Today, most employees know emails from the “Nigerian prince” are fake, but a new threat — emails that mimic a coworker or CEO — is much harder to detect. An employee can unknowingly open what she thinks is a legitimate email and in seconds, a retailer’s Intellectual Property (IP), security and millions of other assets are fully exposed. That email that looks so real, from your CEO or co-worker, is a way into the network. While employees are getting better about not opening, or at least reporting that they opened the email, the newest threat emerging is more frightening and corporate IP is at even greater risk.
In the retail industry, where corporate brand employees receive hundreds of emails a day from different vendors, recognizing hacked emails can be especially tricky.
Let’s be frank: in many of today’s breaches, the intended target isn’t always the most obvious. For example, foreign intelligence agency actors weren’t interested in earning a free night’s stay at a Marriott property when hackers breached 500 million records earlier this year.
Heads of state and other political VIPs are also no longer the sole marks on a foreign intelligence agency’s hit list. Today, they are going after IP and ordinary people, like you and me, to get it, especially those of us who have unfettered access to troves of company IP that a foreign government may want for their domestic industry.
As state-sponsored hackers piece together a person’s identity and habits, combining breached records and personal posts, employees with secrets become an easy target for IP espionage. And make no mistake: these agencies will leverage any and every perceived weakness against you, based on what they’ve already cultivated about you online. Making debt payments online? Joining eHarmony because you are getting a divorce? Complaining about work issues on Facebook? Expect these hackers to use every vulnerability in recruitment attempts. In many of these cases, employees may be reluctant to report the incident as their secrets could lead to humiliation, dismissal and even legal action.
The fact is, data collected from breaches are but one piece of a larger, darker puzzle. Stolen customer data, when combined with other sources of online personal information (i.e., what we share across social media platforms), enable intelligence agencies to build profiles on individuals. These profiles can then be leveraged to recruit potential informants in companies with valuable patents, track foreign intelligence officers, as well as check the travel of their own government and intelligence officers against foreign intelligence to identify moles.
Indeed, the entirety of the digital footprint we create, which can be used to impersonate us or to profile/create leverage on us, is greater than the sum of the individual data parts. The average employee likewise doesn’t typically consider the bigger picture their personal data paints, regarding their travel patterns, purchasing habits, hobbies, (not so) hidden secrets, social causes and more. Add in breach burnout, wherein the public has become desensitized to countless stories of data exposure, and a perfect storm for harvesting operatives and stealing IP emerges.
Counter to what the company would want, employees who fall into this trap are often hesitant to go to their IT departments due to fear of the consequences or fear of their own secrets getting out. Indeed, the compromised employee, one who doesn’t understand the ramifications of letting those hackers in, can be the biggest threat to business.
Until enterprises view data holistically and realize that any company with valuable IP could be the target of a foreign government on behalf of that company’s foreign competitors, they will continue to play into the hands of transnational threat actors at the expense of consumer safety and national security.
It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level down, including training and education, as well as seeking expertise from security service companies that understand how to protect organizations from the capabilities of foreign intelligence groups. And that education must include an understanding of how personal, government and business-related information can be used in combination by foreign intelligence agencies, and how corporate IP may be of value to foreign competitors. For retailers in particular, organizations must empower employees to ward off these attacks and encourage a security-first culture to ensure their company and customer information stays secure.
Michael O’Malley is VP of Strategy at Radware. He brings 20 years of experience in strategy, product and business development, marketing, M&A and executive management to Radware. Currently, O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline and cloud service providers. O’Malley has extensive experience developing innovative products and strategies in technology businesses including security, cloud and wireless. Prior to Radware, O’Malley held various executive management positions leading growing business units at Tellabs, VASCO and Ericsson. O’Malley holds a Master of Business Administration degree, a Master of Science in electrical engineering, and a Bachelor of Science in electrical engineering from the University of Illinois. He also is a graduate of the Executive Strategy Programs at the University of Chicago.