Tech firms vulnerable to spying and industrial espionage
Data security experts agree that Irish companies of all sizes, not just multinationals and governments, are at risk of being targeted for data
Eye spy: contractors can be “passed a USB key” and money to supply company data, says Europol Cybercrime Centre adviser Brian Honan. Photograph: Getty Images/iStockphoto
Last month it was reported that British intelligence agency MI5 had, in a series of high-level meetings, painted a worrying picture for leading British corporations in which their IT workers may become targets for foreign powers seeking sensitive data.
The idea of an IT department infiltrated with double agents may sound a little fanciful but the threat of a rival nation trying to influence them is far more realistic than many may think according to Uri Rivner, vice-president for cyber strategy at Israeli security company BioCatch.
“Obviously there are cases like this,” says Rivner, who compares the situation to having “someone on the inside” of a bank before committing a robbery. Of the companies or organisations that will be targeted, he says that “whatever a nation is good at, that’s interesting to other nations”.
In the case of the UK, he says this may be the financial sector, while in Scandinavia two industries in particular, telecommunications and mining, “have been targeted”.
So where does that leave Ireland? “I would guess multinational companies working in Ireland would be a target,” he says.
Rik Ferguson, Trend Micro’s global vice-president for security research, says staff in call centres could be another target to be “turned”. Whether identified by rogue nation states or corporate rivals, “staff with access to data in any location are potential targets for insider attacks or being recruited into any type of cyber- attacks,” he says.
Peter Tran, RSA’s worldwide senior director for advanced cyber defence, says that “defence and aerospace contractors” who have manufacturing and component facilities in Ireland could become targets for such threats as well. Ireland, he adds, is also “a hotbed for intellectual property development, so that’s a target”.
Eamon Noonan, technical director with Dublin-based cyber security company Digicore, is in no doubt that the MI5 warning should ring true for Irish businesses, adding that it’s “a little sad” companies here don’t seem to take such threats seriously.
“It would naive to think it doesn’t happen. It happens quite a lot. The difficulty is that it’s a hard thing to prove,” he says.
“I know of several cases where issues have been raised in relation to this point . . . I’m not saying there’s been cover-ups but they may not make much out of it as it may ruffle certain feathers.”
Noonan added that while Ireland is unlikely to be involved at the higher echelons of corporate or nation-state cyber espionage “we are involved” from the “midstream upwards”.
Throughout the security industry, many think along the same lines as Noonan, believing it’s naive to think employees with access to valuable data have not been targeted by interested parties, though details related to such incidents are often sketchy at best.
USB key and money Brian Honan, a member of the advisory group on internet security at Europol’s Cybercrime Centre says it is logical to imagine a situation where a member of a company’s IT staff or a contractor could be “approached and passed a USB key” as well as some money to supply internal data on a targeted company.
Social media could offer a route for attackers to target potential “allies”, says Ferguson. One tweet by a person working for a particular company on “how their credit card is maxed out” can give malicious actors “an opportunity to approach them more openly and offer financial assistance in return for their material assistance”, says Ferguson.