Corporate Espionage Easier and Lucrative as Companies Under-Report Breaches: Survey

Cyber-criminals are making money with intellectual-property theft, stealing trade secrets, marketing plans, research results and source code, according to a McAfee report.

Cyber-criminals are increasingly targeting intellectual property and trade secrets, according to a new research report from McAfee.

Cyber-criminals are making money stealing trade secrets, marketing plans, research and development findings, and even source code, according to a report released March 28 by McAfee. As attacks on intellectual property increase, organizations are also less willing to publicize or thoroughly investigate the incident, the report found.

Hacking into corporate networks and stealing information is proving easier and more lucrative, said Chris Drake, CEO of Firehost.

"Cyber-criminals have shifted their focus from physical assets to data-driven properties, such as trade secrets or product-planning documents," said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee.

The report is quite timely, considering the recent attack against RSA, which resulted in the compromise of sensitive data related to the company's SecurID two-factor authentication technology. Many corporations in both the private and public sectors rely on the technology to guard their systems, and after the RSA breach, many are wondering if they will be targeted next.

More than half of organizations decided at one point or another not to investigate further a breach because of the cost of the investigation, the report found. Small incidents are often investigated internally instead of getting a third-party expert, which increases the chances that the breached organization won't properly close security holes or sufficiently beef up the defenses, the researchers noted in the report. Future penetration is possible if the threat persists, and in the case of an inside attack, the responsible party is not stopped, the report found.

Recent attacks such as Operation Aurora and Night Dragon have shown that some of the largest and "seemingly most protected" corporations are vulnerable, according to Hunt. "Criminals are targeting corporate intellectual capital and they are often succeeding," he said.

Botnet and malware-driven attacks looking for sensitive personal information, such as names, addresses, birth dates, and financial details, will continue, but corporate espionage is gaining currency among the cyber-criminal underground, according to the report.

The number of states with breach-notification laws mandating that financial and health care organizations publicize when customer information is compromised means it's harder for miscreants to fly under the radar, the report said. On the other hand, if marketing plans or technical specifications are stolen and sold to a competitor, companies are generally likely to keep the incident quiet.

Intellectual-property theft and data breaches are not publicized because businesses are concerned that admitting to a vulnerability could attract unwanted attention from other attackers, the report found. About half the organizations studied also were concerned about their reputations, as publicizing the incident could damage their brand reputation and have an impact on shareholder value, the report found.

"Today, a public company can lose a top-secret recipe, a go-to-market plan or other key secret, and they are reluctant to report it, given the potential backlash from customers, shareholders and the market," the researchers wrote.

Approximately 60 percent of surveyed organizations said they "pick and choose" which breaches to report, "depending on how they feel about them," according to the report. Only 30 percent reported all data breaches and losses related to intellectual property to government agencies, stockholders and law enforcement. About 10 percent claimed to report breaches and losses only when legally required to do so, according to the survey.

Leaked emails showed a number of companies, including Morgan Stanley and Walt Disney, had chosen not to publicize having been attacked in 2010.

Even though it's not always possible to trace the source of attacks because of IP address spoofing and other techniques, respondents considered China, Russia and Pakistan as the least-safe countries to do business with, according to the survey. The United States, United Kingdom and Germany were considered the safest.

The report, entitled "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," surveyed 1,000 technology managers in the United States, the United Kingdom, Japan, China, India, Brazil and the Middle East.