Preventative security — or the scaring off of potential data thieves before they commit crimes — is inexpensive and easy to implement: three simple measures can save companies around the world over $100 billion in lost intellectual property (IP) every year, according to Gorka Sadowski, a principal solution architect at California-based security company LogLogic.
Talking at the InfoSecurity 2011 conference in London this year, Sadowski said that while most organizations spend substantially on firewalls, intrusion detection systems, anti-malware software and other conventional security measures to defend themselves against hackers, they underestimate the threat posed by another type of cybercriminal altogether: the “opportunistic fellow.”
“He’s like the guy that finds a $100 bill and looks around to see if anyone has noticed,” said Sadowski. “He won’t spend any time or money making preparations, he’ll just take your data if he thinks he can get away with it. For example, he’s the guy who gets sacked and decides to take your company’s customer list with him.”
Companies typically seek to avoid becoming victims of the crimes perpetrated by insiders by carrying out checks to identify prospective employees with a history of fraud or data theft, and in certain industries they may also pay to have a third party carry out more specialist background checks to try to identify industrial spies. But this type of approach is unlikely to spot an opportunistic fellow because they won’t fit the profile of a criminal.
“These people aren’t bad guys, they are normal guys who display bad behavior,” said Sadowski. “They are people like you and me, making bad decisions by persuading themselves that what they are doing is okay.”
Just how big is this threat? Sadowski said it is huge. A 2004 study of 400 UK businesses, carried out by Ibas, a computer forensics firm subsequently acquired by Kroll Ontrack, showed that 70 percent of business professionals have stolen some form of corporate IP from their employer when leaving a job. In terms of the cost, a 2008 McAfee study, the Unsecured Economies Report, estimated that the total value of IP stolen through cybercrime is likely in excess of a trillion dollars per year. McAfee got to this dollar amount by calculating the cost of data breaches resulting from theft by cybercriminals or deliberate and accidental loss by employees. Although it is not clear what proportion of this trillion-dollar loss is accounted for by opportunistic fellows, Sadowski believes that 10 percent would be a conservative estimate.
So how does preventative security work? “Preventative security involves making opportunistic fellows realize that there is a real risk of getting caught, and therefore making them think twice before they act,” Sadowski said. “It relies on the fact that opportunistic fellows only steal data when they are confident they won’t get caught. If they perceive there is any chance, they won’t do the crime.”
Compared to conventional defensive security measures, some of which can be very costly, you can implement the three key preventative security measures for very little outlay, Sadowski said.
Education and awareness campaigns – This is perhaps the most important step you can take. The education side involves spelling out to your employees the message that the customer lists, sales leads or other information that they may feel belong to them are, in fact, your property. You need to point out that taking this information is actually a form of intellectual property theft, and that anyone caught taking it will be prosecuted.
The awareness side involves convincing your staff that there is a realistic chance that they will be caught if they try to steal your intellectual property. Some organizations carry out “exit interviews” with staff that are being made redundant or who leave voluntarily, using the opportunity to present employees with printouts of recent emails or web sites that they have visited to reinforce the message that many of their actions are monitored.
Involving law enforcement agencies whenever a theft occurs – No one wants to be led out of their office in handcuffs by the police in the way that Charlie Sheen was in the movie Wall Street. Realizing that this is a possibility will go a long way to preventing opportunistic fellows being tempted to commit a crime. That means that it’s important to follow through with your warnings and actually involve the police any time you suspect that a crime has been committed.
Keep good logs to help catch the criminals – Prosecuting an opportunistic fellow who steals your data is an effective way of ensuring that other employees aren’t tempted to act in the same way in the future, but to prosecute you’ll need proof. Typically this proof will be found in your computer logs, so make sure your systems are configured to capture the data you are likely to need, Sadowski said. If your current logging practices can’t help you find evidence easily when you need it, then you need to look at updating them. Investing in a good log management system will allow you to collect all your logs centrally, search them efficiently so you can find the evidence you need quickly, and ensure their integrity (guaranteeing that they can’t be changed or deleted) so they will stand up as evidence in court.
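One way to back the log-integrity requirement described above is to chain a keyed MAC through the collected records, so that any edit, removal or truncation shows up on verification. This is an added example, not code from the article or from LogLogic; the key, field names and sample events are constructed, and it assumes the key plus the record count and last MAC are stored away from the logging host. It makes tampering detectable rather than impossible.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64              # chain anchor for the first record
KEY = b"constructed-demo-key"   # assumption: in practice held off the log host

# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2011-04-20T17:02:11Z", "user": "jdoe", "action": "login", "object": "crm"},
    {"ts": "2011-04-20T17:05:40Z", "user": "jdoe", "action": "export", "object": "customer_list.csv"},
    {"ts": "2011-04-20T17:06:02Z", "user": "jdoe", "action": "logout", "object": "crm"},
]


def _mac(key: bytes, prev: str, entry: dict) -> str:
    # The MAC covers the previous record's MAC, so each record commits to all earlier ones.
    payload = prev.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal(key: bytes, entries: list) -> list:
    """Return records, each carrying a MAC chained to its predecessor."""
    records, prev = [], GENESIS
    for entry in entries:
        prev = _mac(key, prev, entry)
        records.append({"entry": entry, "mac": prev})
    return records


def verify(key: bytes, records: list, expected_count: int, expected_last_mac: str):
    """Return (ok, reason); expected_* come from the separately stored checkpoint."""
    prev = GENESIS
    for i, rec in enumerate(records):
        want = _mac(key, prev, rec["entry"])
        if not hmac.compare_digest(want, rec["mac"]):
            return False, f"record {i} altered or out of sequence"
        prev = rec["mac"]
    if len(records) != expected_count or not hmac.compare_digest(prev, expected_last_mac):
        return False, "records missing from the end of the log"
    return True, "intact"
```

The checkpoint (count and last MAC) is what catches truncation: a log with its final records removed still chains correctly on its own.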
The rate of return on security dollars spent on these three preventative security measures compares favorably with the investment that is required to put off determined data thieves. “A professional cyber-criminal will spend eighteen months on average preparing to hack your company and will get you regardless of what you spend on security,” Sadowski concluded.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.