Corporate espionage: protecting your enterprise from hidden threats

What are the threats facing my business?

When discussing Espionage, it often the case where opinions and viewpoints are driven by historical cases of espionage being purely isolated between state-level actors. In our modern and inter-connected world where economies are driven by trade, commerce, innovation and technological advances; state-level espionage has consequently been directed towards businesses and corporations. This evolving change presents enterprises with a clear requirement to protect their intellectual property and profitable assets from countries seeking to gain economic advantages.

Corporate Espionage threats are no longer exclusively attributed to state-level actors, an increasing number of enterprises report of continuous and often aggressive effort by their competitors to obtain privileged access to confidential and propriety information. Since businesses now have an increased reliance on cyberspace to transmit and produce corporate information – this has consequently provided corporate rivals with an additional approach when conducting espionage. Having said that, the human factor always had a central role in such covert activities. This puts the Boards of so many businesses in an uneasy situation. Countering espionage requires not only a holistic approach but an inclusive one. Such an approach should consist of extensive internal and external collaboration, communication, partnership and consistency with public and private organisations.

What can I do to address this threat?

Intel-Lytix has supported several clients not only by investigating acts of Corporate Espionage, but also by designing holistic and inclusive governance strategies to provide them with a baseline of accountability within their respective frameworks. Recognising the fact that acts of Corporate Espionage are often enabled by ‘Insiders’ – our use of Staff Vetting and Background Screening has proven to be a valuable method when measuring a person’s level of integrity in addition to unforeseen risks ranging from associations with competitors, economic irregularities and improper behaviour.

Every enterprise is different, and the internal dynamics will vary depending on its industrial market, size, location and configuration. This factor means that there is no set blueprint for enterprises to design and introduce a Counter Corporate Espionage program with any degree of success without addressing the needs of their business and additional considerations by means of a Risk Analysis Profile complete with a series of recommended actions to take. However, enterprises are strongly encouraged to consider the following:

  • Establish an enterprise security governance programme that identifies your risk tolerance levels with regards to Corporate Espionage in addition to other threat types.
  • Identify and measure the vulnerabilities that exist within your enterprise in addition to possible threats and threat actors who are capable of exploiting the vulnerabilities.
  • Conduct a thorough analysis of the operations and assets that are most critical to your enterprise and establish an understanding of how they may be targeted and exploited. For the purpose of identification and classification of those data, all business units in an enterprise need to work collaboratively and closely to focus on the most critical assets.
  • Thoroughly test the resilience of your physical security and access control procedures. Enterprises should consider consulting with a third-party that has the capability to conduct a simulated breach of business properties in order to identify what information can be retrieved and by what means.

What can I do to mitigate against this threat?

In short, there is no set answer due to the rapidly evolving and sophistication of threats and threat actors. However, within the context of physical security, we have recommended enterprises to consider the following general measures:

  • Secure properties and business premises through the use of resilient and tested access control systems, lighting, surveillance and perimeter infrastructure. Ensure that trees and vegetation do not obstruct line-of-sight.
  • Restrict employee gathering areas such as smoking areas to areas that cannot be overheard and seen by bystanders. Corporate Espionage actors have even been known to use lip-readers and positioning within view of business smoking areas in order to collect sensitive information. If this is difficult to achieve, consider positioning such areas next to areas where remote audio surveillance can be difficult, such as water fountains.
  • Implement a process where buildings and department locations are labelled by alpha-numeric numbers as opposed to functional descriptions such as ‘Research and Development’ and ‘IT’.
  • Position CCTV sparingly to ensure that sensitive areas are protected. However, lesser-obvious locations should also be monitored such as car parking areas. In several instances, Corporate Espionage threat actors have targeted business executives by attaching GPS trackers to their vehicles in order to determine the location of business meetings.

Of course, this above is just a very small number of recommendations that we have made for enterprises seeking to reduce threats from Corporate Espionage threat actors. In most regards, enterprises should ensure that security procedures are also extended to address document handling and storage processes, recruitment procedures, information security and personal security. The latter of which we have a long-standing history of addressing through the provision of Staff Vetting and Background Screening, Training and Awareness, and Risk Consulting.

What should I do if my business falls victim to Corporate Espionage?

Time is of the essence and it is essential for an enterprise to contain an incident as soon as an issue is identified. An investigation should be conducted as a matter of course in order to accurately identify the root cause of an incident; by doing so will enable an enterprise to implement measures to mitigate its impact. The investigation will further enable an enterprise to adapt and reconfigure their security arrangments to ensure that such incidents cannot be repeated.

Whether the incident is a cyber breach or an intentional leak of sensitive information to a competitor, the response that should be taken by an enterprise remains unchanged.