But it's not just high-profile targets that are at risk. "The intellectual property needed to build a new type of safety restraint for an aircraft is just as important as anything else," says Howard Schmidt, former CISO of eBay and former special adviser to the president for cyberspace security.
IP thieves have targeted companies as diverse as retailers and high-tech manufacturers. In incidents nicknamed "the Trojan Affair", 18 Israeli executives from several companies were arrested for their involvement in an international computer espionage conspiracy that targeted competitive information from rivals including, in 2005, the Israeli divisions of Ace Hardware and Hewlett-Packard. Also in 2005, several executives from the software company BusinessEngine pleaded guilty to hacking rival Niku's systems to access its trade secrets.
Nevertheless, some companies are more exposed than others. Large, distributed organizations provide more opportunities for attackers to gain access to corporate networks, says Alfred Huger, vice president of engineering for Symantec Security Response. Historically, the biggest risk to IP has been from insiders. A few years ago, Motorola detected suspicious unauthorized activity on its network. Boni's security team traced the activity to an employee workstation, which contained a directory populated with a complete hacker toolkit. Under questioning by investigators, the employee admitted that he'd been asked by a competitor to hack into Motorola's systems to access sensitive IP; he was terminated.
In today's global economy, the number of insiders within any organization has increased dramatically if you count external partners among them. "Organizations now have to deal with employees connecting from home offices, the local Starbucks and shady hotels," says John Bumgarner, research director for security technology at the US Cyber Consequences Unit. "They also have to deal with business partners and customers having access to their networks via VPNs, dial-up connections and Web portals, any of which can be used to compromise the organization's resources."
It was a connection to these externally based insiders that got Bailey, at the government contractor, in trouble. "The extranets pose a problem because many of them are controlled by program managers for the benefit of the customer," says Bailey. "And that can make policy enforcement problematic." But the focus on pleasing the customer backfired. "There's nothing worse than having to call up your customers and say: Because of our negligence, we've compromised your proprietary information," Bailey says.