Are risk managers identifying spyware in the supply chain?

Accusations that Russia tried to spy on delegates at the G20 summit held last September in St Petersburg with compromised USB sticks and mobile phone chargers have led to fears simple hardware bought by companies could put their secrets at risk.

Russia’s President Putin denounced the allegations made by two Italian newspapers but the idea of such technological potential does raise important questions for risk managers.

How can you be sure equipment bought and used by your company and your employees is not being used against you to steal information or eavesdrop?

With corporate espionage on the rise, you can never be 100% sure of your security and safety and current policies to prevent IT hacking may not cover this outcome.

And with several high profile technology companies caught up amid fears some products could have potential backdoors built in during the manufacturing processes, the question becomes what risk management procedures do you have in place to guard against threats from out of the box equipment and machinery?

According to the 2013 Kroll Global Fraud Report, there is now an increased need for greater monetary spend by risk managers on management and compliance processes to combat this.

Efforts range from thoroughly investigating the supply chain new equipment is delivered through to Bring Your Own Device policies for employees. There are also the potential pitfalls over the acceptance of technology to try or sample when offered by third parties.

Tommy Helsby, Chairman, Kroll Advisory Solutions, Eurasia, says: “Perpetrators of fraud are often thought of as faceless hackers in a distant land but our experience shows that to be the exception rather than the rule; the greatest vulnerability is to those who have already got past most of your defences by virtue of being an employee, partner or contractor.

“It is vital that as well as investing in technology, businesses mitigate the insider threat by focusing on areas like staff screening and due diligence on partners, clients and vendors.”

One-two punch

Marsh’s Financial and Professional Risks Practice Leader in Asia Stella Tse says that malicious cyber-hackers know that a one-two punch of reputation damage and service disruption (and therefore lost revenue) is difficult to recover from. “This is why cyber espionage and attacks are such potentially damaging risks,” she says. “Thankfully, cyber insurance has evolved dramatically in recent years to mitigate a range of risks, but unfortunately the ‘it won’t happen to me’ attitude still prevails in many quarters.”

James Wootton, Technical Director at Information Risk Management, believes there could now be a threat from everyday electrical items such as kettles in a company’s canteen with such products used to circumvent normal security checks.

It was recently reported that Russian investigators had claimed Chinese-made kettles could contain hidden technology that may connect to a nearby Wi-Fi signal and transmit sensitive data to a third party – running off the appliance’s power source to work.

Mr Wootton explains: “The prevalence of inexpensive computing platforms and at state level, the ability to create small, bespoke devices, would suggest that embedded attacks should be on the increase.

“The device is energised when the kettle or toaster is powered and it will seek out insecure wireless networks to communicate over, performing attacks, reconnaissance or waiting for further instruction.

“Whilst on the whole, secreting such devices within batches of consumer devices would seem reactively untargeted and opportunistic, it has also been suggested that such devices have been found embedded in mobile products.”

He adds: “Companies must consider their supply line. An interested party will look for the weakest attack vector, this may be a supplier or partner organization/company that has been infiltrated and spyware secreted within control, administrative or production systems.

“The sophistication and availability of devices capable of being embedded will increase and bring with it an increase in this novel but threatening attack vector.”

Supply chain vulnerabilities

Stuart Poole-Robb, CEO of the KCSIS Group, says one major risk is not spyware embedded at source by manufacturers but instead espionage technology placed into products such as computers and phones during the supply chain at less secure moments, for instance when shipped to a distributor, transporter or reseller.

He explains: “The exploitation of supply chain vulnerabilities has become an emerging trend, it should be taken very seriously indeed, as the impact is far-reaching, costly and destructive.

“When people buy a new PC, they often expect that machine to be secure out of the box. The fact that malware is being inserted at such an early stage in the product lifecycle turns this on its head and unfortunately means that no matter how discerning a user is online, their caution becomes irrelevant if that PC is already tainted.”

He adds: “Everyday appliances are having GSM cards installed in items such as 3-way adaptors, TVs and telephones. We have even found a transmitting device in a lock on the office door of the CEO of one of our clients. 

“More recently we discovered an electronic eavesdropping device under the desk of the Chairman of the Advisory Board of a blue chip German company, and more interestingly in the Executive washrooms of one of the world’s leading insurance companies.”

Other security analysts agree the fear over embedded spyware in machinery and communications technologies, such as eavesdropping abilities in mobile phone batteries, is a real and growing one.

Dominic Yau, an insurance underwriter for Markel International, says it is crucial to choose the right ‘risk’ product.

He explains: “These products can include cover for the costs of rectifying damage caused by spyware to the internal systems at factories and manufacturing facilities.”

He adds: “It is imperative that policies come with rapid response helplines to deal with these types of issues.”

Lost revenue versus risks

JLT’s managing director of professional and executive risks in Asia Ali Chaudhry says most corporates do not yet have insurance directly relevant to pure financial losses arising from industrial espionage, such as loss of future revenue or wasted research and development costs because ‘ideas’ have been stolen. 

“Most the current cyber policies deal better with the legal liability exposures businesses face from loss of customer data or their own mitigation and rectification costs but the bigger challenge for both buyers and the industry is quantifying lost revenue versus risks,” Hong Kong-based Chaudhry says.

“New and broader products are coming into the market all the time so the key is taking your time to understand what you’re buying and what perils are and are not covered and making sure you’re getting the right advice.

“I would certainly expect products that better deal with loss of revenue exposers to become more common place, but currently these still require a more tailor-made approach.”

David Emm, a Senior Security Researcher at Kaspersky Lab, says it is crucial not to be complacent.

He explains: “If your organisation has never suffered a targeted attack, it’s easy to tell yourself that ‘it won’t happen to my business’, or even to imagine that most of what is written about these kinds of threats is just hype.

“It’s important for organisations to invest in security and increase awareness of the risks throughout the business.”