Organizations need to do a better job protecting their most safeguarded assets to stave off a new wave of cybercriminal attacks targeting trade secrets, marketing plans, source code and other intellectual property (IP), a new study finds.
We're definitely seeing the cybercriminals going after things like marketing plans, trade secret formulas and information relating to mergers and acquisitions.
vice president for cyber operationsSAIC Corp.
The study, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," (PDF) undertaken by the Science Applications International Corp. (SAIC) and McAfee, has found that corporate IP is the fastest growing currency on the black market. The study surveyed more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East. It found companies were not doing a good job protecting email describing corporate culture, employee manuals and patent. While client supplier data, employee data and trade secrets were the best protected data, attackers are using targeted attacks and social engineering tactics to gain access to the sensitive information.
"The adversaries are shifting momentum away from attacking your typical PII type of information and going after the larger intellectual capital of major corporations," said Scott Aken, vice president for cyber operations at SAIC. "We're definitely seeing the cybercriminals going after things like marketing plans, trade secret formulas and information relating to mergers and acquisitions."
Data breaches remaining undisclosed
The study also found that cash-strapped organizations are not following up on data breaches or better securing systems to avoid a future breach. About 25% of the organizations surveyed have had a merger or acquisition or a new product roll-out stopped or slowed by a data breach, or the credible threat of a data breach. Only half of those organizations that experienced a data breach took steps to remediate and protect systems from future breaches.
Companies cited cost as the primary reason for failing to take remediation steps after a breach, Aken said. Many organizations lack the expertise in house to do attack mapping, so they have to outsource the work to specialized companies, he said. Instead, those surveyed indicated they sometimes only wipe the machine or system containing the malware.
"It leaves them wide open for repeat attack," Aken said. "If they're not doing the appropriate follow-through to understand what happened, they're probably going to get hit by the same thing."
The survey found that only 3 in 10 organizations report all data breaches suffered, and 6 in 10 organizations currently "pick and choose" the breaches they report. The report also shows that organizations may seek out countries with more lenient disclosure laws. Eight in ten organizations that store sensitive information abroad are influenced by privacy laws requiring notification of data breaches to customers.
"There's definitely a large disparity between the organizations in what they are choosing to report and what they are choosing not to report," Aken said. "Companies are worried about reputational impact and a significant breach could have large impacts on their reputation."
The new survey is being compared to a 2008 survey called "Unsecured Economies," (PDF) in which McAfee predicted that the weak economy would cause more companies to find cheaper options to store IP abroad. But the 2011 survey found that the weakening economy had the opposite effect. "Both the value of the information and the amount spent securing information has decreased in the last two years."
"In 2008, companies spent about $3 for the protection of $1 of data," the survey found. "This has proportionally increased to $4.80 in security for every $1 of data stored abroad because many companies have decreased the amount of data stored abroad while keeping the same protections."
But the latest survey also found more organizations are looking to store IP abroad to cut costs, said Simon Hunt, vice president and chief technology officer for endpoint protection at McAfee. Approximately one third of organizations are looking to increase the amount of sensitive information they store abroad, up from one in five two years ago.
"There was a high response of organizations saying they're moving data to China and India because it was perceived that there was more autonomy in those countries," Hunt said. "There is confusion in the industry about how breach notification laws work. It doesn't matter what country the data resides, organizations still have a legal duty to report, based on being a U.S. company."
Like the 2008 report, those surveyed in the new study identified China, Russia and Pakistan as being the least safe for data storage, and the U.K., Germany and the U.S. as being be the most safe.