Introduction

Espionage has, by its very nature, always been a mysterious and secretive activity. The very words “espionage” and “spying” conjure up all kinds of images in most people’s minds. Since espionage usually involves covert and clandestine activities, many people’s eyes glaze over when the subject is mentioned. As a result, when it comes to espionage or spying in the business sense, there is often a great deal of confusion and a very real lack of understanding.

Business espionage is often cited as being one of the oldest businesses in the world. It certainly goes back a long time and most historians will cite the loss of the silk secrets from China to Japan, Korea, India, and Europe as the oldest documented cases of business espionage. That means, at the very least, it goes back to around 300 B.C.

This book was written because, in the twenty-first century, business espionage is a major threat to businesses and economies around the world. It is vitally important for business leaders to better understand it in order to devise countermeasures to protect their most sensitive business information. If businesses continue to think that business spying is the stuff of James Bond and that it does not threaten them, they will continue to suffer massive and even catastrophic consequences.

Before one can effectively address the topic of spying in the corporate/business world, it is important to understand the terminology. Currently there are at least five English-language terms used to describe the same general business threat. They include:

1. Business espionage

2. Corporate espionage

3. Industrial espionage

4. Commercial espionage

5. Economic espionage

All five of these terms refer to the same general subject area. Economic espionage is often used to differentiate between government/military national security espionage (which is what many people think of when thinking of the subject of espionage) and economic-related spying (which takes place in the business sector). However, because business technologies can have dual or military applications and because some governments own businesses or directly control businesses, it is not always possible to clearly differentiate government spying from business spying. At least this term makes it very clear that the espionage has an economic aspect to it.

In fact, there are many who believe that the national security of any nation-state is so closely tied to its economic well-being that even the more exclusive business espionage has a national security aspect.

Generally speaking, however, the terms “industrial espionage,” “economic espionage,” or “corporate espionage” are all used when spying is conducted for commercial or business purposes and not purely national security purposes. Economic espionage is often used to refer to spying conducted or orchestrated by governments, and it is usually international in scope. Industrial or corporate espionage is more often intra-national and occurs between companies or corporations that are competitors. Business espionage can include both sectors when the government is directly involved in the business sector, and, again, this happens in many places around the world. For example, in some countries there are state-owned enterprises that take part in international business but are controlled by a nation-state. Additionally, in an increasingly global economy, it is difficult to differentiate between international and intra-national.

For purposes of this book, all five terms will be used somewhat interchangeably to refer to the theft or misappropriation of sensitive proprietary information for businesses, especially intellectual property. The latter will usually be called “trade secrets.”

The term trade secret refers to one of the four major categories of intellectual property:

1. Patent

2. Trademark

3. Copyright

4. Trade secrets

Trade secrets are the main focus of business espionage and can include a formula, pattern, compilation, program, device, method, technology, technique, or process that has value and is not generally known (at least when it is stolen). Additionally, in most jurisdictions, in order to get legal protection there must also be a documented, provable effort expended to keep this information secret and known only by those who need to know the information to effectively do business. While patents, trademarks, and copyrights are also subject to theft and/or misappropriation, it is trade secrets that are most often the target of business spies. While there are important legal definitions and distinctions, this book will refer to trade secrets as sensitive business information even if the owner did not take appropriate steps to protect that valuable information, which means it may not legally be a trade secret. These are all important terms to understand as we explore the world of business espionage.

Business Espionage Misunderstood

As mentioned earlier, there are a number of misconceptions and misunderstandings that contribute to the lack of effective security for sensitive business information. Some of the most significant include what we will call the silo syndrome, the James Bond syndrome, an exclusive cyber-security focus, and the ostrich syndrome. Since they are so common, I think it is important to discuss some of the typical barriers faced in more detail.

Silo Syndrome

During a security conference (U.S. State Department’s Overseas Advisory Council, or OSAC) in Washington DC in 2012 a panel of experts in counterespionage identified this syndrome as one of the biggest issues facing those who must deal with business espionage. Many companies look at business spying as a problem that needs to be assigned to some isolated organizational functional silo within the corporate structure. Common departments it gets pushed to include security, IT, legal or human resources, where business spying becomes their problem. “It’s a security problem” or “it’s an IT problem” are frequently heard. The conference’s panel of experts agreed that business spying should be considered as a business problem, not just a security or IT problem. This means the business entity, as a whole, must deal with the problem and the approach must cut across multiple organizational functions or silos. That is, it must be embraced by a leader in the organization who has the power and ability to cut through these functional silos and bring the entire organization together to address the problem.

James Bond Syndrome

There are also widespread misconceptions that industrial/corporate/business espionage is only a high-tech crime perpetrated by James Bond types who are envisioned as rappelling into a business office or manufacturing site suspended from thin special wire cables in an air conditioning duct. Or, if that’s not the case, at least it is viewed as a crime perpetrated by nerdy but genius computer hackers. Neither one could be further from the truth. As we will learn, just about all corporate spying is accomplished using decidedly simple, and preventable, methods. Regretfully, because so many companies have a poor understanding of, and protection from, business espionage it means that a bumbling Maxwell Smart (Note: Maxwell Smart was a spoof character also known as Secret “Agent 86” on a television series called “Get Smart,” which was a situational comedy spy show that was on television in the United States from 1965–1970) rather than a James Bond could easily steal valuable business secrets from all too many businesses.

Exclusive Cyber-Security Focus

The IT world has done such a good job addressing intellectual property loss issues that some experts have erroneously concluded that cyber-security is the focus of countering business espionage. While information on a computer can be extremely valuable and definitely warrants protection in any counterespionage approach, the same piece of information written on a scrap of paper can be worth just as much, especially since business spies often gather bits of the puzzle and begin to assemble them into viable and usable intelligence. It is therefore important to protect all forms of sensitive business information regardless of how it is stored. The sensitive information can be in a cyber-based form, but it can also be paper/document based, photographic, observed, or oral/spoken. It can be formal documents, draft documents, working papers, or scrap, and it can be internal correspondence or communication, even financial, legal, or regulatory. It can also be conversations that are part of formal meetings, informal meetings, or casual conversations. While there is definitely a cyber-security component and IT security has to be involved in any twenty-first century counterespionage program, focusing on computer-based data protection alone can leave an organization extremely vulnerable to other basic business-spying techniques.

The core target of business espionage is “information.” In the world of business espionage, sensitive information is best defined as any knowledge that can hurt your organization and/or help your competition. Again, that information can be in any form.

According to the U.S. Federal Bureau of Investigation (FBI) and similar international law enforcement organizations, industrial espionage costs U.S. companies alone anywhere from $24 billion to $250 billion annually.[1] Experts concur that the technical (usually cyber) vulnerabilities are responsible for less than 20% of all losses or compromises of sensitive business information but most agree that the cyber-threats seem to be growing. Again, cyber-security is critically important but a business should definitely not put all of its counterespionage efforts into the IT realm alone because that leaves up to 80% of threat vectors unaddressed.

Most business spies are perfectly happy to get information from the easiest and most overlooked and, hence, least protected of sources—including trash, a vulnerable telephone, or an employee that talks too much and too freely. As a matter of fact, those sources are even preferable, because they often involve less risk to the spying operative. A good spy always looks for the path of least resistance and the least likely to be detected. Those methods will be tried first before trying anything fancy or high tech. These methods can also make it easier to exploit IT security. It might mean social engineering or observation to get a password, but it might also include planting a spy inside the company or recruiting a spy who has some legitimate access to IT systems. Or it might involve exploiting physical security vulnerabilities to get direct access to a server or communications line.

Ostrich Syndrome

Sadly, many business executives (and this includes information managers and security officers) do not believe their organization will be targeted, a belief based primarily on “hope” rather than factual analysis. It is very similar to the ostrich sticking its head in the sand when a threat emerges. They assume that if their company is not in the defense industry, is not highly technical, or is relatively small, no one will try to steal its business secrets. In fact, one of the most frequently expressed misconceptions is, “Our business has nothing worth stealing or our technology is changing so fast that by the time it is stolen, it will be obsolete.” This all-too-common attitude gives business spies their best opportunities. In fact, small businesses tend to be targets more often than large corporations, simply because there are more of them (and more competitors) and they tend to have far less security. No company or organization is immune to being targeted by business spies. To a small company, a $50,000 loss could be much more devastating than the loss of billions would be for a large company. If you truly have nothing worth stealing (hence worth protecting), you probably should not be in business because you are not really competitive. When conducting a security risk assessment, this attitude frequently surfaces, but after talking in business terms about what the company does, how they do it better than their competition and what their objectives are for the next 1–5 years, it soon becomes clear that they do have trade secrets, even if they have not identified them as such. It also often means they may be missing key legal qualifications for their trade secrets and do not have measures in place to protect their sensitive information.

Another aspect of the ostrich syndrome has to do with a desire to quickly implement changes and programs. For example, when a company decides to move some of its manufacturing to another country, it wants the move done quickly and does not want to see or hear any “evil,” that is, anything that might slow the process down. As a result, many companies make catastrophically bad decisions without even considering business espionage and loss of intellectual property as a part of the overall decision-making process.

Objective

The main objective of this book is to make it clear to businesses of all types and sizes, all around the world, that business espionage is very real and is a threat that can significantly impact a business. Business spying is pervasive and it can do grave damage to businesses. But it is probably more important, armed with that kind of knowledge, to understand that it is also possible to protect yourself and your business from the threat of business espionage.

How to Use This Book

This book is organized into two major parts:

1. The problems posed by business espionage

2. The countermeasures that can protect a business entity from spying

The first part provides insight on why business espionage is an important business issue. It examines the threats, typical vulnerabilities, and the business consequences through a series of case studies and other background information; when these three components (threat, vulnerabilities, and consequence/business impact) are combined, the result is considered the “risk.” The second part covers cyber and physical countermeasures. But most importantly it stresses the importance of having integrated countermeasures for the most effective risk-based protection possible.

The purpose of all of this is to provide an understanding of the threat that can be used for proactive planning or education/awareness. It includes identifying any gaps or vulnerabilities in security against business spying so a business can close these gaps and reduce its vulnerability to the threats. Looking at these two components (threat and vulnerability), along with business impact issues, this book will provide guidelines for reducing your risk from the business espionage threat.


[1] FBI Press Release, July 17, 2002.
