An article from CNBC highlights the problems of corporate espionage. They mention four steps that companies can take to help protect their information. Notably absent is any steps to defeat electronic spy devices. Electronic countermeasures sweeps should be included in all information security plans. More on that at the end.
The American Greed Report: Corporate spying costs billions, can it be stopped?
…According to the FBI, tens of billions of dollars are lost every year to corporate espionage. This may not just be a matter of how much money is lost, says Alan Brill, senior managing director of cybersecurity and investigations at Kroll. “It can be whether the business is able to continue or fail, whether all the customers are stolen away.”
Corporate espionage schemes can also occur when people already working for someone else infiltrate a company, or employees who’ve already left a company leave behind co-conspirators who send them data. Brill remembers one case where a construction organization couldn’t figure out why a competitor was just barely underbidding them — until they realized insiders were providing a former employee with their bids.
The type of information stolen can vary. “Each company has its own crown jewels of data,” Brill said, “whether that’s a business process, a chemical process, a trade secret, costing figures from the cost accounting department, bids, profitability, or future plans.”
Motives and methods
Many employees or former employees steal data purely for financial gain, but another common motive is revenge. “You’re mad at the company, they fired you, you want to get back at them. And one way to do that is by taking information,” said Brill.
Back in 1997, for example, an engineer at a company working for Gillette faxed and emailed drawings of Gillette’s new razor to rival companies. The engineer said he stole the designs because he was angry with his boss.
…Espionage happens in companies of all sizes, and can actually be easier to commit in small- to medium-sized businesses. “You would likely have more access to information than if you were in a large organization with a lot of people, sophisticated business practices and sophisticated information security,” Brill said.
…companies often don’t realize there’s a problem until it’s too late. “Customers start telling you they’re getting a call from a competitor you’ve never heard of that is amazingly underselling whatever you’re doing, or giving better terms than you have given confidentially to your customers,” he said.
What companies can do to protect themselves
While we normally trust the people we work with, Brill recommends companies move more toward a “trust, but verify” approach. “I really do believe that people are honest, but I also know that there’s a small percentage of the population that isn’t,” he said. “So I need to use technology to monitor what’s going on in my network and try to get an early warning.”
In the past, Brill says companies tended to build walls around the system, much like a medieval castle. The idea was, “I’m going to defend the perimeter, and I’m not going to let the bad guys in.”
…The strategy has shifted to having a good defense — but also monitoring the information that’s going in and out. Consult with IT and risk management professionals who can help your company put protections in place. Some important steps companies can take:
- Install technology that monitors everything going into your email system to determine if it’s a legitimate message or if it’s phishing or malware.
- Monitor for what’s going out of your email system as well by installing leakage control systems. These can, for example, tell whether data is being sent to Dropbox or personal Google, Amazon or Microsoft cloud accounts. They can also monitor for documents or spreadsheets going out.
- Use whitelisting, which lets you specify which applications are approved to run on a computer system. Anything not on the whitelist won’t run, which protects the network from malware and other harmful applications.
- Consult with labor employment counsel to make sure your agreements on who owns intellectual property and prohibiting misuse or removal of such property are up to date.
…Closely monitoring employees may seem like “Big Brother” watching to some, but keeping track of what goes in and out of your company electronically isn’t too much different from monitoring what goes on offline. “Somebody sitting at their desk late at night when it’s unusual to do that, someone’s carrying out big boxes, somebody’s going to take a look at that,” Passman said. “So it’s not too different from the physical world.”
[Read the full article at CNBC]
After thought:
If your company has valuable assets of any kind- be it information, technology, even your own valuable personnel- you can be sure there is a target on your back for someone who would like to either bring you down or at least take part of your value for themselves. Not all enemies are cyber hackers trying to break in to your computer network or people walking out with a thumb drive of documents. Many may be insiders already within your walls looking to intercept any piece of information or communications they could use for their own benefit. This information could include executive schedules, hiring and firing plans, new product development and timing, or anything else they could turn around and use against you or sell to a competitor.
Performing electronic security sweeps should be standard protocol for information protection. There is a common misconception that associates sweeps with the act of spying. A sweep does not intrude into employees’ privacy. It is looking for evidence that someone else may have been spying. To protect your company information and your employees and preserve privacy in your business you should be performing electronic TSCM sweeps on a regular basis.