Research by Verizon indicates that cyberattacks aimed at stealing intellectual property may be on the rise, but companies can take steps to mitigate these threats.

Cybersecurity and protecting intellectual property has long been a concern for multinational corporations. But the issue made headlines and renewed calls for legislation earlier this year after security firm Mandiant Corp. released a report alleging that a unit of  the Chinese military was conducting cyber espionage campaigns against more than 100 global organizations.

Until recently, information about the extent of cyberattacks has been largely anecdotal, with many companies fearful that releasing information about attacks would hurt them financially. In 2009, Verizon collected and analyzed information from organizations around the world for its first Data Breach Investigations Report. The 2013 report collected data from 19 organizations, which together reported 47,000 security incidents and 621 data breaches in the past year.

Though this year’s report shows that 75 percent of attacks were financial motivated, attacks by state-affiliated actors is on the rise. Efforts by state-affiliated actors—which Verizon was able to tie to China—to steal intellectual property made up roughly one-fifth of this year’s dataset.

Christopher Porter, managing principal for the Verizon RISK Team and an author of the report, spoke to the China Business Review about the report’s findings, which companies are most vulnerable, and what companies can do to protect themselves from data theft. This interview has been edited for length.

The term “cyberattack” has been in the news a lot lately, but your report calls them “data breaches.” Can you describe what we’re talking about and what gets classified as a data breach?

Porter: A data breach is when a threat actor works against an organization and steals data. The data has left the organization. The threat actor could be an insider, and the inside action could be malicious or not. An example of a non-malicious data breach might be where an insider accidentally sends a confidential contact list outside of the organization. That is considered a data breach because data has left the organization and it’s no longer under active control of the organization. We try to capture all of those things.

With this report, data breaches are events that actually happened against organizations.

You mentioned that these data breaches can be internal or accidental, but your data show that the vast majority of these breaches are coming from external actors. What are some of the trends you’re seeing now versus in the past?

Porter: Insider breaches in this year’s report were about 14 percent. It has kind of fluctuated year to year, but we believe the inside actors is a lower bound number. There are a couple of reasons for this. One, there are probably a lot of insider breaches that take place that organizations aren’t aware of. For instance, if financial data is stolen, like credit card data or bank account data, eventually it’s going to be used to buy something and that’s when the bank’s fraud algorithm identifies that as a data breach. When it comes to theft of different types of data, like intellectual property or sensitive organizational data, there are no fraud algorithms. If an insider or an outsider steals that kind of data you don’t really know it’s gone until you’ve lost a bid on a contract because they were able to underbid you because they had your bid. The tough piece, especially with insider breaches, but also with outsider breaches, is organizations often don’t know that they happened. It’s not usually the victim organization that discovers those breaches; it’s somebody else that’s found out about it and notifies the victim organization.

Second, when organizations find out about a data breach they tend to handle it internally. But year after year we see that external actors are behind most data breaches. I think there are lots of reasons for this. I think they operate in areas where the laws make it very difficult for them to be caught, specifically organized crime in Eastern Europe. You can scale a lot of attacks and monetize your attacks very easily with very little repercussions on your activities. It’s less risky for an external actor to do stuff like that. Insiders have trust within an organization and there may be logs of them accessing something.

Who should be most worried about these data breaches—individuals, governments, small businesses, or multinational corporations? Where are you seeing most of this taking place?

Porter: In our reports in the last several years, we’ve really seen a lot of small- and medium-sized businesses being hit, both by organized crime and state-affiliated actors. Organized crime has, the last few years, really targeted small organizations over larger ones. In the report we consider a large organization something that has more than a thousand employees, and anything below that is a small and medium business.

In particular, point-of-sale smash-and-grab attacks of small businesses are common. For example, a point of sale system at a small business like your local coffee show is sitting on the Internet. Organized crime groups log into that point-of-sale system, install malware, and as credit cards are scanned and swiped they’re sending that credit card data back to their servers or emailing it to themselves. Those are more opportunistic in nature, they don’t care who the small business is.

The more targeted attacks are affecting large and small businesses—it’s more dependent on the type of data that are at each of those locations. The state-affiliated attacks we saw this past year were really focused on manufacturing, professional firms, and transportation. These are both large and small organizations, but these types of companies are working on ideas that certain groups are interested in and they’re going after that data regardless of whether they’re large or small. It’s not an issue where only small businesses need to be concerned about this or only large companies or even just governments. Everybody is getting hit by something.

fig-3_Victim-industry

Manufacturing, professional services, and transportation firms are the most likely to be affected by espionage-related attacks. (Source: Verizon 2013 Data Breach Investigations Report)

There are some statistics in your report about breaches that originated in China and breaches that were carried out by state-affiliated actors in China. Can you talk more about breaches linked to China?

Porter: Typically, these are targeted attacks that look at specific intellectual property—manufacturing, professional services, and transportation organizations. There is a common formula for this type of attack. They usually start with phishing campaigns against that part organization. It doesn’t take very much to get somebody to click on a link, and then at that point malware is getting onto the system, which opens up a back door and the bad guys come in via the back door and spread out through the network. They immediately try to get passwords, so they can then log into the system and hide out as regular users. It’s very difficult to tell the difference between someone legitimately using their credentials and someone maliciously using those credentials. Then they find the data they’re interested in and they exfiltrate that data out of the organization.

In the data we’ve seen, up to 95 percent of the known state-affiliated actors were traced back to China. These weren’t just IP addresses that were emanating out of China. It’s a series of things that provide attribution back toward these particular actors.

One of the things we tried to do in our report was to not take an alarmist tone with this. We don’t believe that China is the only country in the world doing espionage. Espionage has been a problem for everybody for a long time. I think that the reason espionage is as high as it is is these threats are so much more visible, especially the last couple of years since Google uncovered the Aurora attack. It’s not something new; it’s just that when people are looking for something they find it.

Intellectual property-related theft is one-fifth of your data set this year. Are you seeing more IP theft now?

Porter: I don’t think stealing intellectual property is a new thing. It has had different modes or mediums. You see a lot of that in the physical world where they’re stealing documents or papers. And certainly in the cyber world, there are people who are hacking into organizations and stealing intellectual property. It’s a newer medium for stealing it, certainly, because before the Internet you had to physically go steal it, or you had to buy off an insider and have him steal the data for you instead of launching malware against a company. It is easier because technically minded individuals have resources available and there are very few repercussions.

Do you think that the threat different for companies that operate in China compared to those that do not?

Porter: I don’t think the threat is different. There are different methods of attacking. If you’re actually doing business in China and have employees in China and a physical presence there and network connections there, then there are a lot of things a company needs to concern themselves with. But it’s not because they’re in China, but because they’re operating in a global environment and in a country that has different laws and different cultures. Regardless of where your physical presence is, if you’re on the Internet, you have these problems.

The report mentions the importance of sharing data on these attack patterns, but many organizations have been reluctant to go public about data breaches. How can data sharing be effective but protect sensitive information? Are there incentives for sharing this information that can allow companies to protect what they need to protect?

Porter: The biggest incentive is probably a knowledge-sharing within the community. We started this report six years ago and the feedback we’ve gotten is that everyone’s really happy that there’s actual data out there that describes what’s going on with cyber crime.

Companies are really resistant because publicly disclosing that you’ve had some sort of incident could have a financial impact. We still lack information about how companies are financially impacted by these breaches. That sort of impact data—the cost of the breach—is not really well quantified. There are some numbers about how a breach is $500 per record, but what about those organizations that are losing IP? You can’t count intellectual property the same way that you can count credit card or bank account numbers. Future revenue streams are dependent upon getting a product to market, selling it, and making it better than your competitors.

Is there anything companies should be concerned about that they’re not really worried about yet?

Porter: We get asked all the time about mobile devices, but so far we haven’t seen much. I believe that when mobile devices become used more often for mobile payments that we’ll start seeing organized crime attacking those devices more often.

Is there an organization or industry that has protected, prevented, or responded particularly well to data breaches?

Porter: I have found that financial services organizations typically have very mature security programs. I think a lot of that has to do with the regulations that they have in place, but also they’re concerned with the bottom line and they can quantify better some of their losses so they can make better decisions about how to allocate resources. One of the reasons they do better is that they are better at some of the blocking and tackling kinds of things of information security. They have policies, procedures, and guidelines.

One of the most important things—all organizations that are doing better at security than others are doing this—is that they test those controls regularly. That’s something that doesn’t happen very often. You put together a bunch of controls, but if you don’t test them you don’t know that they’re working or if they’re still in place and protecting you. You have to make sure that you’re taking a programmatic approach to regular testing and making sure they are in place all the time.

Companies that have a strong incident response process also do better. If you can limit response time, the impact potentially will also be limited. Lastly, intelligence sharing even amongst your community of organizations can help. The financial services industry does a tremendous job of sharing intel among financial institutions, and I think that’s a good model for other organizations. Find a trusted group of organizations that you can share information with, especially in your own industry, because it’s likely that the types of threats you’re seeing, they’re also seeing.

Posted by Christina Nelson