January 8, 2014
by David Burg
Defending against sophisticated cyber attacks starts with awareness training.
Spies want what companies have—trade secrets, confidential business plans, and personally identifiable information. To mine this rich lode of data, foreign intelligence services, criminal organizations, and other groups have a sophisticated and varied set of tools. The use of cutting-edge technology in espionage against economic and other targets has dominated recent headlines. But intelligence collectors also employ longstanding human-based tactics, such as eliciting information from unsuspecting contacts, setting up face-to-face meetings to recruit and run sources, and “social-engineering” people into opening e-mails or accessing thumb-drives loaded with malicious code.
Our increasingly connected digital world has created several new ways for attackers to exploit their targets and, conversely, new ways to be detected and caught:
- The interconnectedness of objects and people has made possible ubiquitous and nearly invisible surveillance. Foreign intelligence services and law enforcement agencies collect a wealth of data on espionage targets—including businesspersons and technical experts—and some transnational criminal organizations are developing similar capabilities. Media and other reports have highlighted several governments’ efforts to tap massive amounts of Internet and other communications.
- These surveillance efforts are boosted by social-networking sites (SNS). People divulge personal and professional information—both inadvertently and because they have been engineered or tricked into doing so—that previously would have required months of investigation to uncover. Foreign intelligence services and others use SNS data to analyze professional and personal networks and refine their targeting.
- Video surveillance is pervasive. Closed-circuit television systems in the United States helped identify the suspects in the Boston Marathon bombing. Some 20 million CCTV cameras have been installed across China.
- Other surveillance tools include smartphones, tablets, other devices, and household appliances connected to the Internet. The number of such connected devices is expected to grow from 10 billion in 2012 to 28 billion in 2020.
Intelligence services use Big Data hardware and methodologies to process the data that surveillance programs generate. These tools include computers that operate on the order of petaflops and data storage facilities able to hold 1 yottabyte of data (that’s 1 trillion terabytes). Senior American officials say they now have the tools to “collect the entire haystack” instead of just “looking for the needle”—meaning they can collect and analyze everything; other major powers almost certainly have similar capabilities.
For businesses concerned about protecting data, operations, and personnel from these threats, the most efficient responses are likely to be “soft” ones that focus on training, awareness, communications, and basic procedures.
This should start with comprehensive security awareness training that is updated regularly. Employees and other stakeholders need to be able to recognize threats—such as the need for discretion in social networking—and to know the company’s processes and protocols for mitigating and responding to threats as they develop.
Moreover, this training must be a two-way conversation. Security staff should go beyond lecturing and start actively listening to and learning from those most likely to be targeted by intelligence tradecraft. As reliance on networks and connected devices—including personal ones that employees use under “BYOD” policies—increases, auditing will become more critical. Finally, all security approaches must be flexible. Threats are evolving rapidly, and your response must stay ahead of them.