Monday 18 January 1999 Firms wage electronic war on industrial espionage Matthew McClearn, Calgary Herald Office break-ins, corporate hooliganism, industrial espionage and the countermeasures game against them are nothing new in the business world. But in the past, such activities might have involved two guys in a pickup keeping tabs on the competition using binoculars or diving into dumpsters, or a disgruntled employee photocopying important documents and mailing them to outsiders. Increasingly, the war for proprietary information is waged on a shady digital battlefield. "The same things that have always happened are now happening electronically," says Mitch Tarr, vice-president of sales at Calgary security firm Jaws Technologies Inc. Because security policies tend to come straight from head office, computer security is a particularly important issue in Calgary. "In the majority of companies in Calgary, we see that their data is very valuable to them, and that's reflected in their IT (information technology) budgets," says Jaws security consultant Brian Lynch. "Securing that (data) is an additional step they need to take." Sizing up electronic information theft is difficult. Fearing bad press, scared customers and concerned shareholders, companies usually keep quiet about attacks on their systems -- if they are even aware of them. Further, companies rarely prosecute their attackers -- partly to avoid embarrassing publicity, but also because computer crimes are notoriously difficult to prosecute. An American study by the Computer Security Institute and the Federal Bureau of Investigations in 1998 found that information thefts resulted in losses in individual cases of between $300 and $25 million US. Those attacks cost domestic U.S. firms $300 billion US, and $140 billion in overseas operations. "The fact is, corporate espionage or information gathering and intelligence is a big business," says John Hess, senior manager at KPMG Investigations and Security Inc. in Calgary. "Fortunately, a lot of corporations are very ethical about how they collect it . . . but there are (countries and businesses) that actively collect corporate intelligence by any means." Adds Lynch, "We're seeing more malicious forces like government- and business-sponsored hackers. Obviously, they're very organized and well-funded. The majority of hacks do come from hobby hackers and curious thrill-seekers." When companies lose control of proprietary information, there are consequences. A KPMG survey found that Canadian corporations suffered an average loss of $178,000 per information theft (electronic or otherwise). "When you have a theft of information, it could be absolutely devastating to the company," says Hess. "Corporate Canada is still awakening to the fact that those threats are real." Experts say businesses large and small generally don't put enough locks and chains between their proprietary information and outside hands. "It's something that, by default, businesses don't do enough due diligence on," says Tarr. "What you see is organizations using technologies have so many challenges . . . it's hard to keep security at the forefront of their IT plan." Companies expose themselves to electronic assaults on their systems in two key ways. Firstly, there is a multitude of technological portals through which outsiders can hack into a system. An Internet connection or a particular department system not under a company's security umbrella are two of many examples. Says Tarr, "Almost all organizations using technology and attached to the outside world are at risk." Equally important are the ways in which employees themselves, deliberately or otherwise, create vulnerabilities in security. For example, a conniving attacker posing as a human-resources manager can often get passwords from naive or unsuspecting new employees over the phone. Hackers call it "phreaking." Security professionals prefer the term "social engineering." [Hackers call it "social engineering". Phreaking refers to hacking the phone systems.] "It's amazing what people will tell you if you ask them nicely and in the right way," says Tom Keenan, dean of continuing education at the University of Calgary, who has a keen interest in information security. Hackers are experts at exploiting cracks technological and social. They are an organized community with formidable knowledge. Hackers exchange tricks of the trade and knowledge about vulnerable businesses in chat rooms on the Internet and even at conferences like DEF CON, held in Las Vegas every year. Security professionals are attendiung these conferences to keep tabs on the enemy and even recruit them. "You fight them (hackers) with knowledge and preparedness," says Phillip Banks, vice-president of KPMG Investigations and Security. "Your security people have to become knowledgeable as to the threat . . . and make sure you have a system that's capable of protecting itself." Just as there are many ways for hackers to get in, there are plenty of tools to keep them out. Passwords, data encryption, firewalls (stopgates for incoming and outgoing data) and network-monitoring tools that observe traffic and activity are examples. But these tools are ineffective if not implemented in conjunction with a comprehensive security policy. That includes personnel training and security awareness about issues like disclosure of passwords, and storage and destruction of information. The level of security depends largely on the value of the data a firm has. There are few limits to how secure you can make your information or how much money you can spend steeling yourself against the outside world. Keenan recalls a Toronto software-consulting firm that considered placing its systems in a lead-lined room to prevent competitors from spying "using special antennas. Yet their phone lines weren't protected, so anyone could wiretap them from the hall. "The reality is, people often get hung up on the wrong thing and spend a lot of money locking up a door when there's a window wide open somewhere that they haven't seen." As well, when battening down the hatches, companies need to balance security and convenience. Excessive security can cut into productivity,, and there's a tendency for employees to find ways around irritating information-security measures, much as they may prop open locked doors to avoid the hassle of fumbling for keys. "Security has to be balanced," says Banks. "Corporations exist to do business and make money, and they can't be subservient to security." No amount of security can fully protect a system from hackers, who can and do find cracks in even the most rigourous and high-budgeted security efforts, like those of NASA, the military and the Pentagon. "Even organizations that have a significant number of zeros behind the dollar sign are falling prey to this sort of thing," says Banks. "I expect it to increase."