With many business processes now reliant on IT, and an increasing number of companies trading online, the majority of modern companies recognise the need to take IT security precautions. Particularly where consumer data is concerned – such as names, addresses and financial details – they go to great lengths to ensure maximum privacy, security and confidentiality. But in many cases, it appears, this is as far as their defences extend.
IT analyst Ovum has highlighted cyber espionage as a fast-growing problem in the business world, one which potentially threatens every company with a computer and internet connection. According to the firm, UK business leaders are simply not taking this danger seriously enough – effectively inviting hackers to get their hands on business-critical information. Despite the lengths they go to in concealing customer credit card numbers and banking details, companies are managing to leave corporate plans and proprietary information 'lying around' on their PCs and networks.
Ovum explained that cyber espionage is usually aimed at key individuals within an organisation, who are sent 'spear phishing' emails. These contain malicious links or attachments that infect their machines, allowing malware to identify assets, decrypt login details and steal target information. In the worst instances, entire company identities could fall into the wrong hands, facilitating corporate ID fraud.
Graham Titterington, principal analyst at Ovum, said the cyber espionage threat must be addressed by enterprises since it is "as relevant to them as it is to national security organisations". He called on firms to take additional steps to safeguard valuable information such as product and technology blueprints, customer lists, and information that could be used to embarrass or disadvantage them commercially. Otherwise, they could end up at the mercy of a malicious third party – someone happy to profit from their illegal activity.
"Almost every organisation has sensitive information that would damage it if it were to be leaked out," Mr Titterington wrote. "However, many have overlooked cyber espionage in their preoccupation with preventing the theft of financial data." The analyst said this needs to change quickly, for the sake of individual companies and UK business as a whole. "Enterprises need to wake up to the danger posed or risk losing valuable information and having to deal with the consequences," Mr Titterington stated.
So what steps can businesses take to defend against this heightened form of hacker activity? Ovum suggests that employee education, the restriction of sensitive information within internal operations, and additional vetting of individuals with a high level of security clearance can go some way to mitigate the risks. Businesses should also think about how best to protect data stored on third-party sites, and include mobile devices and removable media in their IT risk analysis. The more data a company stores, the greater the risk of falling victim to cyber espionage, Ovum said. "The increasing volume of data makes it harder to manage the entire data estate. It gives spies more potential targets to attack," Mr Titterington added. "At minimum, organisations should make more use of shared data infrastructure and services so individual users can be discouraged from creating their own copies."
The lack of precautionary action in this area is made all the more surprising by the fact that cyber espionage is hardly a new concern. As far back as January 2008, research analyst SANS Institute reported on a surge in business information fraud in the US. The firm ranked cyber espionage at number three in its 'Top Ten Cyber Menaces for 2008' chart, suggesting that the IT security industry was well aware of the dangers faced by businesses there and then.
At the time, the SANS Institute claimed that a significant proportion of cyber espionage activity was state-sponsored, with countries using data theft to seek economic advantage in multinational deals. This point may be unproven, but it is clear the risks affect both international corporations and smaller, localised businesses. Spear phishing with attachments was described as the "attack of choice" in the 2008 report – so little has changed in this respect in the last four years. Businesses were urged to be mindful of website, botnet, mobile phone and insider attacks – and take appropriate action to defend their corporate assets. But on the basis of Ovum's latest paper, all too few businesses have heeded the warning.