Are your employees leaving the door open for cyberspies?

Cyberes­pi­onage con­jures up night­mare sce­nar­ios for pri­vate and pub­lic organ­i­sa­tions alike. While its true extent is hard to cal­cu­late, as intel­lec­tu­al prop­er­ty (IP) cybertheft has large­ly remained in the shad­ows with those affect­ed pre­fer­ring not to report loss­es pub­licly, its dev­as­tat­ing impact is unde­ni­able.

A for­mer head of the Nation­al Secu­ri­ty Admin­is­tra­tion has described cyberes­pi­onage as “the great­est trans­fer of wealth in his­to­ry”. Accord­ing to the CNBC Glob­al CFO Coun­cil Sur­vey, one in five US-based com­pa­nies said Chi­nese com­pa­nies stole their intel­lec­tu­al prop­er­ty in 2018, an ongo­ing issue that has been at the heart of trade ten­sions between Chi­na and Amer­i­ca. 

Covid-19 created new risk environment for cyber threats

At the end of last year, the Euro­pean Court of Audi­tors (ECA) warned that the pan­dem­ic is going to exac­er­bate cyber threats, because many busi­ness­es and pub­lic ser­vices have moved from phys­i­cal offices to remote work­ing. 

“The COVID-19 cri­sis has been test­ing the eco­nom­ic and social fab­ric of our soci­eties. Giv­en our depen­dence on infor­ma­tion tech­nol­o­gy, a ‘cyber cri­sis’ could well turn out to be the next pan­dem­ic,” says Klaus-Hein­er Lehne, pres­i­dent of the ECA. 

Not only busi­ness­es, but gov­ern­ments and pub­lic insti­tu­tions are at risk. At the end of last year, Lon­don local author­i­ty Hack­ney Coun­cil was hit by a cyber­at­tack. Else­where, doc­u­ments and data relat­ed to the Pfiz­er-BioN­Tech coro­n­avirus vac­cine have been stolen in a cyber-attack on the Euro­pean Med­i­cines Agency in Ams­ter­dam. 

Since the out­break of the pan­dem­ic, Chi­na and Rus­sia-backed hack­ers have been accused of tar­get­ing research insti­tu­tions. But as per­pe­tra­tors of cybertheft evolve their tech­niques, so do com­pa­nies when it comes to pro­tect­ing their data.

Expert advice

James Poo­ley, mem­ber of the Cen­ter for Intel­lec­tu­al Prop­er­ty Under­stand­ing and for­mer deputy direc­tor gen­er­al of the World Intel­lec­tu­al Prop­er­ty Orga­ni­za­tion, under­stands the full seri­ous­ness of cyberes­pi­onage.

Poo­ley agrees that COVID has cre­at­ed a riski­er envi­ron­ment because employ­ees are away from their usu­al offices. But the prob­lem is not entire­ly cur­rent, he notes, explain­ing that a new risk envi­ron­ment emerged in the last 15 to 20 years, as we moved into an infor­ma­tion-based econ­o­my, where the asset base shift­ed from tan­gi­bles to intan­gi­bles. 

In addi­tion, “the imper­a­tives for shar­ing infor­ma­tion and trust­ing oth­er peo­ple went up like crazy because of glob­al­i­sa­tion”, he says. Sup­ply chains have become longer and more com­plex, as com­pa­nies shift­ed to ven­dors abroad and there­fore have to man­age their oper­a­tions at a dis­tance. 

Dur­ing the ear­ly-1970s, “all that a com­pa­ny need­ed to do to pro­tect its infor­ma­tion assets was to guard the pho­to­copi­er and watch who went in and out the front door, because there were no net­works, no inter­net and records were stored on paper”, says Poo­ley. But, over the last decades, dig­i­tal­i­sa­tion cou­pled with glob­al­i­sa­tion has changed the play­ing field. Some of the most valu­able assets have become intan­gi­ble, open­ing up a whole new world to hack­ers. 

So how does sen­si­tive data end up in the wrong hands? Poo­ley argues that swathes of valu­able infor­ma­tion is lost because of employ­ee inad­ver­tence. In rough num­bers, he says, “some 80 to 85 per cent of infor­ma­tion loss occurs through employ­ees, as opposed to hack­ers worm­ing their way in from out­side”. While organ­i­sa­tions can spend effort and mon­ey on secure IT infra­struc­ture, they neglect employ­ee behav­iour at their per­il. 

Training employees is key to protecting company IP

“I see it over and over again,” says Poo­ley. “I get hired as an expert to cri­tique the pro­tec­tion sys­tems for com­pa­nies in lit­i­ga­tion over trade secrets, because they have to prove they took rea­son­able steps to pre­vent the things from hap­pen­ing.” What he sees is com­pa­nies neglect to train their employ­ees on how to iden­ti­fy and han­dle con­fi­den­tial data. 

Mean­while, hack­ers look for the weak­est link in a company’s infor­ma­tion chain, for instance when employ­ees use the pub­lic wifi of a restau­rant near their office for work pur­pos­es. He men­tions the 2014 hack of Tar­get, when the company’s heat­ing and air con­di­tion­ing con­trac­tor was used as an entry point by hack­ers, who exploit­ed the vendor’s weak­er sys­tem to gain access to the Tar­get sys­tem.

“It’s just aston­ish­ing to me that more com­pa­nies don’t pay bet­ter atten­tion to these issues, but there we are,” says Poo­ley. “Maybe I’m a Cas­san­dra, but remem­ber, Cas­san­dra was right.”

How can com­pa­nies train their employ­ees to be more vig­i­lant? “Pre­vent­ing bad behav­iour is usu­al­ly about aware­ness, because peo­ple want to do the right thing and they want their jobs to be pre­served,” he says.

When Poo­ley advis­es com­pa­nies, he begins with a high-lev­el strate­gic exam­i­na­tion of what the company’s most impor­tant infor­ma­tion assets are, what risks or vul­ner­a­bil­i­ties they face and what mech­a­nisms there are to reduce these risks. 

“Being real­ly atten­tive to where the risk points are will alert you to pay spe­cial atten­tion to areas that are like­ly to be used as points of entry,” he says. Com­pa­nies need to set up poli­cies and pro­ce­dures to ensure their IP is pro­tect­ed and train­ing employ­ees is a big part of that.

“I worked with one com­pa­ny that built a con­sumer prod­uct pri­mar­i­ly man­u­fac­tured in Chi­na, so there were obvi­ous leak­age risks con­nect­ed to that.” As they went through the process of devel­op­ing a com­pre­hen­sive sys­tem to pro­tect their IP, Poo­ley asked for all the senior man­agers of the com­pa­ny to get togeth­er in one room to dis­cuss the mat­ter. Even though this was not easy to arrange, he insist­ed. 

Overcoming silos can provide valuable insights

Once all senior man­agers came togeth­er, includ­ing the sup­ply chain man­agers, who talked about issues they expe­ri­enced direct­ly, shar­ing infor­ma­tion trig­gered insights for man­agers across the board. 

“‘Wait a minute, I don’t think I’ve ever real­ly looked at the non-dis­clo­sure agree­ment that we have with com­pa­ny x and when it expires.’ All of a sud­den, they’re see­ing vul­ner­a­bil­i­ties, where they had­n’t real­ly thought about them before,” says Poo­ley. “No one expect­ed the spe­cial­ty arm of the organ­i­sa­tion that dealt with all these com­pa­nies in Chi­na would have some­thing to say to the oth­er busi­ness units, but vul­ner­a­bil­i­ties can over­lap.”

Are silos and inef­fi­cient com­mu­ni­ca­tion part­ly to blame for com­pa­nies’ vul­ner­a­bil­i­ty when it comes to coun­ter­ing cyberthreats? Poo­ley argues organ­i­sa­tions need to con­front the fact that sep­a­rate units with­in their busi­ness may have set up unnec­es­sary walls. In real­i­ty, infor­ma­tion flows and risks are usu­al­ly shared across the busi­ness. 

Part of the solu­tion could be found through automa­tion, he says, because automa­tion includes behav­iour­al ana­lyt­ics and insight tools that help com­pa­nies mon­i­tor what exact­ly it is employ­ees do on their plat­forms. How­ev­er, using these tools always has to be bal­anced with indi­vid­u­als’ expec­ta­tions of pri­va­cy. 

Poo­ley con­cludes: “The mes­sage that I often give is cyberes­pi­onage is scary and ugly, and we need to do every­thing we can to pre­vent it and deal with it. But if we’re not man­ag­ing our employ­ees in a smart way, it’s almost like we’ve left a cou­ple of doors open.”