For cyber criminals, corporate intellectual property (IP) tops the most wanted list, with attackers using techniques associated with advanced persistent threats, according to Charlie Stewart, director at SuperVision Biometric Systems.
Stewart believes attackers are not looking to grab just anything they come across, but IP and corporate secrets in particular.
Ernst & Young, in its report 'Insights on IT risk: Countering cyber attacks', says IP is “the most sought-after data type for attackers using techniques associated with persistent threats, whether it is protected formulae, seismic research data, technology designs, unreleased movies or music, or proprietary engineering schematics and designs”.
Stewart sees this as particularly worrying for corporate SA, where economic crime is rampant and most of it is committed by insiders.
“This isn't an amateur hacker trying to get hold of relatively low-value credit card data or an accounts clerk making fraudulent EFT payments. These are sophisticated, organised and determined attempts to steal much more valuable data - corporate IP,” says Stewart.
Forrester Consulting for SA and Microsoft, in their joint 'Value of corporate secrets' report in March, refer to secrets as information that confers long-term competitive advantage, such as product plans, earnings forecasts and trade secrets.
The report defines custodial data as information that companies are compelled to protect by regulations - typically personal and identity information such as that relating to credit cards.
“For example, financial services companies such as banks, medical schemes and insurers will have lots of personal info about you and they are increasingly required to provide for its security,” he explains.
However, he notes these companies also hold sensitive data that does not relate directly to individuals, including financial forecasts and earnings reports; product development plans; marketing strategies and associated research; pricing, margin and discounting policies; procurement and supplier information; and plans for expansion, mergers and acquisitions.
“But many companies hold little, if any, custodial data. A large mining, IT or pharmaceutical company is unlikely to keep much custodial data simply because they don't deal with individual consumers - their markets are often only other companies. But they will certainly have sensitive and proprietary information that underpins their competitive advantage,” says Stewart.
Describing the commercial effects of losing one's knowledge base, Stewart gives the example of the UK Financial Services Authority, which fined Zurich Insurance a record £2 275 000 (R24 960 909) in August this year after a back-up tape containing personal details of 46 000 policy holders was lost a year ago by the South African branch of the company.
The tape had personal information on general insurance customers, including identity details and some bank and credit card information.
“One implication of the fine is clear: lose that type of custodial data and it's going to cost you £50 per record in regulatory fines.
“But, what would Zurich have lost if a competitor acquired the data and then successfully sold its services to each and every one of the clients on the tape? The loss of 46 000 customers is far more significant than losing information about them. It's not a refined argument, but it does illustrate how the value of data can change according to who gets their hands on it,” says Stewart.
He adds the use of stolen access credentials is the top hacking method in data breaches. “Passwords are the number one usual suspect in IT-based crime. They are so frequently abused by insiders and outsiders because they are so simple to abuse.
“Any IT access credential based on cards, PINs or passwords is inherently insecure because they are all routinely lost, forgotten, shared, stolen and cracked,” he concludes.