Monday 18 January 1999
Firms wage electronic war on industrial espionage
Matthew McClearn, Calgary Herald
                                   
Office break-ins, corporate hooliganism, industrial espionage and the
countermeasures game against them are nothing new in the business
world.

But in the past, such activities might have involved two guys in a
pickup keeping tabs on the competition using binoculars or diving into
dumpsters, or a disgruntled employee photocopying important documents
and mailing them to outsiders.

Increasingly, the war for proprietary information is waged on a shady
digital battlefield.

"The same things that have always happened are now happening
electronically," says Mitch Tarr, vice-president of sales at Calgary
security firm Jaws Technologies Inc.

Because security policies tend to come straight from head office,
computer security is a particularly important issue in Calgary.

"In the majority of companies in Calgary, we see that their data is
very valuable to them, and that's reflected in their IT (information
technology) budgets," says Jaws security consultant Brian Lynch.
"Securing that (data) is an additional step they need to take."

Sizing up electronic information theft is difficult. Fearing bad
press, scared customers and concerned shareholders, companies usually
keep quiet about attacks on their systems -- if they are even aware of
them.

Further, companies rarely prosecute their attackers -- partly to avoid
embarrassing publicity, but also because computer crimes are
notoriously difficult to prosecute.

An American study by the Computer Security Institute and the Federal
Bureau of Investigation in 1998 found that information thefts
resulted in losses in individual cases of between $300 and $25 million
US.

Those attacks cost domestic U.S. firms $300 billion US, and $140
billion in overseas operations.

"The fact is, corporate espionage or information gathering and
intelligence is a big business," says John Hess, senior manager at
KPMG Investigations and Security Inc. in Calgary.

"Fortunately, a lot of corporations are very ethical about how they
collect it . . . but there are (countries and businesses) that
actively collect corporate intelligence by any means."

Adds Lynch, "We're seeing more malicious forces like government- and
business-sponsored hackers. Obviously, they're very organized and
well-funded. The majority of hacks do come from hobby hackers and
curious thrill-seekers."

When companies lose control of proprietary information, there are
consequences.

A KPMG survey found that Canadian corporations suffered an average
loss of $178,000 per information theft (electronic or otherwise).

"When you have a theft of information, it could be absolutely
devastating to the company," says Hess. "Corporate Canada is still
awakening to the fact that those threats are real."

Experts say businesses large and small generally don't put enough
locks and chains between their proprietary information and outside
hands.

"It's something that, by default, businesses don't do enough due
diligence on," says Tarr. "What you see is organizations using
technologies have so many challenges . . . it's hard to keep security
at the forefront of their IT plan."

Companies expose themselves to electronic assaults on their systems in
two key ways. Firstly, there is a multitude of technological portals
through which outsiders can hack into a system. An Internet connection
or a particular department system not under a company's security
umbrella are two of many examples.

Says Tarr, "Almost all organizations using technology and attached to
the outside world are at risk."

Equally important are the ways in which employees themselves,
deliberately or otherwise, create vulnerabilities in security.

For example, a conniving attacker posing as a human-resources manager
can often get passwords from naive or unsuspecting new employees over
the phone.

Hackers call it "phreaking." Security professionals prefer the term
"social engineering."

[Hackers call it "social engineering". Phreaking refers to
hacking the phone systems.]

"It's amazing what people will tell you if you ask them nicely and in
the right way," says Tom Keenan, dean of continuing education at the
University of Calgary, who has a keen interest in information
security.

Hackers are experts at exploiting cracks technological and social.
They are an organized community with formidable knowledge. Hackers
exchange tricks of the trade and knowledge about vulnerable businesses
in chat rooms on the Internet and even at conferences like DEF CON,
held in Las Vegas every year. Security professionals are attending
these conferences to keep tabs on the enemy and even recruit them.

"You fight them (hackers) with knowledge and preparedness," says
Phillip Banks, vice-president of KPMG Investigations and Security.

"Your security people have to become knowledgeable as to the threat .
. . and make sure you have a system that's capable of protecting
itself."

Just as there are many ways for hackers to get in, there are plenty of
tools to keep them out.

Passwords, data encryption, firewalls (stopgates for incoming and
outgoing data) and network-monitoring tools that observe traffic and
activity are examples.

But these tools are ineffective if not implemented in conjunction with
a comprehensive security policy.

That includes personnel training and security awareness about issues
like disclosure of passwords, and storage and destruction of
information.

The level of security depends largely on the value of the data a firm
has.

There are few limits to how secure you can make your information or
how much money you can spend steeling yourself against the outside
world.

Keenan recalls a Toronto software-consulting firm that considered
placing its systems in a lead-lined room to prevent competitors from
spying using special antennas.

Yet their phone lines weren't protected, so anyone could wiretap them
from the hall.

"The reality is, people often get hung up on the wrong thing and spend
a lot of money locking up a door when there's a window wide open
somewhere that they haven't seen."

As well, when battening down the hatches, companies need to balance
security and convenience.

Excessive security can cut into productivity, and there's a tendency
for employees to find ways around irritating information-security
measures, much as they may prop open locked doors to avoid the hassle
of fumbling for keys.

"Security has to be balanced," says Banks. "Corporations exist to do
business and make money, and they can't be subservient to security."

No amount of security can fully protect a system from hackers, who can
and do find cracks in even the most rigorous and high-budgeted
security efforts, like those of NASA, the military and the Pentagon.

"Even organizations that have a significant number of zeros behind the
dollar sign are falling prey to this sort of thing," says Banks. "I
expect it to increase."