Valuable information

What's the most valuable information within an organisation? And what would be the impact on the stability and future success of the enterprise if it was stolen?

Such questions are becoming increasingly important for IT security, because corporate cyber crime is evolving. As cyber villains move up the data food chain, corporate secrets are becoming prime targets.

Commenting on the findings of Verizon's 2011 Data Breach Investigations Report, Dave Ostertag, global investigations manager at Verizon Business, said: “I think what we're seeing is that there's a big change in the type of data that criminals are going after.

Corporate secrets are the real mother lodes for cyber villains.

Mark Eardley is channel manager at SuperVision Biometric Systems.

“There's a glut of personal data out there now, and there really isn't a great market for it. The value of intellectual property, on the other hand, is much higher - criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information."

This message about the changing focus of cyber crime has been supported by research and commentary from a variety of sources. For example, the UK government published a report in February this year estimating that the cyber theft of corporate secrets cost UK companies £16.8 billion (R185 billion), accounting for almost 60% of the country's cyber crime losses in 2010.

The threat was also highlighted by a March 2011 survey from McAfee, which stated: “While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.”

There's also plenty of widely-reported evidence to illustrate the realities of the cyber threat to corporate secrets - so far in 2011, Morgan Stanley, the G20 summit, Lockheed Martin, the IMF, and RSA (EMC) have all been targeted for their secrets.

And during 2010, the corporate secrets of hundreds of organisations were the focus for two serial cyber attacks known as Operation Aurora and Night Dragon.

The mass cyber theft of customer data - such as those experienced recently by Sony, CitiGroup and CodeMasters - may hit headlines, but it would make sense that corporate secrets are the real mother lodes for cyber villains.

For many organisations, knowledge is not only power, it also represents the majority of their financial value.

Ocean Tomo, a US merchant bank, estimated that in 2009 the implied intangible asset value of the S&P 500 reached 81%, an all-time high since the firm began charting such values in 1975.

This means the market value of a cross-section of major US corporations comes far more from their intellectual assets than from, say, their property holdings or manufacturing plants.

James E Malackowski, Ocean Tomo's chairman, explains: “Within the last quarter century, the market value of the S&P 500 companies has deviated greatly from their book value. This 'value gap' indicates that physical and financial accountable assets reflected on a company's balance sheet comprises less than 20% of the true value of the average firm.”

But intellectual capital represents only part of the information that organisations seek to protect. The overall 'knowledge base' of confidential information is multi-faceted, and might cover production processes; R&D findings; source code; formulae; M&A activity; partnerships and alliances; product roll-outs; financing arrangements; contract bids and deal negotiations; pricing structures; legal data; financial forecasts and results; and strategic plans.

The cyber theft of corporate secrets is frequently associated with a form of cyber heists known as advanced persistent threats (APTs) - such as Operation Aurora and Night Dragon.

When victims speak of APTs they typically refer to them as being 'tenacious', 'sophisticated', 'determined', 'significant', 'accomplished', 'prolonged' and 'co-ordinated'.

This operative terminology also allows some IT security vendors to portray the threat as terminally damaging in an attempt to convince organisations that they must reinforce their protection against the uber-villains of cyber crime.

But the reality is perhaps a great deal different from the public announcements of cyber crime victims and the marketing speak of vendors.

Could it be that the purported nature of these cyber crimes is being used as a shield to conceal fundamental flaws in IT security?

Is the APT bogey-man being created by different masters - victims and vendors - in order to conceal the fact that most IT security is woefully inadequate and is, in fact, rotten at the core?

The cyber-targeting of corporate secrets typically features the exploitation of employees' passwords and PINs. And all passwords and PINs share three inherent security flaws: they are all routinely forgotten, shared and stolen.

There is nothing particularly advanced about stealing them and then using them to steal corporate secrets. After all, using someone else's password and PIN is no more complicated than using your own.

Cyber theft of intellectual capital may not be technically advanced or even particularly persistent, but that does not lessen the threat it poses.

In fact, quite the opposite is true: a dogged reliance on passwords and PINs as the protectors of intellectual capital is exposing many organisations to extraordinary risk - a risk that is potentially far more damaging than any other form of cyber crime.

Businessmen go down with their businesses because they like the old way so well they cannot bring themselves to change. Henry Ford said that. He also said if he had asked his customers what they wanted, they would have said a faster horse.

Which is pretty much where people are at with IT security: they want stronger passwords that get automatically changed lest they remember them, or two-factor authentication with PINs and one-time PINs - faster horses...

What is actually needed is a rapid, accurate, convenient and secure way to identify IT users and authorise their activities. And fingerprint biometrics can certainly give everybody that - as an advocate of biometrics, of course I'm bound to say that.

But the world of physical security long ago decided that access cards, PINs and passwords have to be replaced with biometrics, and there are now over 60 000 fingerprint scanners deployed across South Africa. Substantial investments in fingerprint-based security solutions are being made locally, because it's proven that they cut the losses caused by unauthorised access and activity.

Isn't that what IT security really wants, too?