Attackers are increasingly focusing on stealing intellectual property from companies and governments, but details of the losses continue to be scarce, concludes a survey of experts released by two security companies Monday.
The report -- conducted by security firm McAfee, now part of Intel, and technology giant SAIC -- found that companies worry so much about the reputational damage caused by a data breach that they tend to keep leaks of proprietary information a secret. Only one in four companies perform a forensics investigation following a breach, despite the fact that analysts have estimated that proprietary business information is twice as valuable as the custodial customer data that companies store.
The result is that companies are poorly prepared to deal with the perceived shift in cybercrime, the report argues.
"We've moved away from kiddies in their bedrooms, to semi-organized professionals to organized professions," says Simon Hunt, vice president and chief technology officer of endpoint security at McAfee. "And now, we have people realizing here they can send 100,000 emails out and make $10,000 or they could target somebody like Google or RSA and make $100 million dollars. The reward for the effort is there now and people are willing to spend it."
This month, security firm RSA acknowledged a breach of its systems that resulted in attackers accessing critical intellectual property pertaining to the security of its one-time password technology, SecurID. And last week, Internet security firm Comodo warned that an attacker coming from an Iranian network was able to fraudulently reserve SSL certificates for major domains.
The survey is based on interviews with more than 1,000 senior information technology managers in Brazil, China, India, Japan, the Middle East, the United Kingdom and the United States. While the report argues that intellectual property is increasingly targeted, it provides little evidence to back up the claim.
"There is data out there, but a lot of it is being disputed," acknowledges Scott Aken, vice president for cyber operations at SAIC. "If you go into some of the forums, the information being stolen and put up for sale that is intellectual property is as easily monetized as credit cards are."
At least one analyst agrees with the assessment, however. In his early research, Josh Corman of The 451 Group found that more than 50 of the Fortune 100 have had intellectual property lost within the last 18 months.
"We, the security industry, have not given proper attention to intellectual property," Corman says.
According to the McAfee-SAIC report, the average organization in China, Japan, the United Kingdom and the United States spends about $1 million a day on its information technology, while companies in China, India and the United States spend $1 million a week on securing data outside their own countries. Worries about the safety of their business data have caused the most companies to refrain from doing business with Pakistan, China and Russia. The United Kingdom, the United States and Germany are perceived as being the safest havens for data.
Companies are considering different strategies to protect critical information assets. Nearly 70 percent of companies have deployed new systems, such as deep packet inspection, while almost half of respondents said they would take data off the network and make it unavailable, just to protect it.
In fact, McAfee takes that approach to some of its own information, Hunt says. "We have a lot of airgaps," he says. "Some aspects of our source code are totally airgapped."
About half of all organizations plan to increase their investment in securing critical business information, while only 5 percent are looking to decrease spending, the report says.
Mobile devices continue to be a major worry for companies, with almost two-thirds of firms saying that securing data from exfiltration via mobile devices is a "challenge," according to the report. With the convergence of the greater business efficiency allowed by mobile devices and the increasing use of social networks in business, risk to data has increased dramatically, the report says.
"These two forces represent an astronomical increase in the level of risk organizations face with regard to leaked data," the report states.