Corporate data theft: an underestimated threat
Published on: 03 12 2018 | Modified on: 21 08 2019
Data theft is still largely associated with the theft of bank details or of individuals’ identity. However, with the emergence of the Internet of Things or of the Industrial Internet of Things, there are many ways of getting hold of corporate data and even of employees’ data, which may seem less important, but which can lead to devastating economic consequences.
With 2.6 billion pieces of data stolen in 2017 (according to the Breach Level Index), data theft is an increasingly powerful and growing threat (+88% compared to 2016). According to the recent Kaspersky report on IT security budgets, the average cost of a data breach for companies today is just over 1.2 million dollars, an increase of 24% compared to 2017 and 38% compared to 2016.
Data threat: an omnipresent risk for companies
Password theft is cybercriminals’ preferred weapon for carrying out their attacks. “Password stealers are more active than ever because it is a simple and cheap technique to implement,” explained a member of Stormshield’s Security Intelligence team in charge of analysing data used in cyberattacks. This mechanism generates money either by using the passwords directly or by selling them on. But there is an endless choice of malicious methods. Phishing, fake websites, fake Wi-Fi networks and even infected USB sticks are all techniques used to steal or encrypt data for ransom, or sometimes simply to damage an IT system. Moreover, the boom of the Internet of Things (IoT) is paving the way for further security breaches. “IIoT has blurred traditional IT [...] infrastructure boundaries [...]. Many devices do not conform to consistent standards […], which make engineering, security, and management across these endpoints and the overall system difficult,” explain the SANS Institute and ForeScout Technologies at the end of an IIoT security report published in July 2018.
The stakes are also changing in the industrial sector. With the emergence of the Industrial Internet of Things and the integration of complex machines that have network and software sensors, OT (operational technology) processes “data which, if stolen, can have a serious economic impact: blackmail or reselling of an industrial secret, industrial espionage or human intelligence, etc.”, explained Robert Wakim, Offer Manager Industry at Stormshield. “The problem is even more critical in the health sector, where sensitive information such as personal data is manipulated frequently.” “Injury to reputation (of a politician, business leader, etc.) can be a significant motive for stealing health data from hospitals, for example,” he added.
Employees at the heart of corporate data
Economic espionage, sabotage, destabilisation and CEO fraud are just some of the many malicious attacks perpetrated against companies.
But the channels used are sometimes underestimated, such as social networks. “To overcome human vigilance, cybercriminals concentrate their efforts on upstream work. They spend more time learning about the interests of employees from certain companies and send these individuals a targeted email enabling them to access the company’s system and to steal data,” explained Stéphane Prévost, Product Marketing Manager at Stormshield.
All of a company’s employees can be targeted. CEO fraud is a typical attack of this kind: it targets companies by impersonating their CEO. Although the phenomenon seems to have escaped the notice of the media so far, it poses a serious threat to companies as well as public bodies. An example of this is the recent fraud against the Nord department, in which a cybercriminal managed to embezzle 800,000 euros [article in French] by passing himself off as a company taking part in the Valenciennes bypass project. In March 2018, Pathé was targeted by such an attack, losing over 19 million euros.
“Companies are still being scammed, through simpler and quicker methods. A popular technique consists in intercepting documents by hacking into emails, and then counterfeiting them by adding fake bank details or by creating fake invoices for customers. The latter was the process used for the Nord department fraud,” explained Pierre-Yves Hentzen, CEO of Stormshield, who was himself targeted by two CEO fraud attempts [article in French], which he managed to foil. In the case of the Nord department, basic information on the works ordered—which may seem trivial compared with bank data and other identity documents—was enough for the cybercriminals to carry out their malicious act.
To reinforce data protection against malicious attacks, companies can carry out a few simple actions, such as implementing preventative measures and initiatives to raise staff awareness of the risk of data theft. But as human vigilance has its limits, it is also essential that effective protection tools be used, such as the encryption of sensitive data.