Business
Calgary Herald
Front Page
Monday 18 January 1999
Firms wage electronic war on industrial espionage
Matthew McClearn, Calgary Herald
Office break-ins,
corporate hooliganism,
industrial espionage and
the countermeasures game
against them are nothing
new in the business world.
But in the past, such
activities might have
involved two guys in a
pickup keeping tabs on
the competition using
binoculars or diving into
dumpsters, or a disgruntled employee photocopying important
documents and mailing them to outsiders.
Increasingly, the war for proprietary information is waged on a shady
digital battlefield.
"The same things that have always happened are now happening
electronically," says Mitch Tarr, vice-president of sales at Calgary
security firm Jaws Technologies Inc.
Because security policies tend to come straight from head office,
computer security is a particularly important issue in Calgary.
"In the majority of companies in Calgary, we see that their data is very
valuable to them, and that's reflected in their IT (information technology)
budgets," says Jaws security consultant Brian Lynch. "Securing that
(data) is an additional step they need to take."
Sizing up electronic information theft is difficult. Fearing bad press,
scared customers and concerned shareholders, companies usually keep
quiet about attacks on their systems -- if they are even aware of them.
Further, companies rarely prosecute their attackers -- partly to avoid
embarrassing publicity, but also because computer crimes are notoriously
difficult to prosecute.
An American study by the Computer Security Institute and the Federal
Bureau of Investigations in 1998 found that information thefts resulted in
losses in individual cases of between $300 and $25 million US.
Those attacks cost domestic U.S. firms $300 billion US, and $140
billion in overseas operations.
"The fact is, corporate espionage or information gathering and intelligence
is a big business," says John Hess, senior manager at KPMG
Investigations and Security Inc. in Calgary.
"Fortunately, a lot of corporations are very ethical about how they collect
it . . . but there are (countries and businesses) that actively collect
corporate intelligence by any means."
Adds Lynch, "We're seeing more malicious forces like government- and
business-sponsored hackers. Obviously, they're very organized and
well-funded. The majority of hacks do come from hobby hackers and
curious thrill-seekers."
When companies lose control of proprietary information, there are
consequences.
A KPMG survey found that Canadian corporations suffered an average
loss of $178,000 per information theft (electronic or otherwise).
"When you have a theft of information, it could be absolutely devastating
to the company," says Hess. "Corporate Canada is still awakening to the
fact that those threats are real."
Experts say businesses large and small generally don't put enough locks
and chains between their proprietary information and outside hands.
"It's something that, by default, businesses don't do enough due diligence
on," says Tarr. "What you see is organizations using technologies have so
many challenges . . . it's hard to keep security at the forefront of their IT
plan."
Companies expose themselves to electronic assaults on their systems in
two key ways. Firstly, there is a multitude of technological portals
through which outsiders can hack into a system. An Internet connection
or a particular department system not under a company's security
umbrella are two of many examples.
Says Tarr, "Almost all organizations using technology and attached to the
outside world are at risk."
Equally important are the ways in which employees themselves,
deliberately or otherwise, create vulnerabilities in security.
For example, a conniving attacker posing as a human-resources manager
can often get passwords from naive or unsuspecting new employees over
the phone.
Hackers call it "phreaking." Security professionals prefer the term "social
engineering."
"It's amazing what people will tell you if you ask them nicely and in the
right way," says Tom Keenan, dean of continuing education at the
University of Calgary, who has a keen interest in information security.
Hackers are experts at exploiting cracks technological and social. They
are an organized community with formidable knowledge. Hackers
exchange tricks of the trade and knowledge about vulnerable businesses
in chat rooms on the Internet and even at conferences like DEF CON,
held in Las Vegas every year. Security professionals are attendiung these
conferences to keep tabs on the enemy and even recruit them.
"You fight them (hackers) with knowledge and preparedness," says
Phillip Banks, vice-president of KPMG Investigations and Security.
"Your security people have to become knowledgeable as to the threat . .
. and make sure you have a system that's capable of protecting itself."
Just as there are many ways for hackers to get in, there are plenty of
tools to keep them out.
Passwords, data encryption, firewalls (stopgates for incoming and
outgoing data) and network-monitoring tools that observe traffic and
activity are examples.
But these tools are ineffective if not implemented in conjunction with a
comprehensive security policy.
That includes personnel training and security awareness about issues like
disclosure of passwords, and storage and destruction of information.
The level of security depends largely on the value of the data a firm has.
There are few limits to how secure you can make your information or
how much money you can spend steeling yourself against the outside
world.
Keenan recalls a Toronto software-consulting firm that considered
placing its systems in a lead-lined room to prevent competitors from
spying "using special antennas.
Yet their phone lines weren't protected, so anyone could wiretap them
from the hall.
"The reality is, people often get hung up on the wrong thing and spend a
lot of money locking up a door when there's a window wide open
somewhere that they haven't seen."
As well, when battening down the hatches, companies need to balance
security and convenience.
Excessive security can cut into productivity,, and there's a tendency for
employees to find ways around irritating information-security measures,
much as they may prop open locked doors to avoid the hassle of
fumbling for keys.
"Security has to be balanced," says Banks. "Corporations exist to do
business and make money, and they can't be subservient to security."
No amount of security can fully protect a system from hackers, who can
and do find cracks in even the most rigourous and high-budgeted security
efforts, like those of NASA, the military and the Pentagon.
"Even organizations that have a significant number of zeros behind the
dollar sign are falling prey to this sort of thing," says Banks. "I expect it to
increase."
|
