A recent study by technology consultants Detica for the Cabinet Office found that intellectual property (IP) theft costs British businesses £9.2bn a year.
The companies most at threat include those in software, financial services, pharmaceuticals, electronics and mining. They are targeted by criminal gangs that use a complex array of online hacks and offline scams to breach corporate IT perimeters.
Most major corporations have probably experienced IP theft. According to a study by consultants Booz Allen Hamilton and analysts the Economist Intelligence Unit, most large businesses had no idea of the extent of their losses through IP theft and were too embarrassed to publicly admit to it happening.
“Many online attacks are denials of service, but the actual impact is not significant,” says Prof David Stupples, the director of the Centre for Cyber Security Sciences at City University London. “What is more worrying is the use of espionage worms like Gauss and Duquo, which can secretly steal confidential information. This is much more damaging.”
These sinister-sounding infections are complex software “worms”. The software’s core, known as a rootkit, is small and can be installed via a memory stick or email. Once installed, it scans the host PC before downloading modules designed to seek out specific types of information.
“They can hunt out patents, blueprints, passwords and information about a takeover,” adds Stupples. Worms such as these can reside on a system for months before detection by even the best anti-virus software. By then, the secrets are out.
Being aware of what is valuable – such as research and development work – and how and where it can be accessed is the first step to protecting yourself.
Most companies could do a lot more to secure their intellectual capital. According to experts, the best way to hide sensitive information from prying eyes is encryption, which limits who has access. Strong encryption is almost uncrackable so the weak point is the cryptographic information and how you manage it.
And this is a weakness that cybercriminals seek to exploit. They may use LinkedIn to identify and contact senior executives at an organisation they want to steal from. Or they may trawl through comment boards for unhappy staff. The targets can then be either tricked into downloading an espionage worm’s rootkit or bribed to install it directly from a USB stick.
Once the worm is installed it can seek out cryptographic keys on PCs, servers, remote hosts and cloud storage. All this can happen under the radar of the corporate anti-virus software.
“So when the breach has happened it’s often too late to take legal action to prevent it going further,” explains Tom Scourfield, partner at legal firm CMS Cameron McKenna.
His advice: get a good insurance policy against the losses, make IP theft a board-level issue, and ensure that third-party suppliers know they will be held liable should they prove to be at fault in a breach.
This article first appeared on the Guardian Media Network