Danger lurks in data theft
- 29 August, 2003 08:08
A connected corporate environment has exposed companies to the menace of data theft, particularly when it involves multimillion-dollar tenders or mergers and acquisitions.
Citing a litany of real-life examples as proof that the 'business of doing business' is fraught with danger, Tenix Datagate general manager Peter Croft said there are very few Australian companies using bullet-proof IT security practices to protect data.
An IT manager doesn't have to read the latest statistics on security breaches from AusCert or the FBI, he said, to be aware of the increasing prevalence of information theft which ranges from stealing a laptop to more sophisticated hacking techniques.
While there is only a small pocket of competitive intelligence gathering that involves a high level of hacking activity, Croft said it is well targeted and, most importantly, very valuable in dollar terms.
He said such information theft may often involve the use of social engineering techniques or headhunting staff from a direct competitor during the takeover or tender phase.
"You can't get around others poaching your staff, but you can protect salary information which can be used strategically by competitors," he said.
The best intelligence in espionage, Croft said, isn't always high tech, but of the trusty brown paper bag variety, depending on which country a company is operating in; he pointed out, however, that the environment in Australia is fairly ethical.
"There is a level of concern in the marketplace that is driving customers to come to us wanting to protect this type of corporate information; most organisations are preparing tender documents on a standard PC and firewalls are not 100 per cent secure," Croft said, adding that the bulk of information theft is still occurring at a government-to-government level.
He referred to a recent case of an insurance firm bidding for a financial services company during which the amount the acquiring company was willing to pay was leaked via an e-mail.
This led to the asking price jumping $500 million.
"So what price do you put on good information security? In this case I'd say $499 million," Croft said.
As the region's largest defence contractor, even Tenix has stringent processes in place.
"Australia has the largest defence budget in the region and there are very few players for big prizes," he said, explaining that Tenix is currently involved in a tender worth $1 billion so "the stakes are extremely high".
To implement the range of Tenix separate network security (SNS) products, dubbed Veto, customers must also classify their data to determine the levels of protection required.
The products are based on a network separation architecture which organisations can use to isolate networks that contain their most valuable data.
Veto has its own servers, hubs, switches and cabling, thereby eliminating data theft from popular attacks such as worms and Trojans. The technology is the norm in military installations but is now available commercially.
"It is easy to target companies that do not classify information; obviously the Christmas club membership isn't classified the same way as tender information," Croft said.
"Before implementing this kind of technology you need to start by classifying data, because the uptake of technology has made all the doors to the company open; we start with the paradigm that all doors are closed and then we decide what to open so a company can operate."
Tenix has also developed an IT security policy framework based on the government's Protective Security Manual.
The company developed a commercial version of this manual and Croft said about half a dozen customers in Australia have implemented the multi-level security framework in the past 12 months.
"Implementation of our technology involves a product architecture change so is best suited during a technology refresh so we can establish a hierarchy of importance for a company's data; our equipment can be installed within hours, the hard part is the policy which can take months."