Most large-scale espionage has state affiliation, but not all, says Niemela. There are also instances where criminals breach an organisation and put the information up for sale on the darkweb - so businesses themselves aren't engaging in espionage but are happy to pay money for it.
Matters become decidedly more complicated when attribution is factored in - it is very difficult to say with certainty where an attack came from. Educated speculation and gluing together various pieces of evidence is about as good as it gets: nothing can be 100 percent certain.
The methods used by state or state-sponsored groups are really not very different to the kinds of attacks criminal gangs would put into the wild. The goals can be similar too: compromise systems to monitor networks and collect as much useful information as possible.
"If you have a server with interesting information visible to the internet and it has a vulnerability they will hack in there, monitor what happens in that server, and spread into your internal organisation," Niemela says. "If that doesn't work they will use phishing, watering holes, browsing exploits or some other method of getting access to a workstation, and from there they'll obtain credentials of administrators and move between machines.
"They will get the domain administrator's credentials then they are in your network, once again, observing and collecting information.
"It all depends on how interesting a target you are because even spies have budgets and bosses," Niemela explains. "And they need to make their bosses happy."
Those budgets might be bigger and those bosses more politically powerful but they are budgets and bosses all the same.
"What we have gathered from Snowden and other prior evidence is that it's rare an espionage agency is given a mandate at a certain company - they operate on sectors of industry," Niemala says. "For example, some intelligence team is tasked with trying to access the energy sector operating in the Middle East, or the banking sector in Syria. It's extremely rare to be the only target."
"There's an old joke: when you are in the savannah, you don't need to be faster than the lion - you need to be faster than the friend next to you."
That means organisations that don't take security quite so seriously are low-hanging fruit for intelligence gathering.
"You need to pay a lot of attention to the various aspects of security and you need to make your security layered," Niemala explains. "There needs to be passive preventative measures, active preventative measures, limiting measures, containment measures, detection and response.
"When you have your security stack and layers in place you are going to be a hard target - which means that then, provided you are significantly harder than targets of equal value, it's very likely that you will not be hit with sufficient resources to cause a significant breach."
"They are going to try you, but if you detect them and kick them out, pretty soon they are going to decide that guy is more trouble than it's worth."
Sign up for Computerworld eNewsletters.