Intellectual property theft fuels underground cyber economy

It used to be that cyber criminals hacked into accounts to steal credit card numbers or social security numbers. Now they’re moving upscale, building a huge underground economy around stealing more valuable intellectual property.

The Underground Economies report being released today by McAfee and SAIC reveals that cyber thieves are now stealing secret company information so they can sell it at much higher prices to competitors and foreign governments. Once the data is stolen, the underground economy has become very efficient at exploiting it. The report concludes that companies have to make it a priority to protect their assets and anticipate rising attacks.

A company’s legal documents can fetch far more money than a list of credit card numbers, which go for something like $6 a piece on the internet.

The problem outlined by the report is that many companies have too little security protecting their secrets. Cyber criminals are making money selling trade secrets, marketing plans, research and development findings and even source code.

“Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents,” said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee.

One of the most sophisticated attacks was Operation Aurora, a coordinated attack against Google and 30 other companies, allegedly orchestrated by Chinese authorities. Another was a less sophisticated but still damaging cyberattack known as Night Dragon. Starting in November, 2009, Night Dragon attackers conducted cyber raids against oil, energy and petro-chemical companies. Those attacks also allegedly originated in China and involved attackers observing and lurking within compromised systems for a period of months, collecting gigabytes of highly sensitive data. The latest incidents involving Wikileaks and the theft of Bank of America’s internal documents also highlight the trend. Those attacks demonstrated that hackers could penetrate some of the most well-protected companies in the world.

Often, insiders make the attacks much easier. In 2008, three people were convicted of stealing marketing plans from Coca-Cola, and in 2009, a former Goldman Sachs computer programmer was arrested for stealing computer code used to perform proprietary trading. On average, data breaches now cost $1.2 million, compared to $700,000 in 2008.

“A single mistake by an unaware employee can have dire consequences,” said Dinesh Pillai, chief executive officer of Mahindra Special Services Group, a leading corporate security risk consulting firm in India.

Antivirus vendor McAfee and engineering firm SAIC collaborated with marketing firm Vanson Bourne to survey more than 1,000 senior information technology decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East. The study is a follow-up to a report released in 2008 called “Unsecured Economies,” which found that companies lost $1 trillion due to data leaks.

“The distinction between insiders and outsiders is blurring,” said Scott Aken, vice president for cyber operations at SAIC.  “Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely – just as an insider would. Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks based on human behavior.”

The results of the attacks have been severe. A quarter of the companies and other groups surveyed said they have had a merger or product launch disrupted, stopped, or delayed by a data breach. But not every company that was hit took corrective measures to stop a repeat attack.

One of the contradictions among security policies is, despite the risk of foreign theft, half of all organizations are considering storing sensitive information abroad. That’s because overseas storage options are often cheaper.

Companies in the U.S., China, and India are spending more than $1 million a week to secure sensitive information that is stored abroad.

The report says that the United Kingdom, Germany, and the U.S. are perceived to be the safest places for storing data. China, Russia and Pakistan are perceived to be the least safe.

Only three in ten organizations report all data breaches suffered, presumably out of embarrassment or the need “to keep things quiet.” Six in ten selectively choose which breaches to report. A large number of companies are failing to conduct frequent risk assessments. About a quarter of organizations assess their risks for data loss only twice a year or less.

One of the big challenges is protecting data that is stored on mobile devices such as iPads, iPhones and Android mobile phones or gadgets. Sixty-two percent of respondents agree that securing such devices is a challenge.