privacy and data, the unseen adversaries are guided by the goal of gaining intelligence for economic purposes. The effects of their digital attacks are often far more severe and damaging than people realize, costing the global economy over $500B annually. Unfortunately, despite corporate espionage being a question of national security, the U.S. Government needs to significantly improve its efforts to protect your industry.

Consider the following:

  • In June 2015, the attack on the U.S. Government’s own Office of Personnel Management compromised the social security numbers of 21.5 million Americans, 19.7 million of whom had requested background investigations for applications for federal employment and 1.8 million of whom were simply connected with applicants in the former group.
  • In February 2015, the attack on Anthem, the second-largest U.S. health insurer, compromised the personal information of 78.8 million customers and is expected to cost over $100M.
  • In 2014, the Home Depot attack, stemming from point-of-sale systems infected with malware posing as anti-virus software, affected 56 million customers and cost the company $33M.

These breaches, and others like them, have been disclosed by corporations because they were required to inform their customers. The number of breaches that are handled quietly, without disclosure, or have not yet even been discovered, is likely far greater.

What You Need to Know

Companies in developed nations are the principal targets of sophisticated digital crime, with the largest hits coming from intellectual property theft carried out by foreign governments or mercenary hackers. If your company is based in the United States, corporate espionage is a challenge you are already facing.

Illegal espionage is highly lucrative, with minimal risks posed for the perpetrators. While digital criminals are willing to go to some lengths in order to obtain proprietary information, they all too often have to do very little. They may stalk manufacturing sites, use disgruntled employees against you to steal and deliver information, or track executives’ movements online to lay malware traps for them. This means that the activities of your employees under your own roof, complicit or not, pose an increasingly significant risk. These types of attacks are discreet, custom built, well-funded and well-planned. You can’t see the attackers, and they don’t necessarily need physical access in order to get what they want.

Taking Action on Corporate and Individual Levels

At a company level there are actions you can take to protect your sensitive IP and your employees.

  1. The principle of least privilege. Employees should only be given the accesses and privileges necessary to complete their job. Privileges should be routinely audited to ensure an employee’s privilege set evolves and shrinks with their responsibilities.
  2. Layered security (aka: the onion model). Security systems are most effective when layered and isolated from one another. A firewall is a strong outer layer, but intelligent uses of isolated network areas coupled with least privilege access rights create robust security systems. Isolating local networks limits the damage that a successful attack can do, and can prevent a breach from spreading to other area networks within an organization. This minimizes cleanup costs, data theft, and system downtime.
  3. Multi-factor authentication. Reduce the chance of human error exposing your systems. Passwords can be phished or stolen. It’s unfortunately not uncommon to see passwords stored on sticky notes. Expanding authentication requirements to include not just what you know, but what you have, is always a good idea because it raises the bar for how much effort a criminal needs to go through to succeed.
  4. Education and cultural enforcement. Teach employees about best practices for password management, the security systems protecting them, social engineering tactics used by attackers, and your facility security. Let them know the limitations of your safeguards. Security tools can often appear intimidating and opaque at first — make them approachable.
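
The routine privilege audit from item 1, sketched as an added example that is not part of the original article. The role names, privilege names, sample grants and the 90-day idle threshold are all assumptions made up for illustration.

```python
from datetime import date

# Hypothetical role baselines: the privileges each role needs to do its job.
ROLE_BASELINE = {
    "engineer": {"vpn", "source_repo", "build_server"},
    "finance": {"vpn", "erp_ledger", "payroll_read"},
    "manager": {"vpn", "hr_reviews"},
}

# Constructed sample inventory: (employee, current role, privilege, last used).
GRANTS = [
    ("alice", "manager", "vpn", date(2016, 3, 1)),
    ("alice", "manager", "hr_reviews", date(2016, 2, 27)),
    ("alice", "manager", "source_repo", date(2015, 6, 10)),    # kept after a role change
    ("bob", "finance", "erp_ledger", date(2016, 3, 2)),
    ("bob", "finance", "payroll_read", date(2015, 9, 1)),      # in baseline, long unused
    ("carol", "engineer", "build_server", date(2016, 2, 20)),
    ("carol", "engineer", "payroll_read", date(2016, 2, 25)),  # outside role, in active use
]


def audit(grants, baseline, today, stale_days=90):
    """Return sorted (employee, privilege, action) findings.

    A privilege outside the employee's current role baseline is flagged for
    revocation even if it is in active use; a privilege inside the baseline
    that has sat idle longer than stale_days is flagged for review.
    """
    findings = []
    for user, role, priv, last_used in grants:
        idle = (today - last_used).days
        if priv not in baseline.get(role, set()):
            findings.append((user, priv, "revoke: outside role baseline"))
        elif idle > stale_days:
            findings.append((user, priv, "review: unused for %d days" % idle))
    return sorted(findings)


if __name__ == "__main__":
    for user, priv, action in audit(GRANTS, ROLE_BASELINE, date(2016, 3, 7)):
        print("%-6s %-13s %s" % (user, priv, action))
```

Running the audit on a schedule, and again whenever an employee changes role, is what lets a privilege set shrink along with responsibilities rather than only grow.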

What You Can Do on an Individual Level

  1. Everyone can be an attack vector. Be thoughtful about the networks you connect to. Wi-Fi networks at hotels, airports, coffee shops and conventions are all convenient, yet they’re also reliably targeted by attackers. If you must use them, encrypt and anonymize your traffic. Likewise, when communicating and collaborating with colleagues, ask yourself: how can I keep potentially dangerous files from moving into sensitive networks? Not all files should be downloaded.
  2. Encrypt before sending confidential information. Using PGP encryption is a safe and reliable way to ensure only the intended recipient can access sent material. If a server is compromised, encrypted data provides a final layer of protection after it has been stolen and is out on the black market.
  3. Use a password manager. Password managers enable you to easily use complex passwords unique to each login you need. Not only does a password manager make your life easier, it also readily permits logins that are demonstrably harder for a third party to brute force, with no additional burden on you. Use 20+ characters whenever possible.

While these actions are part of the security solution, they still leave a corporation vulnerable. Recent technology has emerged allowing companies to hide their networks in plain sight. Attackers need to find your networks and employees in the first place before they can begin researching how to break in. With that in mind, let’s add a sixth action you can take to protect your company.

Use ephemeral infrastructure (aka: hide that onion). The onion model provides interlocking layers of protection, which can make a security system much more robust and responsive. But a stationary security solution is still a static target, subject to scrutiny and analysis by attackers. New sophisticated ephemeral infrastructure shifts locations and destroys itself, enabling your networks, people, and communications to avoid detection with no downtime or increased IT burden. When you shift your organization’s infrastructure into an ephemeral infrastructure, hackers lose the benefit of time when planning an attack on your system, which, if anonymized properly and cycled regularly, they won’t ever find in the first place.

Above all, breaches, hacks, and other attacks are no longer a matter of “if” but “when.” Patchwork privacy doesn’t hold up over time. In today’s increasingly globalized economy, businesses that are able to safely and securely conduct sensitive business — and continuously assess and update company and individual protections — are the ones that will be thriving tomorrow.

Ethan Schmertzler