Kaspersky Lab recently published a new survey called “Who’s spying on you” to describe the arising problem of cyber-espionage. In our previous article we pointed out that any company or organization may actually become a target of an attack. It is rash to expect that the small size of a company or, perhaps, a little-known product would ward off hostile visitors.
Another important factor is that a sudden attack at any company could cause collateral damage itself because the primary target is a different structure. The most obvious examples are attacks at small companies including the supply chain of a major defense contractor. Its defenses are hardest to penetrate, because its cyberdefense is likely to be very sophisticated and always ready. However, the desired information could be stolen from other sources like suppliers whose cyberdefense are less advanced than the main target.
In 2011, unknown assailants attacked the U.S. defense systems manufacturer Lockheed Martin. The raid was not very successful: the attack was quickly discovered and blocked. But further investigation revealed that the same hackers had previously attacked two suppliers of Lockheed at once, including the company RSA. The information obtained from them helped the criminals aim at their apparently primary target. And this is not the only story of that kind.
Accordingly, in order to successfully protect yourself against cyber-espionage you need three things. Firstly, you should realize that nobody is immune to it; even the smallest companies are not. The only probable difference (and a slight one, too) is the likelihood of attack. Those companies somehow included in the supply chains of corporations that draw the attention of intelligence agencies from other countries are at a higher than average risk of becoming a target of cyber spies. Secondly, you have to understand the potential attack vectors. In most cases these are exploited vulnerabilities in very common software products like Java, Adobe Reader, Microsoft Office, Internet Explorer, Adobe Flash, social engineering techniques, and drive-by infections.
Thirdly, there is a need to secure your own infrastructure, which cannot be limited just to installing an antivirus or a more advanced security solution. You should develop a general corporate security policy that includes personnel training and other activities to provide assured effective protection.
More about the ways to do this in the new Kaspersky Lab’s survey “Who’s spying on you”.