The Covert Devaluation of US Businesses – Hackers Getting Their Hands on Intellectual Property Proving Costly
The Center for Strategic and International Studies recently released a report estimating the cost of cybercrime and how it has been affecting economies and businesses around the world, evaluating everything from direct theft of funds to the much harder-to-gauge ramifications for business of things like the loss of intellectual property, as well as the effect on employment. Drawing on years of experience and some of the conclusions relayed in the report, GDF’s founder talks about how businesses can be devalued without anyone, from those running businesses to those investing in them, even knowing it’s happening.
Cybercrime costs hundreds of billions annually – that we know of
The Center for Strategic and International Studies (CSIS) was commissioned by McAfee to gather data and crunch the numbers on the global economic impact of cybercrime, and on Monday, June 9th, the report, Net Losses: Estimating the Global Cost of Cybercrime, was released. While the number making headlines from the report is the almost half a trillion dollar tally ($445 billion), “the numbers which could not be well gauged are probably the scariest, because they are the ones that are devaluing US businesses every day, often completely undetected and unknown to anyone in, or involved with the organization,” said Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a leading provider of cyber security solutions for clients ranging from small businesses, to Fortune 500 companies.
Unknown, unseen, but not unfelt.
After spending over two decades in the cyber trenches helping clients beat back the constant onslaught of cyber attackers, Caruso and his team of cyber security specialists and emergency responders have seen just about everything. “What really leapt out at me from this particular report was that they really went through some exceptional effort to explain some of the critical aspects of cybercrime and cyber security that often go unnoticed and never seem to be talked about, yet can be devastating to businesses of virtually any size, although small to medium sized businesses often take the hardest blows because they simply can’t afford to weather the storm; I’m talking about the loss of IP (Intellectual Property), which in today’s ‘plugged in’ world is often the meat that makes the meal. When a business invests in R&D (Research and Development), whether it’s in manufacturing, engineering, the pharmaceutical industry, technology, or any one of countless other industries, it’s both a financial and personnel investment they are counting on to yield dividends. But all of a sudden, a company right in their backyard or halfway around the world comes out of nowhere and is somehow moving at light speed, offering stiff competition with very familiar ideas. Or somehow, a new competitor seems to be breathing down their neck and getting in contact with that ‘gold list’ of clients that took years to nurture and cultivate, all without paying the blood, sweat and tears it took the victim to get there. All it takes for disasters like these to wreak havoc on an organization is an undetected intrusion which yields the right data, be it blueprints or design plans for the next big breakthrough, manufacturing secrets that reduce costs and increase output, or even private customer lists.
The fact that it can be going on right under their noses without anyone in the organization having a clue it’s happening just rubs salt in the wound once it’s discovered, which hopefully happens before they have to downsize their workforce, or worse, close the doors for good.”
Couple low risk and high reward, safe havens, and anonymity, and it’s easy to understand why cybercrime is such an explosive growth industry.
“The report hit the nail on the head,” Caruso said, “hackers often have little to fear, especially those operating in places where either law enforcement routinely turns a blind eye, like in Russia and other Eastern Bloc countries, India and Brazil, or where the government is funding and/or supporting the attacks, like the coordinated corporate cyber espionage campaigns to gain economic advantages China likes to engage in. Even attackers on the home front can leverage routers and botnets from these areas to fly under the radar and function with near impunity. Add in the growing underground black market where exploit kits and botnet access can be easily bought and sold by anyone with a little cash and the will to plunder, using anonymous currencies like Bitcoins, and it’s a perfect storm everyone has to somehow weather, from the largest corporations in the world, to a grandparent staying in touch on Facebook. So calling it an explosive growth industry is certainly not overstating things by any stretch, because for hackers, they know it’s mostly reward with very little risk. In our business we see the fallout every day, and if we’re called in too late, it can be gut-wrenching to watch the aftermath of a successful attack unfold.”
Testing networks regularly and raising everyone’s social engineering awareness within an organization are the keys to cyber survival.
“We see it just like the rest of the cyber security industry,” said Caruso, “the most common entry vector for attackers is usually a successful phishing or spear phishing campaign. And with the magnitude of information at hackers’ disposal like publicly accessible registry databases, and the wealth of information available on social media platforms like Facebook, Twitter, and LinkedIn, gathering information which lends the perfect personal touch to make a spear phishing email seem legit has never been easier. When we do penetration tests for companies, we put them through a live fire spear phishing campaign as part of the process, many times using nothing more than the publicly available information we can gather. We’ll use letterhead we find on papers and reports published online, we’ll use signatures we find on corporate documents posted online, friends or vendors of the business we find in social media, and anything else we can get our hands on to make things look like the correspondence is coming from a trustworthy source; and we’ve never failed to get the credentials we need to gain access to the client’s network. It’s a hard hitting lesson that really serves as an eye-opening wake-up call, and when we’re done, we help them remediate their weaknesses on everything from both a technology standpoint, to raising awareness enterprise wide and showing them what to look for. The human element is almost always the weakest link, and if it does not get the attention it deserves, you may as well flush away the money you spend on inadequate vulnerability assessments and penetration testing, which must be done regularly if a business doesn’t want the value of their company to sink to unfathomable levels due to long term cyber campaigns that are sucking the lifeblood out of them without anyone having a clue it’s even going on.”
The right cyber security professionals are just a phone call away.
Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.