Go beyond the gray zones
Other countries may have vastly different ethical and legal guidelines for information gathering. Almost everything we've talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. There's another realm of corporate sleuthing, using bugs, bribes, theft and even extortion that is widely practiced elsewhere.
In his days as a global security consultant, Bill Boni, vice president information security at T-Mobile USA, saw several things happen that probably wouldn't happen in the U.S. A bank in South America that suspected espionage brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. "They found 27 different devices," Boni recalls. "The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them."
Espionage is sometimes sanctioned - or even carried out - by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country's economy. That's why no single set of guidelines for protecting intellectual property will work everywhere in the world. The CSO's job is to evaluate the risks for every country the company does business in, and act accordingly. Some procedures, such as reminding people to protect their laptops, will always be the same. Certain countries require more precautions. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.
Use the Internet of Things (IoT)
One of the most vulnerable environments is the health care industry. At many hospitals, each bed may have up to 15 IoT bio-med devices, with potentially half connected to the internet. Hackers are getting wise to the fact that the value of protected health information (PHI) is much more valuable than personally identifiable information (PII).
Weakness in a hospital network via these IoT devices makes it an easier target than in the past. It becomes critically dangerous to patients if the hacker starts changing drug administration protocols on an IoT internet-connected pump.
Most will agree that IoT manufacturers have rushed their devices to market to fill demand, without thinking about how to secure them. Among the problems: Processors in these devices are too small to house IDS, and few devices can be updated. Manufacturers are working to make devices easy to update or automatically updatable since many consumers don’t bother to perform updates on their own.
That said, most hackers are not geographically close enough to stay within range of the device and target the weakest link, the end-server. Organizations need to develop and implement their own strategies that might include securing end-servers, central servers and wireless access points since they’re most the most likely to be the target for a break-in.
Sign up for CIO Asia eNewsletters.