Economic espionage – also known as industrial espionage, corporate espionage and corporate spying – justifiably resides as the top concern of security professionals and persists across companies of all sizes. Whether a company’s knowledge assets or data on its personnel, the odds have long been that someone seeks proprietary information.Today, however, the information is more accessible, exists in various locations and available to devices via the internet. What has also changed is the migration of access to data as it no longer occurs for everyone from a computer terminal in an office. Data now resides in the cloud and may possibly be distributed across a myriad of electronic devices. Moreover, the adoption of mobile computing combined with the explosion of electronic devices has forged a Bring Your Own Device (BYOB) work model that has essentially extended the enterprise’s security perimeter to each employee’s phone providing assailants a greater surface to attack with an easier entrée given the vulnerabilities with smartphones. These devices that have more computing power than what powered a business 40 years ago have but a fraction of the protections. The abilities to access corporate systems, intercept inter-company correspondence, eavesdrop on sensitive conversations, track employees and store precious data now reside on smartphones and reside in nearly every employee’s hand with the first and often only guard of protection to something an enterprise values.
The U.S. Military and FBI categorize hacker motivations as MICE (Money, Ideology, Compromise and Ego) or MEECES (Money, Ego, Entertainment, Cause, Entrance to social groups and Status). In a survey of 634 IT security practitioners, eThis post expands on this “why” with who may behind an attack, what they may seek and how they may attack.
The number 1 “WHY” organizations are attacked– Economic espionage
The image below from “The Second Annual Cybersecurity Risk to Knowledge Assets” study by Kilpatrick Townsend and the Ponemon Institute depicts the attack motivation rankings of security professionals for 2016 and 2017.
As former FBI Director Robert Mueller cited in a 2012 address:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Who wants what data
In this context the awareness of the vulnerabilities an organization faces can reign supreme. Recognizing attackers, their motive, the information they seek, and their approach can aid dramatically in defending any company. Below is a non-exhaustive list of the types of attackers or information seekers who would want to spy on an organization and for what information:
- First and foremost: competitors. Whether it be customers, raw materials, formulas, business processes or talent, there undoubtedly exist organizations and individuals that not only would benefit from a business’s assets but would go so far as to break the law to obtain these assets. Insights and knowledge of an upcoming business transaction, a go-to-market strategy or a new formula are far less suspicious, significantly more valuable and much more difficult to prove wrong doing than the heist of equipment or theft of documents or cash. For an example of the extent to which an organization would go, take a read on the recent allegations against Uber as noted in this USA Today article.
- Another set of adversaries to consider: nation-states. They may range from smaller countries lacking the foundational elements for technical innovation to world powers like China or Russia. The nation-states target private organizations for intellectual property to empower their national corporations and military as well as strengthen their economies. As recently reported in The Hill, the U.S. Department of Justice disclosed details of an Iranian espionage campaign targeted at universities and private businesses in addition to government agencies.
- A third and far less suspecting category: technology firms. The saying goes “Google knows more about you than you” and this may very well apply to any organization as well. It’s no secret that in addition to Google, Amazon and others who operate on information-based business models are enhancing their user interfaces to leverage audio and video to capture even more data in order to maintain their market share and find new revenue sources. Aggregating the daily activities and information on a workforce is not only at a technology firm’s fingertips but empirical to their evolution as they leverage machine learning and artificial intelligence of that data to build new offerings and potentially undermine advertising spends or drive up their rates. While companies through their users consent to the terms of use of these sites and their services, the caution lies in that the user of potential audio services require constant access to microphones which could potentially expose sensitive or confidential discussions.
How does Economic espionage occur?
Attackers undermine the security of an enterprise and spy on corporate activities or access knowledge assets in a number of ways. Traditional routes include hacking through an enterprise network or into a server program. With advances in data security, attackers today are turning to brute force, phishing, smishing and social engineering to get access to corporate systems through credential fraud. The 2017 Verizon Data Breach Investigations Report revealed sixty-two percent of all attacks involved hacking; and 81% of those leveraged either stolen and/or weak passwords. With the prevalence of mobile devices, consider the user’s smartphone as the primary attack vector on an enterprise. Attacks on smartphones span from exposures in mobile apps and operating systems to vulnerabilities in chipsets so that practically any connected computing device is susceptible – giving deeper gravitas to Comey’s 2012 statement. Only through a hardware root of trust and robust smartphone security for enterprise can a business operate and process information with confidence and peace of mind.
In closing, a company’s users undoubtedly have insights or access to corporate information that someone wants. Protecting those assets from attackers may begin with data servers and networks but ultimately ends with the users who become easier prey as their mobile devices become richer targets. For more insight on the challenges download our Mobile Espionage white paper.
Read more about how Privoro can enhance your mobile security posture with SafeCase, our high-security, intelligent and modular platform for iPhone.