MT EXPERT: Corporates caught unaware - tales from the front line of cyber security

Curious international powers, angry hacktivists and spurned staff: get data protection wrong and you stand to lose millions, says online security veteran Seth Berman.

by Seth Berman
Last Updated: 30 Oct 2015
Ever thought your company is a potential target of state-sponsored hackers, eager to lay their hands on sensitive commercial information or use your IT infrastructure as a springboard to others’ systems? It sounds unlikely, but it isn't as far-fetched as it may seem. News media and governments in several countries have reported foreign states are showing a greater interest in commercial hacking and corporate espionage.
At the front line, companies are now regularly having to tackle data breaches. Take for example the manufacturing company that discovered hackers had gained access to its systems. The hackers, in the pay of a nation state, had accessed and copied detailed plans for future products. These plans were of significant value in the hands of a third-party. We worked with the company to scan its network for viruses and establish whether data had been copied. It was a time-consuming and complex process which, in this case, meant we had to reverse engineer and analyse the code of the viruses. This eventually allowed the team to ensure the hacking had stopped and to identify and confirm which secrets were stolen.
A similar scenario arose for a business involved in an auction to sell mineral rights worth several billion dollars. Halfway through the auction, it was found that the email system had been penetrated. This had allowed the system to be reprogrammed, with every incoming and outgoing email copied and sent to the hackers. The subsequent investigation suggested that the hacking had been carried out by one the companies involved in the auction in a move to gain an unfair advantage in the bidding process.
Knowing your enemy can play a key part in defining your next steps. A lesson learned by several well-known brands, which have come under fire from online hacktivists. Having threatened to attack these companies as a result of a real or perceived insult hacktivists have published logins and passwords for users of the companies’ sites and even published emails from the CEOs.
Even the most advanced security may prove inadequate against the onslaught of hackers intent on targeting the weakest link: people. Most computer users have been recipients of poorly worded ‘phishing’ emails one time or another, requesting online banking password resets or offering ‘lucrative,’ never to be missed deals. While the vast majority would hit the Delete button, it only takes one unwitting member of staff to fall for the scam before security has been breached. When the email appears to come from the CEO, alongside a plausible explanation ('I’ve sent this email from my private email address as I have not been able to access the office network'), the number of individuals clicking on the offending link could be even greater.
This predicament was faced by several dozen associates at a London law firm. The email, sent after-hours from the ‘private’ email address of the ‘managing partner’, asked each recipient to review an attached document, the content of which would be discussed at a meeting the next morning.
The document contained a virus. Once opened, the virus was deposited on the laptop or home computer of the unfortunate associate and from there onto the law firm’s network.
Such examples of ‘spear phishing’, or highly targeted fraudulent emails that may introduce a virus, activate malware to log keystrokes, copy emails, or even record phone conversations, are pretty common.

The challenge is to stop staff from clicking on innocent-looking links and using the same easy-to-guess password for multiple devices and online accounts. Therefore the development of an information security policy and standards of conduct that instils security into the company’s culture is as important as ensuring that firewalls, anti-virus detection software is up to date.
Of course, the threat that your staff inadvertently introduce a virus into your network is not the only – or even primary way – they can cause a data breach.

And when thinking of your staff, spare a thought for the threat of insider data theft. Dropbox, Google Drive and Apple iCloud, as well the ubiquitous nature of social media, have all contributed to breaking down the barriers between personal and work data. Add to this the growth of private smartphones and tablets in the workplace, and employers are facing an uphill struggle to prevent disgruntled or departing staff from siphoning off a veritable treasure throve of sensitive data.
In one such case, a defence contractor won a multimillion-dollar judgment against a group of former employees who used stolen company data to set up a competing business. The conspiracy by these former employees, the data stolen and its intended use were all revealed as a result of detailed computer forensic analysis, which ultimately proved their undoing.
Hacking and data theft is one of the greatest business and technology threats of the digital age. We are well past the point where any organisation can responsibly ignore this risk.
There are different lessons to be learned from each and every incident but two critical factors regularly stand out. First, staff must be trained in how to prevent and respond to such attacks. Second, incident response cannot be done on the fly. An initial security audit, followed by a regularly updated incident response plan, will significantly enhance the prospects of successfully tackling an incident, irrespective of whether the adversary wears the cloak of a nation state, an opportunistic hacker or someone closer to home.
 - Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. Prior to joining the firm, Seth was an Assistant U.S. Attorney and served as a member of the New England Electronic Crimes Task Force.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

A mini case study in horizon scanning

Swissgrid has instituted smart risk management systems for spotting things that could go wrong before...

Interview ghosting: Stop treating job seekers like bad dates

Don’t underestimate the business impact of a simple rejection letter.

5 avoidable corporate disasters

And the lessons to learn from them.

Dressing to impress: One for the dustbin of history?

Opinion: Businesswomen are embracing comfort without sacrificing impact. Returning to the office shouldn't change that....

How to motivate people from a distance

Recognising success in a remote or hybrid environment requires a little creativity, says Insight SVP...

What pushy fish can teach you about influence at work

Research into marine power struggles casts light on the role of influence and dominant bosses...