At the front line, companies are now regularly having to tackle data breaches. Take for example the manufacturing company that discovered hackers had gained access to its systems. The hackers, in the pay of a nation state, had accessed and copied detailed plans for future products. These plans were of significant value in the hands of a third party. We worked with the company to scan its network for viruses and establish whether data had been copied. It was a time-consuming and complex process which, in this case, meant we had to reverse engineer and analyse the code of the viruses. This eventually allowed the team to ensure the hacking had stopped and to identify and confirm which secrets were stolen.
A similar scenario arose for a business involved in an auction to sell mineral rights worth several billion dollars. Halfway through the auction, it was found that the email system had been penetrated. This had allowed the system to be reprogrammed, with every incoming and outgoing email copied and sent to the hackers. The subsequent investigation suggested that the hacking had been carried out by one of the companies involved in the auction in a move to gain an unfair advantage in the bidding process.
Knowing your enemy can play a key part in defining your next steps. This is a lesson learned by several well-known brands that have come under fire from online hacktivists. Having threatened to attack these companies as a result of a real or perceived insult, hacktivists have published logins and passwords for users of the companies’ sites and even published emails from the CEOs.
Even the most advanced security may prove inadequate against the onslaught of hackers intent on targeting the weakest link: people. Most computer users have been recipients of poorly worded ‘phishing’ emails at one time or another, requesting online banking password resets or offering ‘lucrative’, never-to-be-missed deals. While the vast majority would hit the Delete button, it only takes one unwitting member of staff to fall for the scam before security has been breached. When the email appears to come from the CEO, alongside a plausible explanation (‘I’ve sent this email from my private email address as I have not been able to access the office network’), the number of individuals clicking on the offending link could be even greater.
This predicament was faced by several dozen associates at a London law firm. The email, sent after hours from the ‘private’ email address of the ‘managing partner’, asked each recipient to review an attached document, the content of which would be discussed at a meeting the next morning.
The document contained a virus. Once opened, the virus was deposited on the laptop or home computer of the unfortunate associate and from there onto the law firm’s network.
Such examples of ‘spear phishing’, or highly targeted fraudulent emails that may introduce a virus, activate malware to log keystrokes, copy emails, or even record phone conversations, are pretty common.
The challenge is to stop staff from clicking on innocent-looking links and using the same easy-to-guess password for multiple devices and online accounts. Therefore, developing an information security policy and standards of conduct that instil security into the company’s culture is as important as ensuring that firewalls and anti-virus detection software are up to date.
Of course, the threat that your staff inadvertently introduce a virus into your network is not the only – or even the primary – way they can cause a data breach.
And when thinking of your staff, spare a thought for the threat of insider data theft. Dropbox, Google Drive and Apple iCloud, as well as the ubiquitous nature of social media, have all contributed to breaking down the barriers between personal and work data. Add to this the growth of private smartphones and tablets in the workplace, and employers are facing an uphill struggle to prevent disgruntled or departing staff from siphoning off a veritable treasure trove of sensitive data.
In one such case, a defence contractor won a multimillion-dollar judgment against a group of former employees who used stolen company data to set up a competing business. The conspiracy by these former employees, the data stolen and its intended use were all revealed as a result of detailed computer forensic analysis, which ultimately proved their undoing.
Hacking and data theft are among the greatest business and technology threats of the digital age. We are well past the point where any organisation can responsibly ignore this risk.
There are different lessons to be learned from each and every incident, but two critical factors regularly stand out. First, staff must be trained in how to prevent and respond to such attacks. Second, incident response cannot be done on the fly. An initial security audit, followed by a regularly updated incident response plan, will significantly enhance the prospects of successfully tackling an incident, irrespective of whether the adversary wears the cloak of a nation state, an opportunistic hacker or someone closer to home.
- Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. Prior to joining the firm, Seth was an Assistant U.S. Attorney and served as a member of the New England Electronic Crimes Task Force.