This article is by Cari Guittard of the Huffington Post, who recently interviewed Ira Winkler, President of Secure Mentem and the Internet Security Advisors Group (ISAG), about changes in corporate espionage and some simple countermeasures. Ira Winkler is an expert in computer security and penetration testing. His responses point to the need to pay attention to many overlooked internal threats. The full article can be read [here].

Ira points out that internal threats from employees are often overshadowed by the well-publicized concerns over cyber warfare. It is important to recognize that, alongside hacking and other computer threats, information leaked through other forms of electronic eavesdropping can be equally devastating to a corporation.

Hacking Humans, Corporate Espionage and the Spies Among Us

By Cari E. Guittard, Principal, Global Engagement Partners; Professor of Global Management, Hult International Business School

I reconnected with Ira after his remarks at the SC eSymposium to get his take on the state of corporate espionage today, his sense of how the craft has evolved since he first began working in this space, and his recommendations for what companies and large organizations can do about it.

Cari Guittard: How has corporate espionage changed since you first began working in this space over a decade ago? What are the trends you’re seeing now and how has this changed over the years?

Ira Winkler: I see a lot of attention being paid to spear phishing and APT, which people equate specifically to China. While spear phishing as a primary attack vector is new, China actively compromising information is not, nor is espionage mostly from China. They just are bad in that they are caught so frequently.

Cari Guittard: In your opening remarks to the SC eSymposium last week you began talking about China and the media’s collective obsession with Chinese hacking and espionage attempts, an obsession that you found misplaced in a broader discussion of corporate espionage trends. For most companies operating globally, should they care about China and are there any lessons to be learned from their approach to hacking and espionage?

Ira Winkler: China is a dragon. Dragons are mythical creatures, whom the population fears at the mere mention of. However, while they are paralyzed with fear at the thought of the dragon, they ignore the snakes and rats that are constantly causing them small amounts of harm. I am not saying that the Chinese threat is mythical per se, but that the threats that are causing people damage are employees, both well-meaning and malicious, who cause damage intentionally or accidentally. If China were the only threat you had to worry about, consider yourself lucky, as the damage they cause is not immediate nor costly, unless they use the information to directly compete with you or use it against you. In short, companies really need to focus their attention on preventing damage caused by small but plentiful incidents that aggregate to cause a devastating loss.

Cari Guittard: You noted the pervasiveness of what you call a ‘security stagnation’ culture whereby many large organizations take the viewpoint that their threats are largely external and all of their security countermeasures, if they have any in place, are largely focused on outside, existential threats. Can you elaborate on this concept and advise where an organization should redirect their focus and resources to better protect their information assets?

Ira Winkler: An insider knows exactly where and how to hurt you. There have been many cases where a disgruntled employee created crippling losses after leaving the organization. Companies need to focus their attention on basic computer security and operations. While everyone wants to hear about “Advanced” persistent threat, the reality is that most attacks are not technologically advanced. Bad passwords, poor permission settings, failure to deactivate accounts of departing employees, easily guessable or written passwords, failing to monitor data stores, etc. have been exploited exponentially more frequently than seemingly sophisticated attacks. Even the nature of the “Advanced” threat is rarely that it is technologically advanced, but that it is advanced in its organization and persistence.


Cari Guittard: What are some simple countermeasures you would advise to help organizations and individuals protect themselves against espionage and human hacking attempts?

Ira Winkler: Enabling automatic updates of software, installing anti-malware and anti-virus software and enabling automatic updates, being mindful of suspicious e-mails and websites, creating strong passwords that are not shared or written down, setting account permissions properly. I really wish there was some magical advanced countermeasure I could recommend to stop attacks, but the reality is that information security is very much like the 80/20 Rule, where you can solve 80 percent of your problems with 20 percent of the effort. The reality is that studies of incidents show that the 80/20 Rule is much more like the 99/1 Rule, where you can stop 99 percent of attacks with 1 percent of the effort.
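The basic failures named in the two answers above (accounts of departed employees left active, unmonitored or unused accounts, over-broad permissions, old passwords) are exactly the kind of thing a periodic audit catches. The script below is an added example, not code from the interview or from Secure Mentem: it runs a simple hygiene check over a constructed account inventory. The account fields, the group names in PRIVILEGED_GROUPS, the role names and the thresholds are all assumptions; in practice the inventory would be joined from the HR system and the directory.

```python
"""Audit a constructed account inventory for the basic hygiene failures
the interview describes. Example code; the data and names are invented."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed names of directory groups that confer elevated access.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}


@dataclass
class Account:
    username: str
    employed: bool             # HR record: this person still works here
    enabled: bool              # directory record: the account can log in
    role: str                  # job function from HR, e.g. "sysadmin", "sales"
    groups: frozenset          # directory group memberships
    last_login: Optional[date]  # None means the account has never logged in
    password_set: date         # when the current password was set


def audit_accounts(accounts, today, stale_days=90, max_password_age=365):
    """Return {username: [finding, ...]} for enabled accounts that break
    one of the basic rules: departed-but-enabled, stale, over-privileged,
    or carrying a password older than the policy allows."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used; nothing to flag
        problems = []
        if not acct.employed:
            problems.append("departed employee still enabled")
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            problems.append("no login in %d days" % stale_days)
        if acct.groups & PRIVILEGED_GROUPS and acct.role != "sysadmin":
            problems.append("privileged group membership outside admin role")
        if (today - acct.password_set).days > max_password_age:
            problems.append("password older than %d days" % max_password_age)
        if problems:
            findings[acct.username] = problems
    return findings


# Constructed sample inventory: one healthy user, one departed employee whose
# account is still live, one never-used service account with backup rights and
# an ancient password, and one properly disabled leaver.
SAMPLE_TODAY = date(2013, 5, 10)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, True, "sales", frozenset({"Sales"}),
            date(2013, 5, 9), date(2013, 1, 15)),
    Account("asmith", False, True, "engineer", frozenset({"Engineering"}),
            date(2013, 4, 30), date(2012, 11, 1)),
    Account("svc_backup", True, True, "service", frozenset({"Backup Operators"}),
            None, date(2011, 6, 1)),
    Account("bold", False, False, "finance", frozenset({"Finance"}),
            date(2012, 1, 4), date(2011, 12, 1)),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(user, "->", "; ".join(problems))
```

The point of keeping `employed` (from HR) and `enabled` (from the directory) as separate fields is that the departed-but-enabled case only becomes visible when the two sources are compared; neither system flags it on its own. Running the check on a schedule and reviewing the findings is the "monitoring" the answer calls for, and it needs no advanced tooling.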

Cari Guittard: Your new company, Secure Mentem, focuses on creating, nurturing and measuring an effective foundation for a security awareness culture within an organization. Security Awareness should be something every organization invests in and pays attention to but few do it well if at all. Why is this and why so much controversy in this space?

Ira Winkler: I equate the supposed controversy about security awareness to the Westboro Baptist Church and hatred of our troops. The media loves to give attention to any media whore who takes an outlier position, no matter how rare or illogical it may be. The reality is that a small group of people on a slow news day can garner a lot of attention, and then the outraged public keeps a non-issue alive by expressing their outrage instead of letting the controversy go into oblivion where it belongs. There is no real “controversy” about the importance of security awareness. The articles criticizing awareness are written by outliers who know little about the science of security awareness. When you actually see the responses to the articles these people write, you see almost unanimous condemnation of the articles.

If you actually read the criticism of security awareness, and substitute “computer security” with “automobile safety”, you would find that they essentially argue that despite immense spending on driver safety, there are still accidents, so let’s abandon driver safety and rely on cars that drive themselves. The arguments are absurd, or specious at best. The only thing these people are correct about is that there are many security awareness programs that are bad.
