8

Protecting Your Most Critical Resources

Abstract

This chapter includes information on how to determine what your most critically important resources and information are. This includes Trade Secrets and any information or resources that, if compromised, could have an adverse impact on the company and its business viability. The key is to focus your business espionage countermeasures on the most critically important resources and information and not try to protect everything.

Key words

business spying; business espionage; countermeasures; business impact; consequence; cost benefit; value; TRIPS; trade secret; critical; information protection program

Focus on protecting the most critical information and resources

We have already indirectly stated, when we covered risk methodology in Chapter 1, that it is important to not try to protect everything all of the time. If you try to protect everything, your security can be stretched so thin that you are really not protecting much of anything well. I see this very often and it shows that the business entity is really not that committed to the specific protection of their most sensitive information. They often know they are not doing a good job of protecting their business secrets and sensitive information but they cannot bring themselves to admit it. So, instead, they turn to lots of euphemistic phrases such as “we want to have the highest levels of security for everything we do” or “our physical security and IT security staff work together very closely.” While that might make them feel a bit better, if it is not completely true it can be a very dangerous mode of thinking because they will not be making needed improvements in their approach to security.

That is why it is important, early on in the business espionage risk assessment process, to identify and map business processes and then focus on the most important and critical information and resources—those where the loss could have the most catastrophic adverse impact on the business. The best way to start this discussion may be to simply ask key people questions such as “What do you do for a living?” “Why should someone choose our company or product over a competitor(s)?” “What makes us better than your competition?” This can help people to understand that there are things of value in the organization. Once you have achieved that basic level of understanding, it is time to determine which specific functions and types of information are the most important to your business. This will enable you to focus on protecting your most critically important resources.

Do not be side-tracked by someone saying, “There is really nothing that sensitive in our business. We use the same equipment everyone else uses and we do the same things.” If that is really true, then you are right to not worry about protecting anything. You will soon be out of business as you are clearly not competitive.

Another infamous put-off I regularly hear is something like, “Our business changes so fast that by the time someone steals this information it will be outdated.” While it may be true that some aspects of it will be “outdated,” the spies will have profited from how you learned and where and how you progressed in earlier phases of development. Eventually they can copy the processes that helped you be so successful. Many businesses do not understand the basic tenets of intelligence, which is to gather pieces, put them together, and allow a picture to emerge.

The truth is that your company undoubtedly has some skills or techniques that work well and you need to identify and recognize those in order to protect them. You should take steps to protect what positively differentiates you from your competition. Is it quality assurance? Is it customer attention? Is it a methodology you use well? Is it the equipment you have and how you use it? The next question is, “What would the impact be on the business if the competition did this too or used this same process or technique?”

Once this truly sensitive information and these valuable resources are identified, the protective measures should be aligned so the highest standards of protection are allocated to the information with the highest potential adverse business impact. In fact, some businesses have done away with the traditional labels of “secret,” “confidential,” or “sensitive” (that were patterned after the military/government labels of “top secret,” “secret,” “confidential,” and “for official use only”) and have gone with “high business impact,” “medium business impact,” and “low business impact.” These labels more accurately drive home the point of the classification. The high business impact information/processes/equipment should have the most layers of protection and most effective security standards and measures. Medium business impact warrants some protective standards and measures. The low business impact information, then, is the lowest priority for protective resources being expended.

One of the ways to determine the potential adverse impact is to look at the estimated value of information or other resources. This, of course, is sometimes easier said than done. Physical assets are regularly assigned values, usually using a “market value,” which may be determined based on replacement costs or expected revenue that will be generated. Unfortunately a lot of physical assets, and certainly most information, have value greater than just the cost of replacing the asset/information that is lost.

A laptop or a thumbdrive might have a monetary value to replace but the loss of the information stored on the device will often be far more than the value of the stolen computer or damaged file cabinet where the information is stored. This perspective requires a different way of thinking than enterprises are used to but it is an important change.

Begin an assessment by going through the information and other assets the company possesses. Identify them and make certain all of the assets and resources are listed. Then discuss the value of these assets, including the cost to research, develop and create the resource, the cost to replace the information/asset, and the value of the information to competitors or thieves. If possible, try to determine the value of lost business if a competitor is able to use this information and thus can sell the product or service at a lower price having minimal research and development or other costs invested. This is not only an important step in determining the protective measures to be employed, it is also important if there is ever a need for legal remedies.

When compiling the value of information you will have to deal with potential complacency. Staff, even leadership, of many companies are used to dealing with sensitive information during the normal course of business operations and often do not think about its value. After all, if the document jams in the printer, just pull the jammed paper out, throw it in the trash, and print another copy. The important thing is to keep going because there is likely a deadline that must be met. There is work to be done! It is difficult to get people to realize that the piece of paper or sticky note they just threw in the regular trash, which had part of the enterprise’s customer base, could be of value or do damage to the enterprise if a competitor had it.

In 2014 a company reported to me that multiple external hard drives had been stolen. Company leadership was concerned about the information on one of the hard drives that contained process related information, a valid concern. However, they casually, almost nonchalantly, advised that the missing hard drive with information from the accounting division was of “little value.” After probing a bit further, it was apparent that the drive with “financial information” had, among other things, a full customer list and detailed pricing information. When asked if this would not be of value to competitors, the leadership thought for a moment and then revised their assessment. They determined that the financial information was of value and actually was of major concern. This kind of questioning will probably be necessary before leadership and staff truly understand the value of what needs to be protected. They are not used to thinking in these terms.

Additionally, company staff members are used to dealing with day-to-day activities and, like most of us, make decisions based on a number of factors. Sometimes these day-to-day problems result in knee-jerk reactions that would not make sense months later, especially to an outsider. But that is also the value an outsider brings. For example, recently (2013) I did an assessment and found that the most sensitive information at a particular client site was undoubtedly in servers located on the top floor of a high-rise building, but there were few protective security measures in place for them. When we discussed having a security officer and monitored CCTV coverage added to enhance server room security, leadership was concerned about additional cost. When we calculated the various values of the information and compared it with the cost of additional security measures, there was no comparison as the value of the information was in the millions of dollars, while the costs were measured in thousands of dollars.

Furthermore, I pointed out that there were three security officers deployed in the parking garage—one on each of the three levels in the underground parking for the building. I asked if it might not be possible to move one of those three security guard positions to the top floor where the servers were located. Management initially balked at the change because all managers wanted to make certain their reserved parking spots were protected and they were upset that, on occasion, there were people parking in them. My question was, “If someone parks in a reserved spot, what is the cost and impact on the company? On the other hand, if someone steals information from, or damages servers, what is the cost and impact on the company?” I asked if management could really say it made more sense to protect private parking spots than the server room. At that point, the senior managers all said, “When you put it like that, we need to protect those servers and it makes sense to move at least one of the guards to protect the server room.” As this example illustrates, to see the forest through the trees, you have to measure all of the resources to determine which are the most critical and most valuable.

Again, start with identifying all the intellectual property and any other sensitive information. Determine all locations where that information is located and stored, which might include executive offices, finance, legal, IT, research and development, human resources, operations, and manufacturing. There may be others but as you work with each of these business entities you will find the most critical information and its location. You can then work with leadership to try and put a value on that intellectual property, sensitive information, and other assets.

Finally, in this consequence/criticality phase of the assessment it is also good to try and determine the ramifications and implications that go with the loss of any particular intellectual property and sensitive information. This is the adverse consequence or business impact aspect of the process, and can include a loss of competitive advantage and a loss of market share, or a loss of customer confidence and orders. It can also mean damage to your brand and reputation or result in loss of qualified employees and legal or regulatory problems.

One of the biggest potential adverse consequences or negative business impacts could be on the nebulous future business side of things. When you are consistently losing bids on proposals, the reason might be your ability to meet needs and your pricing, but it may also be that you are losing because competitors know your bidding process and the numbers you are submitting. It is not hard to undercut you when armed with that information.

The French were quite good at seeing the positive economic impact of their business espionage operations. Pierre Marion boasts that during his tenure as the head of France’s external spy agency, France won a $2 billion airplane deal with India thanks to the business-espionage-derived information that was gathered by French intelligence. The late French spy chief Count de Marenches typified the French view when he wrote in his memoirs that economic espionage is “very profitable…. In any intelligence service worthy of the name you would easily come across cases where the whole year's budget has been paid for in full by a single operation.”1

It is wise to look at the potential adverse consequences in a similar manner. If the French won a US$2 billion airplane deal due to business spying, an American company lost a potential US$2 billion airplane deal due to business espionage. That’s a major adverse impact. If spies are paying for themselves in a business sense and are justifying their annual budgets based on this kind of business gain, the counterespionage operations can have the same impact. If a counterespionage element of a business is able to keep the company’s business secrets protected and enable the company to successfully make competitive bids and sell new, innovative state-of-the-market equipment and services, it has easily paid for itself.

It is also of value to determine if a potential business partner shares your concerns about integrity and protecting intellectual property. I was impressed with a U.S. firm that asked me to come along with their legal and security staff as they checked out a potential manufacturing partner in Taiwan in 1996. The company, which manufactured a specialized type of sports equipment, went to the Hsinchu Industrial Park in Taiwan to check out a company that manufactured the same type of sports equipment for use within that country. After viewing their manufacturing facility, the U.S. company representatives sat down, in a conference room, with the Taiwan manufacturing firm’s leadership. The lead attorney for the U.S. company advised that they would expect a separate and closed off manufacturing line. The Taiwan company leadership responded, “no problem.” Then the legal team from the U.S. pointed out that the company had never manufactured any of its products outside of the U.S. and made the comment, “All of our products must say, ‘made in the USA.’” At that point the Taiwan company chairman said, “No problem. We can put ‘made in the USA’ on what we manufacture.” At that point the leader of the due diligence team said he had heard all he needed to hear and asked his team to gather up their things and head to their vehicles. The Taiwan manufacturing chief seemed puzzled. As the Americans walked out the door he kept asking his staff, “What did I say that was bad? I agreed to do anything they wanted.” Sometimes it is good to see where a company and its leadership draw the line and where their levels of business integrity are before becoming a partner with them and sharing valuable intellectual property.

One other concern is worth mentioning here. You should work with legal professionals to determine if any of the sensitive information qualifies as a legal “trade secret.” The precise language defining a trade secret varies from jurisdiction to jurisdiction, but there are generally three factors common to all information that qualifies as a trade secret:

 It is not generally known to the public;

 It confers some sort of economic benefit to its holder (where this benefit must derive specifically from its not being publicly known, not just from the value of the information itself);

 The owning entity has made “reasonable” efforts to protect it from compromise.

Interestingly, these three aspects are also incorporated in Article 39 of the TRIPS Agreement.2 What it means to an enterprise is that they must take specific steps to establish that this sensitive information (trade secret) is especially protected and is not generally known to the public. This usually is a matter of classifying and marking information with an appropriate protective caveat such as “secret” or “high business impact.” Then there has to be a value, an economic benefit. This is where you use the information concerning the amount of money that was invested and the amount of business that could be lost if the trade secret were compromised to a competitor that used it. Finally, there is a “reasonableness” test. The questions to be answered include: “Has the company taken measures to protect these trade secrets?” “Are these measures reasonable for the value of the trade secret?” Some benchmarking might be needed to answer the latter question. Finally, has the cost/benefit analysis been determined?

When you have determined the criticality/business impact and the value of the sensitive information you can then work to determine if existing security practices provide the protection it warrants. If enhanced security measures are needed, you have some of the key information needed to do a cost/benefit analysis. Now you are truly ready to design appropriate countermeasures and determine a cost/benefit analysis for those countermeasures.

While it is difficult to determine the adverse impact of business espionage, some rather astounding numbers have emerged from a number of studies. A great deal of the current estimated economic losses attributed to business espionage are based on surveys and estimates by various government agencies, quasi-government agencies, academia, and security experts. This is due in part to the fact that business espionage is not necessarily a crime in some countries. But even more importantly it is because even where it is a crime (such as in the United States), many businesses do not want to report losses to business espionage because it could undermine the value of the company, its stock prices, brand, and reputation. As a result, the numbers vary considerably. But regardless of whether you take the lowest estimates or the highest estimates—and the best practice is probably to take an average—the numbers are astoundingly large and appear to be growing.

For example, the U.S. Commerce Department estimates that the annual intellectual property theft loss topped $250 billion a year for businesses in the United States during 2010. This means, for example, that intellectual property losses cost the United States at least 750,000 jobs in the same period, according to the U.S. Commerce Department.3

Furthermore, the International Chamber of Commerce puts the global fiscal loss attributed to intellectual property theft at more than US$600 billion a year.4 The National (U.S.) Intellectual Property Law Enforcement Council did an extensive survey and put losses in one month at more than US$250 billion globally. At that rate, the business losses would be US$3 trillion a year, although the council estimates it is more likely half that, or realistically about US$1.5 trillion a year.5

Other countries and organizations have different estimates. The British Broadcasting Company said a study they did indicated global business losses to industrial espionage exceeded US$300 billion a year in 2012. The British MI5 security agency reported that one incident alone cost a British company more than US$1.2 billion and they say the annual business spying losses within the United Kingdom, by itself, were estimated at more than US$16 billion in 2012.6 The Canadian Security and Intelligence Services (CSIS) put the losses to business spying for Canadian businesses at between US$50-150 billion a year in 2011.7 The CSIS opined that the lack of a law to make business espionage illegal contributed to Canada becoming an easy place to target a company's Trade Secrets. According to Peter Schweizer, in Foreign Affairs magazine, the Australian Security and Intelligence Organization has estimated that Australian companies lose close to US$3 billion a year to intellectual property theft. German counterintelligence officials have said the country’s intellectual property losses are estimated to be in excess of US$80 billion, which they note, translates to at least 30,000 German jobs.

Recently the Center for Strategic and International Studies completed a study with help from McAfee, the computer security company. The director of technology and public policy, Andrew Lewis, challenged a US$1 trillion figure McAfee had cited based on the results of its surveys. Lewis criticized the survey methodology and instead recommended using actual economic modeling. As a result, the center found the losses to be between US$20 billion and US$140 billion, and pegged the job losses at 508,000 globally.8 This modeling was based on models used to estimate the economic effects of threats such as car crashes and ocean piracy. They then tailored their study to business espionage. The problem with that approach is that intellectual property losses are not the same as a car crash—where the vehicle has a known value and is reported to law enforcement—and even piracy where hijacked products on a ship have a known quantity and value based on a manifest. Because of this, many experts argue these figures are low for the U.S. when it comes to intellectual property, with all its economic nuances and reporting issues. In many ways it is like comparing apples and oranges, especially when you consider that this study was focused on the cyber-losses, which are only a fraction of the total losses resulting from business espionage. Even though this is the lowest figure that has surfaced, the losses are still extremely high.

Regardless of the exact amount, it is important to understand the significance of annual global business losses to business spying that are potentially close to, or in excess of, a trillion US dollars a year worldwide. Add to that job losses that may exceed a million jobs worldwide, and these losses are significant. And as most everyone realizes, the threat of business espionage is continuing to grow.

A 2008 survey of more than 7000 CEOs, CFOs, CIOs, CSOs, and vice president/directors in some 119 countries conducted by PriceWaterhouseCoopers entitled “Safeguarding the New Currency of Business” focused on cyber-security. According to the survey, “When data breaches occur, they hurt.” A significant percentage of respondents cited negative business impacts from the loss of their intellectual property, including financial losses (nearly 40%), and nearly a third reported damage to their brand and reputation. As the title indicates, the study also reported that, “Information has become the new currency of business—and its portability, accessibility and mobility back and forth across international, corporate and organizational boundaries are crucial components of a collaborative globally connected business world.”9

In spite of these numbers, as was noted earlier, employee theft is ranked way above business espionage as a concern of business, yet the American Management Association puts losses due to theft at less than US$200 billion a year.10 While this number is significant, it is nowhere near the global losses experienced due to business espionage. As for business continuity, the most expensive hurricane in U.S. history, Hurricane Katrina, centered in New Orleans, is estimated to have cost between US$108 billion.11 All of these threats ended up more significant than business spying in the Securitas survey of Fortune 1000 companies but losses attributed to business espionage are at least that much and are probably several times greater than threats attributed to natural disasters and internal theft combined.

The obvious question is, “How can the losses due to business spying be so severe yet business leaders are apparently so unaware of the impact?” Obviously, businesses need to look closely at the business espionage threat, the business impact of espionage losses, and then make decisions that include reducing the overall risk business spying poses.

Another way to help decide on what needs to be protected is to determine what types of information have been stolen by business spies in the past. Historical data can help to determine what information your business has that could be of interest to business spies. This book has discussed a number of case studies and examples that will help. A survey of Fortune 1000 companies disclosed that the following types of information had been targeted:

 Sales forecast and strategic plans

 Client information and customer lists

 Financial information

 Organizational plans

 Research data

 Design library information

 Product information

 Manufacturing processes and recipes

 Personnel information12

Of that information, companies were asked to estimate the value of information lost to business espionage. The participating companies reported that the loss of strategic plans cost the most at about US$1.4 billion; the loss of research and development related data was valued at US$1.35 billion; the loss of manufacturing process related information was valued at US$566 million; the loss of marketing plans was valued at US$460 million; the loss of intellectual property was valued at US$440 million; the loss of financial information was valued at US$360 million; the loss of information about upcoming mergers and acquisitions was valued at US$179 million; the loss of customer lists was valued at US$167 million; and the loss of personnel information was valued at US$114 million.13


1 Peter Schweizer, “Growth of Economic Espionage: America is Target Number One,” Foreign Affairs Magazine, January/February 1996.

2 World Trade Organization Trade-Related Aspects of Intellectual Property Rights (TRIPS), http://www.wto.org/english/tratop_e/trips_e/t_agm3_e.htm

3 Cheryl D. Smith, “How Pervasive Is it?” U.S. Chamber of Commerce Global Intellectual Property Center, November, 2011, http://www.theglobalipcenter.com.

4 Christopher Burgess and Richard Power, CIO, July 10, 2006; http://www.cio.com/article.2445646/security

5 The Report of the Commission on the Theft of American Intellectual Property, February 2013; http://www.ipcommission.org/report/IP_Commission_Report_052213. House

6 Hearings before U.S. House of Representatives Subcommittee on Counterterrorism and Intelligence, June 28, 2012 in Washington, D.C.

7 6-NBC News, November 30, 2011, http://www.cbc.ca/news/canada

8 “Study: Cybercrime Tally Way Off,” Tampa Tribune, July 29, 2013.

9 “Safeguarding the New Currency of Business,” PricewaterhouseCoopers study, October, 2008.

10 Karen Ott Mayer, “How to Guard Against Employee Theft,” Houston Business Journal, March 9, 2012.

11 Eric S. Blake, Christopher W. Landsea, Ethan J. Gibney, “The Deadliest, Costliest and Most Intense United States Tropical Cyclones” National Hurricane Center, August 2011.

12 Kathleen Ohlson, “Survey: Fortune 1000 Companies Losing Billions in Stolen Information,” CNN, September 28, 1999. http://www.cnn.com/tech/computing/9909/28/fortune.1K.idg

13 Ibid.
