The days of James Bond and his world-saving exploits are over. In today's reality, nation-states and their criminal partners can disrupt commerce and defenses in the free world from the safety and comfort of their computer desks. Their prime targets are not top-secret space weapons but everyday businesses and business systems, and healthcare organizations are just as vulnerable as any other industry. Hospitals, smaller providers, health plans, and business associates can all become targets of cyber-espionage, so it is up to every business decision-maker to understand the threats.
Cloak and ledger
Cyber-espionage against businesses is safer, easier and often more effective than targeting governments. Industrialized nations compete for world dominance in economic markets, so cyber-espionage is being used against businesses to gain competitive advantage.
Of special concern is the fact that cyber-warriors target small and mid-size businesses because they tend to have weaker defenses than critical government or military organizations. Business systems now connect with partners of all sizes, so a mid-size or small business network may provide the opening that offers cyber-attackers a path into a business partner's networks, either immediately or in the future. According to Gary Loveland, a principal in PricewaterhouseCoopers' Consumer, Industrial Products and Services group, "Today's hackers are farsighted and more tenacious now when it comes to midsize and smaller companies. They might hack a high-tech startup, thinking, 'When you get bought by a big company, the first thing you'll do is connect to their networks, and then, bam! I'm in.' You don't want your company to be that conduit."
Smaller organizations can also hold personal data on customers or employees that could be used to coerce individuals into revealing security codes and other sensitive information. For example, if medical records revealed an official in a key position had an alcohol problem or financial records revealed a gambling problem, that person might be coerced into revealing industrial plans, network passwords, or other sensitive information.
Part of the beauty of cyber-espionage, from the standpoint of nation-states, is that it uses the same methods as any other kind of cyber-attack--skills, tools, and techniques that are abundantly available and hard to distinguish from any garden-variety cyber-criminal. However, cyber-espionage attacks are more likely to be multi-stage as opposed to attacks by cyber-criminals seeking saleable information such as credit card numbers or medical records.
For example, an attack might start with spear phishing, an e-mail spoofing fraud to gain user passwords or other confidential data, or a watering hole attack, hijacking of a legitimate community of interest site, to introduce malware to the computer or device of employees or customers. From there, the attackers will go on to quietly explore the compromised networks, looking for additional vulnerabilities and back doors into the networks of business partners and data that may be useful for competition or coercion. While the common cyber-criminal may "smash and grab" for a quick payoff, and hacktivists may quickly publicize stolen data to embarrass the target, cyber-spies play the long game.
Four defenses against cyber-espionage
How can an organization defend against the growing threat of cyber-espionage? The good news is that the tactics of cyber-warfare are the same as any other kind of cyber-crime, even if the ends are different, so defensive best practices are also the same. The key element is awareness. Consider these strategies:
When you conduct your risk analysis, think about how your organization might be targeted by state actors. Consider which employees, customers, or business partners might have access to particularly sensitive data and which might be most vulnerable to coercion, and capture that information in your risk profile. (For example, staff members who hold network passwords should always be considered as potential targets.)
Identify the data that might be targeted for cyber-espionage and figure that into your spending priorities for security programs.
Because most cyber-espionage attacks are multi-stage, you need awareness programs and training programs to help employees and possibly customers avoid becoming victims of social engineering, and you should keep them informed about new social engineering scams. (Part 2 of this series, listed some good resources for news on security threats.)
Figure cyber-warfare into your incident response plans, as you would for any other breach risk. What partners and agencies would need to be brought into an investigation, and which should notified right away? How can you protect breached individuals against coercion? How can you mitigate damage from stolen information? These can be tough questions, and the answers won't always be obvious, but the threats are real, and national security and your organization's survival may rest on them.
Rick Kam is president and co-founder of ID Experts.