Today most people equate a data breach with the theft of personal identification, health or financial data—credit card numbers, banking details, social security numbers and more. No doubt this has been a profitable and common focus for cybercriminals. Such data are easily monetized, and a sizable dark market exists for selling them.
For many companies, however, the theft of intellectual property (IP) is the top concern. Although there is little news coverage of such activity, it is frighteningly common. There is no standard or expectation to divulge this type of crime to the public, unless it is a material event for a public company, and even then the notification practices are murky. Most companies would prefer to keep it under wraps.
“We tend to hear so much about identity theft in data breaches, and that’s because that’s what the data breach notification laws require,” said Edward McAndrew, assistant U.S. attorney and cybercrime coordinator at the U.S. Attorney’s Office, in a recent interview. What we don’t hear about is the “…daily digital looting of organizations that you don’t necessarily see the injury of day one or day two, but years down the road.”
Corporate espionage is widespread, and companies are victimized every day. There is a burgeoning world commerce based on stolen or copied intellectual property, ranging from defense equipment to computer software, communications equipment and drug designs. A 60 Minutes segment called “The Great Train Robbery” aired on January 17 and provided a frank and horrifying peek into the world of IP theft. While some theft comes from reverse engineering, a growing amount is the result of cybercrime. The cost to American companies has been hundreds of billions of dollars and the loss of more than two million jobs, according to 60 Minutes.
Despite such devastating results, most enterprises are hardly better off in protecting themselves from the threat of a cyberheist of their IP today than they were 10 years ago. The issue is that companies still mostly rely on preventative security, such as firewalls, antivirus, intrusion prevention systems and “sand-boxing”.
Preventative security is still essential, but it will not keep out 100% of attacks. Eventually a motivated cybercriminal will get through, and then the challenge is to detect an active attacker on your network before they have a chance to steal your valuable assets. Unfortunately, only a small number of companies currently have the ability to spot an active attack, and the result is that attackers have months in which to perpetrate their attack. New procedures and technologies such as Behavioral Attack Detection have shown considerable promise in finding these attackers, but most companies don’t yet know about them. Finding an attacker who has gained a foothold in the network before they’ve managed to steal IP is critical. Once the secrets are gone, there is little recourse for protecting them when most of the perpetrators are oceans away.
An even more insidious IP threat is looming. Instead of the outright theft of trade secrets, cybercriminals can potentially access a software-based product and create a backdoor, or ticking time bomb, that they can use for extortion or theft that is orders of magnitude greater than identity details. Back in 2004, Microsoft Windows 2000 source code was obtained from a Microsoft partner and leaked out broadly. The scenario could have turned out differently: a cybercriminal could have secretly gained direct access to the source code and modified it. In 2011, perpetrators accessed technology for RSA’s SecurID two-factor authentication product. Again, an unthinkable disaster was averted, but it doesn’t take much imagination to consider what could have been. These attacks have also been seen to succeed. In 2014, a string of compromises of European financial institutions enabled cyber attackers to implant code they later used to steal hundreds of millions of dollars from banks and ATMs.
It’s time for companies to stop being sitting cyber ducks. Companies need to protect their assets from cyber theft. They owe it to their employees, shareholders or investors, customers and partners. Don’t rely on the same failed security practices that have made the “standard” dwell time more than six months. Bring on the means to effectively detect an active attacker before damage can occur.
Here’s a video interview with the head of IT from one tech company that can effectively protect their IP.