20 April 2009
As the world faces the economic meltdown and deals with its impact, it is vital for businesses to protect their critical information assets like intellectual property (IP) and sensitive data.

This is because a single breach or loss can cause irreparable financial damage to a company's reputation, its share price and customer confidence. It's a risk that businesses can't afford to take, particularly in the current climate.

A recent report by McAfee, titled "Unsecured Economies, Protecting Vital Information", which was released to Emirates Business, reveals that the companies surveyed by the computer security company estimated that they lost an average of $4.6 million (Dh16.89m) worth of intellectual property per firm in 2008 due to security breaches.

This ranged from a low of $375,000 in the UK to a high of $7.2m in China. The financial services industry suffered the highest losses with a $5.3m per firm loss, followed by product development and manufacturing with a $4.6m per firm loss in the past year. The total loss of intellectual property among respondents during the last 12 months, excluding losses due to piracy, totalled $559m. According to the respondents surveyed by McAfee, it costs an average of almost $600,000 per firm to respond to each security breach concerning the loss of vital information such as intellectual property, and that number is expected to rise as the global recession drags on. This figure reflects only the cost of cleanup, such as legal fees and victim notifications, not prevention and detection.

Greg Day, EMEA Security Analyst, McAfee Avert Labs, told Emirates Business: "At any time, but particularly in recessionary times, it is critical for companies to be diligent about intellectual property and valuable customer, citizen, or other corporate information. Companies may feel they are hurting now, but if a breach of any magnitude is suffered, it will only cost companies more at a time when they least need the additional costs."

The report revealed that respondents worried more about the damage that leakage or loss of vital information would do to their company's reputation than about the financial impact. Fifty per cent of respondents said they worried more about the impact of data loss on reputation than about the economic (33 per cent) and the regulatory (16 per cent) impact.

Forty-two per cent said recently redundant employees posed the single biggest threat to their intellectual property and other sensitive data in the current economic climate, as intellectual property and sensitive data have become a premium currency for financially desperate or laid-off employees.

Day said: "According to a McAfee datagate report completed several years ago, more than half of employees take data with them when they leave. For many it can be seen as a differentiator to help get their next job. As we utilise technology more, the value of data is only increasing.

"Insider threats will still be a concern, and mass redundancies will incite a percentage of previously loyal employees to look at criminal activity. These economic realities could tempt an increasing number of financially strapped and laid-off employees to use their corporate data access to steal vital information. After all, who knows better where the goods are and how to get them than people with some connection to the organisation?"

Sixty-eight per cent of the respondents surveyed by McAfee cited "insider threat" as the top threat to vital information. This was above patching vulnerabilities (51 per cent), cyber-terrorism (38 per cent) and industrial espionage (36 per cent). Forty-two per cent of respondents said laid-off employees are the biggest threat caused by the economic downturn, followed by outside data thieves (39 per cent). Thirty-six per cent were worried about the security threat from financially strapped employees.

According to the report, cybercriminals also see this vital information as a high-value commodity and are devising increasingly devious ways to infiltrate companies through their employees. China, Russia and Pakistan are emerging as clear sources of threats to vital corporate data.

Day said: "Cyber-criminals see IP as a high value commodity because it's very transportable, through technology and human error, an easy target and can be sold on the black markets for huge returns.

"Cyber thieves have expanded their activities beyond basic hacking and stealing of credit card data and personal credentials. Their emerging target is IP. Why sink all that time and money into research and development when you can just steal it?

"Credit card fraud and identity theft have moved into the so-called 'cash cow' phase of criminal strategy. In other words, it's a source of revenue, but there's not much room for growth, so criminals are looking for the new stars of their portfolios."

According to Day, businesses need to shift their mindsets in the way they value and protect IP. The key issue is that the problem is only going to grow. There are commonalities with IT security in terms of balancing risk against the investment needed to protect. However, the volume and fluidity of data present a seemingly mammoth task for most. Businesses need to start tackling this problem today. That requires IT security to work closely with the business on their own data classification, to understand just what their data is worth and which parts they should focus their attention on.

"As cybercriminals realise just how valuable corporate information can be, they will push harder and harder against known vulnerabilities. Globally, the nature and sophistication of the attacks are evolving. This corresponds with the finding that patching vulnerabilities was the second biggest concern among respondents," he said.

According to McAfee, companies in the Middle East are as vulnerable to losing their IP as those in any other country. Day said: "Every business must understand what data they have, where it is stored and how, where and why it is used. From this they can see if the correct controls are in place to protect it. However, just as important is the ability to deal with a data breach if and when it occurs. From our research, we found different countries were perceived to have abilities to respond to incidents.

"In the Middle East specifically, our 'Unsecured Economies' report highlighted businesses perceived a lack of co-operation when tackling data breaches. In other countries cost, relevant legislation, or negative publicity can mean breaches are not pursued correctly. Companies in the Middle East must understand both the local controls to protect against and recover from data loss but also those of the countries they do business and share data in.

"Despite this concern, many companies are leaving themselves open to exploitation and attack because they don't realise the value and location of their intellectual property. Some of that property is stored in Microsoft Word and Adobe Acrobat PDF documents, Microsoft PowerPoint presentations and other media formats."

The study also highlights the concern about existing employees who may, in the current financial climate, be more open to bribes etc. However, user error or user intent is still the most common reason for data loss, which must be combated through both education and the correct controls.

Findings from the McAfee study reveal that the global economic crisis is poised to create a "perfect information security storm".

How they steal your IP
For some time now, cybercriminals have been targeting executives using sophisticated techniques such as phishing. But phishing has now evolved from error-ridden fake emails to highly sophisticated and targeted "spear phishing" attacks, where even highly trained security professionals can have difficulty distinguishing a phishing email from a legitimate one. These attacks can be surprisingly effective. Spear phishing attacks are a weak point in many organisations' security programmes, as it is easy for busy executives to not pay close attention and accidentally give away user IDs and passwords in even poorly crafted attacks, let alone sophisticated ones.

How to deal with IP theft
Write concrete contracts with specific security requirements for outsourcers.

Enforce those requirements.

Know the country's laws and their ability to enforce such policies in time of breaches.

Invest in the right solutions to protect data, but also invest in the employees: retain sufficient staff who understand where the data is housed, how it is protected and how to respond in a time of a breach.

Protect accounts during layoffs to ensure that no one has access who is not on active payroll.

Increase staff awareness.

Enforce policies with employees, helping them to understand the criticality of safe business practices.

By Reena Amos Dyes 

© Emirates Business 24/7 2009