According to a new report from PriceWaterhouseCoopers (PWC) Inc., cyber-espionage is a growing problem and is no longer restricted to governments and large international companies.
"There is an elevated risk, even for smaller companies, that they may become a potential target," said William Beer, a director in PWC's risk assurance services group and co-author of the report.
While not coming up with any new evidence to support the claims, the report assembles recent material from a number of sources to indicate what it sees as a growing danger.
For instance, it mentions that in late 2007, the head of MI5, the London-based security intelligence agency, sent a confidential letter to 300 U.K. business leaders at banks, accountants and legal firms, warning them of a coordinated, Web-based cyber-espionage campaign against the U.K. economy.
The report also noted that in November 2008, the U.K. Cabinet Office published the first National Risk Register, showing the likelihood and impact of various threats, from flu pandemics to attacks on crowded places. Included in the list was the risk of electronic attacks, which were seen as highly likely to occur, although of lower impact to the country as a whole.
The PWC cyber-espionage, or e-espionage, research also pointed out a March 2009 report from the University of Cambridge called "The Snooping Dragon: Social-malware Surveillance of the Tibetan Movement," which concluded: "What Chinese spooks did in 2008, Russian crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course," referring to possible external social-malware attacks that could allow malicious hackers to spy on users' machines.
The 'snooping dragon' report also warned: "Social malware [using email lures to get people to visit bogus websites that serve malicious code] is unlikely to remain a tool of governments. Certainly organisations of interest to governments should take proper precautions now, but other firms had better start to think about what it will mean for them when social-malware attacks become widespread."
In early 2009, the Canada-based research project, Information Warfare Monitor, published a report titled "Tracking GhostNet: Investigating a Cyber Espionage Network," which detailed the findings of a 10-month investigation into a global electronic spy network that had infiltrated computers in various government offices around the world. The report said the network used malware to compromise 1,295 computers in 103 countries, including systems belonging to foreign ministries and embassies and those linked with the Dalai Lama.
PWC's Beer said senior management needs to take security more seriously, especially since the rise in espionage coincides with a general rise in fraud caused by the economic downturn.
"Part of the challenge is that whenever senior managers hear about anything with 'cyber' or 'e' in it, they see it as an IT problem and delegate down," he said. "It requires more focus and a wider approach than just IT. Technology is the instrument that is used, but we need much better governance to try to provide a better assurance that these problems are not going to occur."
Beer said that in PWC's latest global research into security awareness, which questioned 7,000 senior managers from 119 countries, 35% admitted they had no idea how many security incidents had occurred in their own organisations.
PWC has compiled a checklist of questions to help companies assess and tackle e-espionage risks:
- Do you know the scale, number, nature and source of the incidents you have suffered to date?
- Have you clearly identified your business's most valuable assets and which ones are most at risk from attack?
- What would be the business impact of information/assets being stolen or compromised?
- What is your strategy to manage, mitigate and minimise this risk?
- Do you discuss this risk with investors and in the Annual Report?
- What processes and technologies have you put in place to execute your security strategy?
- What investment are you making to put these in place and ensure they remain effective?
- How often do you reassess the risk and the strategy to manage it?
- What new threats to your business are emerging in the e-espionage arena?
- Have you educated and trained your staff to recognise and respond to the issue?[1]
2 comments:
I think that as a first step we have to define what economic espionage is. Maybe it is obvious to people who work in the field of IT or law, but I think there are many companies that are not familiar with this concept and nobody clarifies for them what economic espionage is. Economic espionage means use of a stolen trade secret to benefit foreign powers or in commercial or economic trade. Those who commit economic espionage do so in order to gain and benefit from proprietary information developed by businesses. It is estimated that economic espionage has caused business losses in the trillions of dollars over the last decade alone.
I think top managers of the companies have to hire specialists in these fields who are familiar with these concepts and can help the company to prevent high costs.
To continue:
The company has to have some sense of who their competitors are and who might have an interest in their particular type of intellectual property and sensitive information. That is what is called a threat assessment, and companies need to have information security policies and protocols that are responsive to those threats. And when they do that, they need to look at how they handle the information and who has access to the information.