What comes to mind when you think of industrial espionage — or economic or corporate espionage? Is it something like foreign spies sneaking into a defense contractor facility to steal fighter jet technology?
Of course, that does happen. State-sponsored spying is responsible for the theft of billions of dollars of intellectual property annually, according to estimates. But many cyberattacks on industrial organizations don’t fit that mold.
Top 10 Corporate Espionage Fallacies
Here are the top 10 myths and misconceptions about the state of industrial espionage in 2019.
1. Industrial Espionage Is a New Phenomenon
Information being stolen for financial gain has been a reality for centuries, but it really picked up steam with the industrial revolution. Britain industrialized first, and everybody else wanted to steal their secrets. As a result, Britain banned both the export of industrial machinery and the emigration of skilled workers.
The American founding fathers were big fans of stealing Britain’s secrets. Alexander Hamilton and Benjamin Franklin called for Americans to steal British technology and for skilled workers to emigrate to America. One famous immigrant, Samuel Slater, built America’s first water-powered textile mill using stolen British technology — the English press even called him “Slater the Traitor.”
This trend of theft naturally continued through the 20th century. In the 1920s, visitors from the Soviet Union stole blueprints and parts for a tractor during a visit to a Ford factory in the U.S. In the 1990s, the Gillette razor company caught an employee from a partner company stealing designs. Because the thief sent the trade secrets via fax and email, he was also charged with wire fraud.
In short, industrial espionage is pretty old. What’s new is globalization, global travel and the universally used internet.
2. Industrial Espionage Only Occurs Through Hacking
All the usual methods for hacking and breaches are employed in espionage attacks, of course. Others, however, are laughably low-tech. Dumpster diving, crashing investor meetings, getting employees drunk at a bar — there are thousands of methods that don’t even involve computers.
3. Industrial Espionage Is Conducted Mainly by Spy Agencies
Many cyberattacks on industrial organizations are conducted by private companies, but others are conducted by universities or even employees. Unethical employees who realize the monetary value of information they have access to could try to sell that information to the highest bidder, or employees could be singled out and bribed.
4. Industrial Espionage Is Mostly Overseen by Foreigners
It also happens domestically between companies. It’s common to see lawsuits filed by one Silicon Valley company against another where the plaintiff alleges that an employee hired by the defendant brought company secrets with them to their new job.
One new opportunity for data theft arises from the growth of coworking spaces. It’s trivial for rivals to set up shop in the same spaces as some of your employees and either hack into the employees’ systems through the Wi-Fi there or physically compromise devices after hours.
5. Industrial Espionage Is Always Illegal
In the book, “Broker, Trader, Lawyer, Spy: The Secret World of Corporate Espionage,” author Eamon Javers notes that some companies use unexpected tools to steal company secrets from competitors. And some of these methods, while unethical, aren’t exactly illegal.
Among these are interviewing an employee for a job they have no intention of offering and using the interview to find out company secrets. Unscrupulous companies can also attend company parties undercover, hoping to extract information from intoxicated people who think they’re talking to a fellow employee.
6. Industrial Espionage About Your Company Is Conducted Against Your Company
Sometimes, actual corporate espionage efforts are targeted toward a third-party organization with information about your company. Your law or accounting firm, your partners or even journalists who cover your industry could be manipulated or tricked into giving up facts about your company.
7. Industrial Espionage Hacking Is Just Like Other Hacking
One quality of industrial espionage attacks that makes them different from, say, ransomware attacks, is that corporate spies try hard to make sure you never find out about them. That’s actually one reason why they often fly under the radar. So many companies have been stolen from and don’t know it, so they underappreciate the threat.
Your R&D lab may be under lock and key, but what about the contract manufacturer who makes your products, your patent lawyer’s office and your accounting consultancy?
8. Industrial Espionage Is Relatively Rare
The U.S. Department of Justice, the Canadian government, NATO and the U.N. all say that industrial espionage is on the rise. Studies conducted by the German Association for Information Technology found that more than half of all German companies were victimized by espionage, data theft or sabotage between 2016 and 2018, at a loss of $50 billion. And around 20 percent of all European companies have suffered spying attacks, according to the European Union (EU). As it turns out, industrial espionage is pretty common.
9. Industrial Espionage Always Involves the Theft of Intellectual Property
Many acts of industrial espionage do involve theft of intellectual property, especially in industries where the development of that property is difficult or expensive, like aerospace or pharmaceuticals. Other times, the aim is financial information, client or customer data or other sensitive information.
10. Most Companies Are Protected Against Industrial Espionage
Actually, the opposite is true. Most companies are exposed to the threat. While protecting against common cyberattacks can also help protect against espionage attacks, it doesn’t necessarily guard against theft by disgruntled employees or low-tech methods.
How to Protect Against Industrial Espionage
Now that we’ve clarified how threats can manifest, here are some steps you can take to protect your organization from industrial espionage attacks:
- Identify the company’s most valuable information — the data that, if it were stolen, would lead to a catastrophe. Find out where it is stored and who has access to it, including third-party organizations and individuals.
- Set up a comprehensive program for protection and hold security awareness trainings to safeguard valuable assets. Focus not only on hacks but also on low-tech theft methods, such as stealing machines or capturing secrets on video as a visitor. In other words, focus on both digital and physical security.
- Simulate various attacks in a cyber range to ensure your technological defenses and incident response plans are sound.
- Use advanced monitoring software to track file transfers, downloads and email attachments to make sure employees aren’t grabbing and removing data they shouldn’t be touching.
- Partner with artificial intelligence (AI) to assess possible threats and respond more quickly to actual breaches.
- Make sure employees use wiped phones and laptops that do not contain any data during business travel, especially when they are traveling abroad. They should only access cloud-based data through encrypted channels and company data through a trusted virtual private network (VPN).
Industrial espionage is real, it’s common, and it can be very costly for your organization. Don’t fall for the myths around this serious issue — start preparing for the threat today.