In the early 1700s, a French Jesuit missionary in China sent detailed porcelain manufacturing information back to France. In the 1800s, the British East India Co. hired Robert Fortune, a Scottish botanist, to travel to China and smuggle tea to help India gain a competitive edge in the tea market. And in 2018 and 2019, two Apple Inc. engineers were accused of stealing valuable trade secrets (photos and electronic files) related to Apple’s autonomous car program, Project Titan. Clearly, just as business has changed along with the technology we use daily, so too have the methods of spying. But the essence of corporate espionage–known also as industrial or economic espionage–remains unchanged.
The entire process still involves someone taking a major risk and getting their hands dirty, and the goal remains the same: find a company’s valuable trade secrets and share them with a rival in the interest of making money, seeking revenge, and decreasing a company’s competitive advantage.
Normally, the word “espionage” makes people think of dark dealings and famous fictional characters such as James Bond or other mysterious men in suits sneaking around, stealing information, or completing missions far too dangerous for the average person. In real life, however, we know very little about spies and, for obvious reasons, spies would like to keep it that way. If you imagine they’re working only for governments, it’s easy to not think twice about what spies do, but espionage has been a part of the business world as long as business itself has existed (competition only increases the desire to get ahead), and today corporate espionage continues to plague organizations of every size.
Cyber Attacks Versus Spying
We spend a lot of time talking about cyber security risks and how to best mitigate them, so it’s worth looking at what makes corporate espionage different from a typical cyber security breach. At their core, the two are the same. Spying and cyber attacks often both aim to steal valuable information, but espionage is arguably more nefarious and can be even more difficult to notice because it’s typically conducted by an insider threat. In the Apple example mentioned earlier, both of the accused were Apple employees, both had access to one of the company’s most guarded projects, and both used this access to take information for use outside the company covertly.
Spies focus on more than gaining unauthorized digital access. Espionage also involves the theft of physical components or documents by transferring proprietary files to a personal storage device, taking photographs of sensitive materials, or any number of tech-savvy and not-so-tech-savvy means suppliers, employees, or business partners find necessary to get their hands on valuable information.
In 1996, the U.S. Congress officially recognized the threat posed by corporate spying, and the economic importance of trade secrets and intellectual property, with the enactment of the Economic Espionage Act of 1996. The act is divided into two provisions, with the first directed at foreign espionage performed to benefit a government and the second directed and the most common threat: commercial theft regardless of beneficiary.
Who and What Are at Risk
Though cyber attacks are often aimed at larger organizations or government entities, espionage affects companies of every size. If someone sees potential value in the information, even if that value is only for personal gain or exacting revenge, there’s a risk of espionage. Typically, information ripe for stealing includes trade secrets (current or future products), financial data that can help competitors undercut prices or target potential acquisitions, and customer information or vendor details.
Policies governing on-site security and behavior provide additional security and peace-of-mind. Further, though physical security efforts may not be enough to deter all threat actors, these measures can be exactly what you need to detect theft and act with confidence.
Four Easy Ways to Reduce Loss from Espionage
- Do your due diligence – Growth in the global market leads organizations to hire at every level for international locations and pursue partnerships with multinational footprints. Perform due diligence to vet these potential growth resources, especially foreign companies, and leadership hires, to identify risks before bringing these risks onboard.
- Initiate a clean desk policy (CDP) – A CDP dictates how employees leave their desks at the end of the day or during extended time away during the day. Often, these policies require all computers are logged off, and there are no documents left on the desk surface. This helps keep eyes off sensitive materials and reduces the likelihood of something being taken. Regular cleaning of the desk also helps employees keep track of their documents and will make it easier for them to flag things that might be missing or disorganized.
- Restrict personal device use – An excellent cyber security policy should have protocols in place for personal device use regarding connections to secure networks, but limiting the use of devices onsite is also essential. For employees, these restrictions should limit the use of external storage devices, including flash drives, with any company device and the use of mobile devices in restricted or sensitive areas, should not be permitted. The recorders and cameras on today’s mobile devices can easily and covertly be used to gather information in meetings, on-site tours, or even while passing through a room. It is also a good idea to disable cameras and audio recording functionality on corporate-owned devices. Finally, this restricted-use policy should extend to visitors (vendors and partners alike) by requiring that cell phones be handed over before viewing sensitive materials.
- Remain committed to cyber security – A robust cyber security policy is at the heart of every genuinely secure organization in today’s connected world. Threats continue to evolve as fast as technology itself, and it’s important to guard your networks and ensure every connection is as safe as possible.
Of course, it’s important to note that not every employee with a phone in his/her hand is a spy. Most people want to do well at their job and help their company succeed, but remaining aware of this risk can help you guard your information and know exactly who’s looking at your IP.