Here is Part 2 of my conversation with Robert Jones, which we taped last March. You can find the entire interview on the March Second Sunday Crime show here.
We touched briefly on cybersecurity when I asked which is more common: hackers looking for credit card data or corporate spies? Mr. Jones said that as far as the FBI is concerned, hackers trying to steal customer data are more common. However, corporate espionage costs businesses much more and is a bigger threat. When I asked whether planting malicious software to damage corporate systems is dangerous, he replied: Sure, it happens, but corporate espionage can be more damaging. He said the issues surrounding hacking would be investigated by the FBI’s Cyber Intelligence Division.
According to Jones, it makes sense for corporations to form a relationship with their local FBI field office and its leaders, especially the special agent in charge. Employee training in policies designed to protect trade secrets is vital, including abiding by the NDAs many employees are required to sign. It’s all about protecting your company’s “secret sauce.” If you have the recipe and you’re dependent on it to drive your business, you need to protect it. If the formula is a trade secret and it’s available to all 40,000 of your employees, it isn’t secret! Information should be limited to those who really need to know.
Hacking and Encryption
Encryption provides an answer to many security weaknesses. If a company has adequate encryption, it can often bypass hackers. The FBI is certainly a fan of making sure information is properly protected. The most important thing for a company is to run a network that isn’t connected to the internet, which means there’s much less risk of being hacked.
What about so-called ethical hacking? It isn’t something the FBI does. Ethical hackers are sometimes hired by corporations to find the flaws and holes in a security system, but the FBI doesn’t have its own cyber crime people who can do that, certainly not from a counter-intelligence perspective.
One issue front and center in today’s environment is a company’s ability to spy on its own employees, sometimes referred to as ‘monitor and investigate’. Is that OK? It depends on the company. If you run a defense company with secret data, you want your people to sign an NDA. This consents to having all your work monitored, regardless of what you’re doing on the system, and can even affect private emails. Some companies search people’s backpacks, others put CCTV in parking lots. It’s down to the individual company how much or little they choose to “monitor” their people.
Part 3 is coming soon.