Worry more about the cubicle dweller and less about the Chinese hacker

When The Wall Street Journal and other newspapers announced at the end of January that they had been the victim of Chinese hacking operations, it was big news.

The headlines were soon followed by an attention-grabbing report from the cyber security company Mandiant identifying a Chinese military unit as a major source of numerous intrusions into U.S. business networks. Since then there has been a lot of fevered discussion, generally focusing on the formidable skills of Chinese hackers.

These discussions are missing a larger point: China's cyber surveillance abilities are significant, but overseas hackers are not the biggest threat to U.S. businesses. Insiders are.

Case in point: The intrusions at The Journal and other papers, in which foreign attackers penetrate a network and stay there for long periods of time, are old news in the cyber security community. For years, leading experts have known about this type of intrusion, often referred to as the advanced persistent threat. APT operators use zero-day exploits (attacks on vulnerabilities for which no patch yet exists) and custom malware that signature-based tools have never seen, making detection by conventional means extremely difficult.

But APTs are not involved in the vast majority of cyber theft incidents involving trade secrets and other proprietary data. Instead, these thefts are perpetrated by people employed within the organization. These insiders do not need to break in; they abuse the access they already hold, for financial gain, on behalf of a foreign government, or for reasons of their own.

Just ask Dow Chemical, Motorola, Rockwell, Boeing and DuPont – all of whom have recently seen former employees sentenced to prison terms for stealing valuable, proprietary data, and selling it to foreign governments. And this is only a partial list.

Make no mistake, APTs and outside hackers are a serious threat to trade secrets and proprietary data, but more than two-thirds of all cyber cases involving theft of intellectual property are carried out by company insiders, according to Verizon's most recent "Data Breach Investigations Report."

The headlines may not be as sexy, but the problems are worse and more widespread.

Moreover, when there is intentional and malicious destruction of data, a corporate insider – not a hacker – is most typically responsible. Whether driven by opportunism, greed, a desire for revenge, or a combination of all three, insiders exploit their positions of trust to obtain access to their organization's most valued digital assets. Moles, opportunists, contractors, disgruntled employees – all currently pose a greater risk to corporate intellectual property than state-sponsored hacking and APTs, both in frequency and in damage caused.

Corporations, including newspapers, can take steps to reduce the risk of insider cyber theft. The list of network security measures is long, from monitoring of activity on internal corporate networks (who accessed which data, when, and in what volume) to strict access controls that limit each employee to the data his or her role actually requires.

But prevention measures alone won't eliminate insider cyber theft. Deterrence must also come from effective investigation and enforcement. When confronted with suspicious activity, organizations can't be reluctant to green-light the arduous yet critical work of forensically analyzing a suspect's computer and mobile devices, reconstructing his or her every move on the corporate network from the logs, and interviewing key witnesses.
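The internal monitoring mentioned above, and the later reconstruction of a suspect's activity from network and file-server records, both start with the same raw material: access logs. The following Python script is an added example, not code from the article or from SC Media, of the kind of baseline check a security team can run over file-share audit logs to surface an insider who starts pulling data outside his or her normal pattern. The log format, the sample lines, the business-hours window and the threshold factors are all assumptions; real deployments would read from the file server's or DLP tool's own audit trail and tune the thresholds to the organization.

```python
"""Flag anomalous internal file-share access from audit-log lines.

Added example (not from the article). For each user it builds a baseline
from all days before the most recent one (bytes read, distinct files,
top-level directories touched) and compares the latest day against it,
also counting after-hours reads. Log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp user action path bytes".
# bob normally reads sales spreadsheets during the day; on 2013-02-07 he
# reads engineering drawings late at night.
SAMPLE_LOG = """\
2013-02-04T09:12:01 alice READ /eng/specs/valve_v2.pdf 240000
2013-02-04T10:40:17 alice READ /eng/specs/seal_notes.docx 81000
2013-02-04T11:02:55 bob READ /sales/q1_forecast.xlsx 55000
2013-02-05T09:30:44 alice READ /eng/specs/valve_v2.pdf 240000
2013-02-05T14:05:09 bob READ /sales/pricing.xlsx 60000
2013-02-06T08:55:12 alice READ /eng/specs/bearing.pdf 150000
2013-02-06T16:20:30 bob READ /sales/q1_forecast.xlsx 55000
2013-02-07T09:10:00 alice READ /eng/specs/valve_v2.pdf 240000
2013-02-07T22:14:03 bob READ /eng/specs/valve_v2.pdf 240000
2013-02-07T22:15:48 bob READ /eng/specs/seal_notes.docx 81000
2013-02-07T22:17:21 bob READ /eng/specs/bearing.pdf 150000
2013-02-07T22:19:02 bob READ /eng/specs/pump_design.dwg 3200000
2013-02-07T22:25:40 bob READ /eng/specs/tolerances.xlsx 90000
"""

WORK_START, WORK_END = 7, 19   # assumed business hours, 07:00 to 19:00
VOLUME_FACTOR = 5.0            # assumed: flag if bytes > 5x the daily baseline
FILES_FACTOR = 3.0             # assumed: flag if distinct files > 3x the baseline
MIN_AFTER_HOURS = 3            # assumed: flag if at least 3 reads fall after hours


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, action, path, size)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path, int(size)))
    return events


def daily_stats(events):
    """Aggregate READ events per (user, date)."""
    stats = defaultdict(lambda: {"bytes": 0, "files": set(), "dirs": set(), "after_hours": 0})
    for ts, user, action, path, size in events:
        if action != "READ":
            continue
        s = stats[(user, ts.date())]
        s["bytes"] += size
        s["files"].add(path)
        s["dirs"].add(path.split("/")[1])        # top-level share, e.g. "eng"
        if not (WORK_START <= ts.hour < WORK_END):
            s["after_hours"] += 1
    return stats


def find_anomalies(events):
    """Return {user: [reasons]} for users whose latest day departs from their baseline."""
    stats = daily_stats(events)
    latest = max(d for (_, d) in stats)
    findings = {}
    for user in {u for (u, _) in stats}:
        today = stats.get((user, latest))
        if today is None:
            continue
        history = [s for (u, d), s in stats.items() if u == user and d < latest]
        reasons = []
        if history:
            base_bytes = sum(s["bytes"] for s in history) / len(history)
            base_files = sum(len(s["files"]) for s in history) / len(history)
            known_dirs = set().union(*(s["dirs"] for s in history))
            if today["bytes"] > VOLUME_FACTOR * base_bytes:
                reasons.append(f"volume {today['bytes']} bytes vs baseline {base_bytes:.0f}")
            if len(today["files"]) > FILES_FACTOR * base_files:
                reasons.append(f"{len(today['files'])} files vs baseline {base_files:.1f}")
            new_dirs = today["dirs"] - known_dirs
            if new_dirs:
                reasons.append("new areas: " + ", ".join(sorted(new_dirs)))
        if today["after_hours"] >= MIN_AFTER_HOURS:
            reasons.append(f"{today['after_hours']} after-hours reads")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

On the constructed sample only bob is flagged, on all four counts: roughly 66 times his usual daily volume, five files against a baseline of one, a share he has never touched before, and five reads after 22:00. A single one of these signals is noise in most organizations; the combination is the kind of lead that justifies the forensic work described above, and the same per-user daily records are what an investigator later uses to reconstruct the timeline.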

Only through a multi-disciplinary investigative approach can organizations root out problems where they lie and, when an incident is confirmed, uncover the type of persuasive evidence necessary to take appropriate civil, criminal, or administrative action.
