Until recently, for most businesses security was a question of buying decent locks, doors and windows, installing CCTV, making sure that reception staff sign visitors in and out, and trying not to leave confidential papers in the photocopier. But attacks on their computer systems, be they by business rivals, political activists, criminals or foreign governments, are much harder to defend against—and can have far worse consequences than a physical break-in. A company can suffer a devastating blow to its reputation, its intellectual property, or its ability to serve customers—not to mention its bank balances. It may never learn who has attacked it or why, or how much information has been taken; so it may never be sure if it has done enough to plug the leak.
Cyber-security is now burning a hole in boardroom tables. Before the recent hacking of Ashley Madison, an online broker of adulterous trysts, the most notorious example in the past year was that of Sony Pictures Entertainment, in which a torrent of embarrassing e-mails, personal information about employees and copies of unreleased films was released on the internet by unknown infiltrators. But there is a steady stream of less prominent cases in which businesses suffer serious damage. Earlier this month the FBI said it had uncovered a scheme in which hackers had got into the computers of three firms that distribute corporate press releases, and made a fortune by trading on market-sensitive information before it had been officially released. Ubiquiti Networks, an American maker of wireless-networking equipment, admitted this month that it had been conned out of $46.7m by fraudsters who falsified e-mails from an executive, instructing the finance department to wire money to the criminals’ bank accounts. Customers of Carphone Warehouse, a British mobile-phone retailer, are venting their fury after large numbers of them had their financial details stolen from the company by hackers.
Many companies now hire “penetration testers” to see how strong their defences are, both online and in the real world. This can help them to identify unexpected weaknesses before someone with malign intent takes advantage of them. But as soon as one gap is plugged, the hackers will start looking for others. So, it is important for managers to adopt some of the wiles of the spy world. Counter-intelligence officers assume that their adversaries are constantly probing for weaknesses and trying to exploit them. Instead of attempting to identify every potential line of attack, their aim is to minimise the damage when someone does break in, and if possible, to turn the situation to their advantage.
The first lesson from the spymasters is that sometimes the convenience of having everything easily accessible on an internal network has to be sacrificed. Intelligence agencies’ most important stuff may not be kept on computers at all—manual typewriters and carbon paper still have their uses. Sensitive information may be kept in separate chunks, with no one person in possession of, or aware of, them all. A great deal of thought goes into who needs to know what, how the rules for information-sharing are set and who enforces them. Companies can adopt the same “defence in depth” approach, to make it hard for an electronic intruder to gather enough information to do serious damage.
More often than not, hacking attacks are facilitated by carelessness. But with the right incentives and punishments, good computer-security habits can be acquired, and bad ones shed. However, it has to start at the top—which is why spies fume about the way Hillary Clinton casually kept official e-mails on a private computer when she was America’s secretary of state. If the boss does not take cyber-security seriously, nor will her underlings.
Another lesson from counter-intelligence is the use of deception. The best way to find out if you are being attacked is to offer a tempting target. “Honeypots” are bogus but convincing computers, networks and files which will attract an attacker’s attention, while revealing his presence to the silent watchers. For example, one American bank placed a series of fake profiles of non-existent staff on its internal computer network, including e-mail addresses. Whenever a transfer request arrived, addressed to one of these aliases, it knew that the sender was likely to be a fraudster.
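The bank's decoy-alias trick described above, as an added example that is not part of the original article: a small mail-triage filter that flags any transfer request addressed to a mailbox that belongs to no real employee. The decoy aliases, the `example-bank.test` domain and the sample messages are all constructed for illustration.

```python
import email
import email.utils

# Constructed decoy aliases: "employees" who do not exist. A legitimate internal
# workflow never names them, so any mail that does is worth a second look.
DECOY_ALIASES = {
    "j.hargreaves@example-bank.test",          # fake head of treasury operations
    "payments-escalation@example-bank.test",   # fake escalation mailbox
}

def recipient_addresses(msg):
    """All To/Cc/Bcc addresses in a parsed message, lower-cased, display names stripped."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in email.utils.getaddresses(headers) if addr}

def decoy_hits(raw_message):
    """Return the set of decoy aliases that a raw RFC 822 message is addressed to."""
    msg = email.message_from_string(raw_message)
    return recipient_addresses(msg) & DECOY_ALIASES

def triage(raw_messages):
    """Produce one alert per message that touches a decoy, recording sender, subject and decoys hit."""
    alerts = []
    for raw in raw_messages:
        hits = decoy_hits(raw)
        if hits:
            msg = email.message_from_string(raw)
            _, sender = email.utils.parseaddr(msg.get("From", ""))
            alerts.append({"sender": sender.lower(),
                           "subject": msg.get("Subject", ""),
                           "decoys": sorted(hits)})
    return alerts

# Constructed sample traffic: one genuine request, one spoofed "CEO" wire request
# aimed at a decoy, and one vendor message that copies a decoy mailbox.
SAMPLE_MESSAGES = [
    "From: ceo@example-bank.test\nTo: real.clerk@example-bank.test\n"
    "Subject: Q3 numbers\n\nPlease send the figures.\n",
    "From: \"CEO\" <ceo@example-bank.test.attacker.invalid>\n"
    "To: J Hargreaves <J.Hargreaves@example-bank.test>\n"
    "Subject: Urgent wire transfer\n\nWire the funds today.\n",
    "From: vendor@supplier.invalid\nTo: accounts@example-bank.test\n"
    "Cc: payments-escalation@example-bank.test\nSubject: Invoice overdue\n\nPay now.\n",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(alert)
```

Matching is case-insensitive and looks at Cc and Bcc as well as To, so a decoy copied in alongside a real recipient still raises an alert.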
If you find out who is attacking you, and what they want, you have some options. You can bring in law enforcement: breaching someone else’s network is a crime in most jurisdictions. But that may not help much if the attacker is from a lawless country. You may simply gather more information about the attacker, building a picture of his aims and capabilities. If he is trying to steal blueprints of your products, say, then make sure he gets fictitious documents that will mislead him. In 2012 spies in Georgia put a file labelled “Georgian-NATO Agreement” on a computer network that they knew a Russian hacker had reached. The document was, of course, bogus—it also contained a virus that let the Georgians spy back at the hacker, although this would be a step too far for most companies.
In paranoia we trust.
Managers could also do with practising a little of the constructive paranoia that spymasters adopt when dealing with technology. For instance, when on a business trip abroad, take a disposable laptop containing no sensitive information; and assume there will be attempts to slip spyware onto it. Spooks know that people’s private and family lives are a vulnerability to be exploited: an executive at a corporate-security firm says he knows of cases in which criminals stole the smartphones of the spouse or children of the boss of a family firm, to look for bank-account details or other exploitable information. And an unexpected message from an old friend or business associate should always be treated with suspicion: it may be a spoof e-mail from someone who has scoured your LinkedIn or Twitter account to find out who your contacts are. You don’t have to be paranoid to run a business in the age of cybercrime, but it helps.