- Interception and surveillance: The nation-backed surveillance malware ‘Gauss’ is an example. The tool was designed to monitor bank accounts and was reported as the creation of one or more governments.
- Insider spies: According to the CERT database, insider theft of intellectual property most frequently occurred in banking and finance (13 percent) along with information technology and chemical industry sectors.
- Sabotage and Internet of Things (IoT): Adversaries may tactically install contaminated software during the manufacturing process of devices ordered by financial firms. Also, IoT networks and devices at financial firms generate large amounts of data but are not easy to secure, and can therefore become a source of corporate espionage.
- Blackmailing/extortion and bribery: FBI's Cyber Division reported that 90 percent of U.S. corporations are vulnerable to cyber extortion, which involves hackers hosting data intelligence of a firm and blackmailing the firm into performing a specific action (such as transferring black money). Cyber criminals may also bribe someone in the security team to find an endpoint through which to conduct espionage.
OCIE (Office of Compliance Inspections and Examinations): Operated by the US Securities and Exchange Commission, the office issued a 'risk alert' that covered a summary of risk management issues, including protection of information systems, identification of risks, and detection of risks associated with third parties.

FINRA (Financial Industry Regulatory Authority): The regulator, concerned with the cyber health of the finance industry, provides guidance on risk control issues such as staff training, intelligence, information assurance, risk assessment, and incident response.

With regulators highlighting the significant risk of cyber espionage, and cyber security being reported as the number one risk to the finance industry, financial firms should allocate more resources to this area of risk management. They should also address documentation failures, which lead to lapses in compliance and poorly written risk management procedures.

While every firm will have its own approach to risk management, the business discipline has a common workflow based on threat acceptance, severity mapping, impact determination, and implementation of control recommendations. To address corporate espionage, financial firms should draw up a risk management framework that looks like this:
- Acceptance of threat: Financial firms need to acknowledge the presence of corporate espionage.
- Centralize risk management: The entire hierarchy must adopt a responsible attitude towards cyber risk management and maintain it. When everyone takes risk management as a personal responsibility, it becomes centralized, which makes it difficult for espionage and other attacks to get through.
- Penetration testing: This is performed to scrutinize the vulnerability of current security systems. It is applied to network addresses (to determine the topology of the cyber environment), network perimeter devices, wireless devices, web-based applications, in-house applications, and off-the-shelf software.
- Social engineering: Social engineering assessments in risk management identify the weakest links and give organizations insight into the possibilities if espionage is conducted via a corporate website. Assessment results can be used to conduct targeted training programs and educate employees on the threat of corporate espionage.
- Technical audits: These are audits of system-wide security configurations. Default installations may leave holes that adversaries can use to exploit corporate data, so technical audits are conducted to prevent compromise. Technical audits may also be conducted alongside physical security audits to secure all means of corporate espionage.
- Background screening: A large number of corporate espionage cases involve malicious insiders who sell intelligence about their organization to external adversaries. Their access is linked to sensitive endpoints, so background screening is important to reduce the risk of espionage through insiders.