By Paul Mitchell.
In the last article, we began our examination of IP protection by providing a number of real-world examples, outlining how easily the security of actual companies (who shall remain nameless), had been breached and how easily highly sensitive information had been obtained.
We looked at who the most likely perpetrators of IP theft are within an organisation and some of the more obvious vulnerabilities that modern companies face – such as email, SMS messaging and social media. We finished by asking three simple questions that every company needs to consider in the modern age of 21st Century communication. Those were:
- Why do we not encrypt all our sensitive information and all communication surrounding it?
- What do we store?
- What do we need access to in both the short-, medium- and long-term?
To begin with, encryption is time-consuming, and problematic to implement and use. There is a very definite “pain factor” in use if an organisation insists on encrypting all communication. This is evidenced by the fact that many executives carry unencrypted sensitive documents rather than ensuring they only carry encrypted information.
Many electronic communications need to be retained for long periods of time, both for organisational use or to fulfil statutory requirements. Email is a prime example. Capture of communications data for retention must be complete and should be automated. Asking staff not to delete any of their emails for 10 years simply will not work.
And what about SMS? SMS “chatter” around the project and an accumulation of small amounts of intelligence/information contained in SMSs can alert other governments, or your corporate competitors, to your activities and successes. So, do you store this SMS traffic or do you leave it on a public server? Is the SMS traffic encrypted and can you search it to create an audit trail of information leakage?
Effective and comprehensive encryption and archiving goes a long way to solving many of the issues surrounding data vulnerability. Using a well-known, open encrypted communication format allows easy communication. Popular open formats are transparent and well studied by experts so that any security flaws are exposed, but access to the stored communications needs to be strictly controlled. If just any IT staff member can simply export all of the email and walk out with it without even leaving a trail, it makes any policy or encryption in transit system practically useless.
Public/private key cryptography provides a powerful encryption method for communication between parties. In this system, each user has a matched pair of keys: a public key and a private key. The users share their public keys with each other, or obtain them from a centralised system. To communicate, the sender encrypts their communication with the intended recipients public key. Only the recipient’s private key can be used to decrypt the communication. From a user’s perspective, this process is automated and managed by the corporate IT department.
A complete archive of emails, documents and SMS traffic, with appropriate access permissions, can allow users to access the archive securely over the internet. They can then delete communications from notebooks and other portable devices which could be lost or stolen. An electronic permissions system is needed to control who has access to what is stored information. Permissions need to be changeable over time. For example, new staff joining a sales unit may need access to previous sales related communications. An audit trail must be kept so that even authorised personnel and their access to the stored communications are recorded. An authorised person has access to communications and information stored for legitimate purposes but should not be using their access for personal or other purposes that are not aligned to the organisation.
Police departments throughout Australia have made it illegal for members to access information about cases on which they are not directly involved. This is to prevent sensitive information being leaked.
Does your Corporation have a “clean device” policy? Does your corporation or government department maintain an audit trail of access to all sensitive/secret IP, communications and/or research? This should also include Board papers and decisions.
So who is at risk? The internet is full of lists relating to incidents of data theft and its impact on the company, government or individual. What is not disputed is that the theft of IP, business sensitive information and client details, is costing the economy billions of dollars annually.
In September 2013, British police arrested eight people that had criminally infiltrated the computer system of the branch of Barclays bank and stole £1.3 million. One month later, they arrested 12 people who were in the final stages of stealing millions of pounds via online intrusion from a branch of Santander UK.
In May of 2013, Reuters reported the arrest in New York of a global cyber crime ring who had stolen US$45 million from two Middle Eastern banks by hacking into credit card processing and withdrawing money from ATMs in 27 different countries. The sophistication and speed of cyber crime almost defies description. In just over 10 hours, US$40 million was taken from ATMs in 24 countries involving 36,000 transactions. And banks and financial institutions are not the main targets of cyber crime. The healthcare industry is. However, no industry is immune and where there is value there is someone wanting to take an unfair advantage by stealing valuable IP and business sensitive information.
There is much discussion about trends relating to data being breached and since Wikileaks there has been not only an increased interest in prevention but also increased analysis of what is considered of value. A corporation’s business security planning system should include a risk analysis to ensure that you are considering the corporate exposure to data theft and the impact it would have on your business.
To conduct a risk analysis:
Identify what data you have.
Whether it is business data or customer data, whether financial, personal, or operational, its loss or compromise could be a huge impost on both the business and the personal. I am reminded of a small company operating in a highly lucrative contractual relationship with government. They only accepted a small number of contracts each year and were, financially, very successful. Three years ago they suddenly started to lose every single tender that they entered into. They simply could not work out why they had gone from success to disaster in such a short period of time. That was until they discovered that their system had been hacked by their main competitor. All sensitive commercial information, including tender documents, had been exposed to the unfair gaze of a ruthless competitor. They were fortunate. They and the authorities were able to prove the breach and the culprit. Their business is now back on a level playing field but they have lost three years of income. For most companies, that would be a disaster and it has certainly made their life tough, but they will recover and go on.
Identify how critical the information is to your business.
Data collected from customers may be particularly sensitive – credit card details, personal addresses and phone numbers in the case of a retail company, or a client’s IP and top-secret information in the case of a company working as a consultant or adviser. For this, read lawyers, accountants, trade advisers or bankers. Your business has a legal responsibility regarding client details and certainly a legal responsibility for the protection of IP entrusted to you.
Identify the impact on your business if the data is stolen.
An accurate assessment of compliance, regulatory and legal responsibility needs to be accurately assessed and valued. What would it cost to compete against a competitor that had paid no research cost to develop an identical product/service? Where would your price point have to go in order to compete?
Identify how your data is currently stored.
Who has access to your IP/data/communications, both physically and electronically. Do you have an identifiable audit trail?
Identify how and when your information is used in day-to-day operations and by whom.
You must control access to your computers and data. To achieve this, you should:
- Only provide access to your computer network and sensitive information to those that need it to do their job. In today’s business world most people need access to the network but you can reduce, to a very small number, the people who need access to your IP or client information. The segregation of IP and sensitive information is facilitated by effective identification staff roles and responsibilities.
- Create individual user accounts for all staff members. Using separate accounts will allow you to control who has access to your business data. This will allow you to manage what level of access everyone has and potentially monitor transfer of information by stand-alone external media or email.
- Not allow anyone to install software onto a company owned device or network. If an employee is required to install or manage software, they should be given two accounts. One as admin and one personal. Use of the administrator account for anything, other than tasks requiring administrator privileges, should be grounds for dismissal. All use of administrator privileges by anyone in the company, including executives and board members, should the routinely audited.
- Develop and implement information access and use policy and procedure. This should include who can access business owned hardware.
- Decide how confidential information should be treated including restrictions and processes regarding email.
- Use passwords and ensure that they are secure. How are your passwords created, how often are they changed, who is responsible for changing the password, do you use individual passwords for multiple devices, etc. These are all things you need to decide.
- Restrict the installation of programs and software.
- Develop policies around the use of remote access, especially by executive team members accessing sensitive archived documents and emails.
- Secure corporate data in the employee’s home.
- Put in place restrictions regarding the storing personal files on company hardware.
- Outline your clear and robust expectation of compliance with security measures, especially at Executive and Board level with a clear outline of the consequences of non-compliance.
Too many networks, both corporate and government, are designed to block intruders attempting to gain access from the outside but do not do anywhere near enough to catch people stealing data from the inside. The reasons that people steal IP and/or sensitive data are many, but include financial gain or from a feeling of revenge due to dismissal, passing over for promotion or failing to gain a pay rise.
Networks are notoriously difficult to get into from the outside but once in, an experienced intruder can usually move around with impunity. Snowden used passwords of other employees to hack firewalls and gain access. A holistic audit process of access to sensitive data and IP is a must if you are going to avoid the vulnerabilities and risks accepted as inevitable by others.
This year, PWC were commissioned by the UK Department for Business Innovation to conduct a security breaches survey. Their survey found that:
- 78 per cent of large organisations were attacked by an unauthorised outsider in the last 12 months
- 39 per cent of large organisations were hit by denial of service attacks in the last year
- 20per cent of large organisations detected that outsiders had successfully penetrated their network in the last year
- 14 per cent of large organisations know that outsiders have stolen their IP or confidential data in the last year.
They also reported that staff members play a key role in many breaches. Serious security breaches are often due to multiple failures in technology, processes and people.
Increasingly, as I service my clients, the discussion turns to IP and sensitive information protection, prevention of compromise to senior executives, and the protection of shareholder value. Internally, they discuss developing resilience in regard to these modern day threats. Insurance will go a part of the way to taking away the pain of failure to prevent or detect criminal activity. But how do you explain to an executive’s family that the electronic communication trail allowed him to be kidnapped? How do you explain to the shareholders the loss of half a billion dollars worth of research? How do you compete against someone who is selling an identical product into the market without having had all the costs of research and development? If we accept that it is inevitable that others will attempt to take what is ours, is it not smart that we put in place procedures that make it very difficult for them to succeed?
It was this reality that forced me, on behalf of my clients, to look around at what others were doing. In the process of looking around, I found that one of the largest companies in the world was using a uniquely Australian solution to the problem of protecting electronic documents and communication. Like most in their industry, they were convinced the solution would be difficult. They were amazed to find it was quite simple. For three years they have used this Communications Security Risk Management Solution. They have had it audited by one of the world’s smartest accounting firms and they feel they have a competitive advantage over others in their industry because their information and IP is now secure. They also have a competitive advantage because the cost of compliance is far lower than what it once was. They report: the product sits alongside their existing infrastructure, it is easy and non-disruptive and interfaces with the mobile devices of their executive and management teams.
But most importantly:
- they can search their archives without unencrypting or compromising security
- there is a clearly defined audit trail by user, transaction, etc.
- it authenticates both the sender and receiver
- it prevents repudiation after transmission
- it is capable of user-defined alerts, keyword and subject defined alerts
- it has the capability for both scheduled and on demand reports.
So there is a solution out there and I am sure there are proprietary solutions in some of our major corporations. Are corporations and governments focussed on a solution? I am sure they are beginning to, but I am also very convinced that some of this has been put in the “too hard basket”. It is, after all, an IT problem. Is it not? Is the corporate world and government doing enough? Clearly not or the bad guys would not be winning this war of “who owns what and at what cost?”
My thanks to the Coolrock Team in Australia, for information on what is required as a solution to this global problem.
Paul Mitchell is Managing Director of GlobalEdge, an Australian and UK based Company providing State of the Art Training Programs relating to Executive Personal Safety, Security and Risk Assessment in hostile environments, either at home or abroad. Global Edge also provide high-level training programs for the military and police in highly specialised areas of training
Paul can be contacted on +61 433 349809 or by email at paul@globaledge.net.au
Bibliography
2013 information Security breaches survey. UK Department for business innovation and skills.
Security threat report volume 17, Symantec.
The billion dollar lost laptop study. Ponemon Institute and Intel.
2011 Cost of a data breach. United States. Symantec and Ponemon Institute.
Behavioural risk indicators of malicious insider IP theft. Eric D Shaw Ph.D. December 2011.