It's no secret hackers have made an art of sneaking in through companies’ virtual doors and making off with intellectual property. But while a new McAfee report highlights security challenges, it also reveals that companies are looking hard at secure data storage, creating an opportunity for vendors and service providers alike.
The report, entitled “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," was prepared by McAfee and the Science Applications International Corporation (SAIC). Based on a survey of 1,000 technology managers in the U.S., U.K., China, Japan, India, Brazil and the Middle East, the report found many businesses are ready to spend money.
Roughly half of the organizations surveyed are looking to increase their IT security spending on hardware and software upgrades, external hosting of data and other services. In addition, around half of organizations anticipate that their investment in securing sensitive information will increase, while only one in 20 are looking to decrease it.
Still, a desire to cut cost appears to be playing a greater role in overall decisions about data storage, as the prospect of saving money by storing data abroad has become more attractive to some companies. According to the report, more than half of the organizations in the study stated they are reassessing the risks of processing data outside their home country due to the economic downturn. In 2008, that number was four in ten, the authors noted.
The countries regarded as the safest to do business with are Germany, the U.K. and the U.S. China, Russia and Pakistan were regarded by respondents as being the least safe even though the source of attacks is often difficult to trace.
“Sophisticated attacks such as Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the of the largest, and seemingly most protected corporations in the world,” said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee, in a statement. “Criminals are targeting corporate intellectual capital and they are often succeeding.”
Just how successful they are often escapes the public eye. Only three out of 10 companies worldwide report all data breaches and losses related to IP to outside government agencies, stockholders or authorities. Sixty percent of respondents said they “pick and choose” which breaches to report “depending on how they feel about them” while one in 10 said they only report breaches and losses when legally mandated.
How many -- and what type -- of breaches were made public varied by region. For example, 40 percent of U.S. respondents said they report all breaches regardless of size. Sixty percent said they report them unless they are “small or insignificant.” In contrast, 50 percent of respondents in the United Arab Emirates (UAE) said they only report breaches when legally obligated. In China, slightly more than 10 percent said the same, while 50 percent said they report breaches unless they are judged to be insignificant.
According to the report, many of these successful attacks escape public notice because businesses are concerned the admission of a significant vulnerability could draw other attackers, and as a result they are hesitant to admit intellectual capital losses publicly.
“Around half of organizations reported (reputation) as their number one concern regarding a data breach involving sensitive information or intellectual property,” the report notes. “Today a public company can lose a top secret recipe, a go-to-market plan or other key secret and they are reluctant to report it given the potential backlash from customers, shareholders, and the market. Media coverage after a breach can affect brand reputation, and shareholder value and therefore are underreported.”
Adding yet another layer to the problem is that the cost of dealing with data breaches isn’t getting any cheaper. The rising costs may explain why just 25 percent of organizations globally conduct forensic analysis of a breach or loss, and only half take steps to remediate and protect systems for the future after a breach or attempted breach, the report’s authors speculated.
“More than half of organizations have, at some point in their history, decided not to further pursue or investigate a security incident because of the cost of such an investigation/pursuit,” the report notes. “Organizations are more likely to review/investigate a small data breach internally, rather than bringing in external help. This lack of investigation means that potential vectors of attack are not shored up and future penetration is possible or the threat persists. Insiders are not identified, and incongruities are not investigated to identify a larger threat.”
The distinction between insiders and outsiders is blurring, opined Scott Aken, vice president for cyber operations at SAIC.
“Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely – just as an insider would,” he said in a statement. “Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks based on human behavior.”