Defending Against Competitor Cyberespionage
September 10, 2015 No CommentsFeatured article by Vidhya Raganathan at Accellion
Tales of cyberespionage pervade mainstream media with new breaches being reported almost weekly. While cyberwarfare is a reality, sometimes the biggest breaches are not the work of spy agencies, organized crime syndicates or even sophisticated hackers, but rather the act of a former employee or business competitor. Today’s IT departments need not be on the look out for James Bond – it’s James the disgruntled former product manager with an axe to grind that they should be concerned with.
For example, in 2009 US-based hospitality company Starwood accused rival hotelier Hilton of industrial espionage, specifically the theft of more than 100,000 electronic files containing sensitive information about its luxurious W hotel chain resulting in a $75 million settlement. More recently, federal investigators have recommended charges be filed against members of the St. Louis Cardinals front office for allegedly accessing a database managed by the Houston Astros that contained information on the club’s developing players.
What is to be gained from competitor cyber-espionage? If you manage a sports team, it may be information on potential trades or draft picks or details of a player’s injuries. If you are an enterprise business owner, it could be new product features, M&A discussions, customer contracts, employee issues; the list goes on and on.
These and other incidents should be a wake up call for CIOs and CISOs and IT managers. Because a competitive advantage is priceless in the market place, those employees entrusted with safeguarding proprietary information should assume that they are already being targeted by a competitor, at risk of an accidental data leak by a careless employee or an intentional data breach by a disgruntled worker. Adopting an offensive mindset, namely being proactive with managing your corporate data, can provide the best defense.
With reputation and shareholder value at risk, data security has become a C-suite issue. Below are four crucial actions that enterprise business owners and IT departments must take to better protect themselves against competitor cyber-espionage:
Terminate privileged accounts and credentials of rogue employees
Insider attacks are among the biggest threats facing enterprise data. In fact, according to a 2015 study from Online Trust Alliance, 29 percent of data breaches are caused either accidentally or maliciously by employees. To avoid making the headlines as the latest victim of a breach, or worse, a competitor hack, CIOs must ensure IT departments identify and terminate any privileged accounts and credentials that are not in use, including those associated with employees that are no longer with the company. This will increase the likelihood of keeping your businesses’ secret sauce out of the hands of your biggest competitor.
Enforce security protection using unique and complex password requirements
It doesn’t take a sophisticated hacker to break into your enterprise data vault if passwords are easy to crack. Because we all have a multitude of passwords to keep track of, people tend to become lax using the same easy-to-remember passwords for a variety of purposes. According to a 2015 Trustwave research report of 574 data compromises that took place across 15 countries, 28 percent of the breaches were the result of weak passwords. Each year, several reports are released sharing the most common passwords such as “1234” or “qwerty.” Although common knowledge, employees may still use these uncomplicated passwords. As the first line of defense, enforce passwords that require upper and lowercase letters, symbols and numbers that are unique, meaning they are not in use elsewhere, to decrease the likelihood of a breach. Despite how much of a St. Louis Cardinals fan an employee may be, any password that also uses a favorite sport or sports team is not recommended.
Take ownership of encryption keys
While house keys are never shared with complete strangers, the same concept should be applied with encryption keys. Enterprise data and information that is stored in a public cloud can be at risk since encryption keys are also maintained by cloud service providers and architects. Rather than overthinking whether an encryption algorithm is strong enough, a better question to ask is where encryption keys are held or managed. Whether information is being stored via smartphones, laptops or wearables, organizations should be aware of the risks associated when using the public cloud. Consider deploying a private cloud storage solution that guarantees ownership of encryption keys for maximum protection and control over stored data.
Train employees on cybersecurity best practices
Steven Covey famously said, “always treat employees exactly as you want them to treat your best customers.” Employee training does two things: It shows that you value them and are willing to provide them with all the tools they need to do a good job. From a security perspective, enterprise management and IT departments can teach employees the value of protecting customer and employee information. This helps to decrease the likelihood of careless errors concerning corporate information. Mandatorytraining sessions that focus on security practices help employees learn how to manage passwords and identify and avoid risks. In addition to periodic training sessions, an ongoing support system ensures that employees have the security resources and education they need to stay up-to-date in making smart decisions when using corporate data.
As important as it is to invest in a strong security system, internal measures that protect against competitor cyber-espionage are essential to guard sensitive information. The negative repercussions from the Starwood Hotels and Houston Astros’ breaches prove that all organizations should develop, monitor and continually enhance internal systems and policies to safeguard sensitive data. Human error, carelessness or malicious attacks from rogue employees are prime examples of internal security risks that can be avoided. In order to prevent a scandal and subsequent headaches for IT managers, their C-level bosses and their boards of directors, you need to develop solid internal security measures that keep spies out of your business and back in novels and movies where they belong.