Economic Espionage: The Scrupulous and Unscrupulous Competitors
When we think of economic espionage, we hardly ever think of our competitors as being a part of the equation. Yet our competition comes to us in many flavors. It includes the ethical people, who conduct their research and development without the infusion of ill-gotten input or engaging in nefarious behavior, as well as those who have already crossed the moral chasm to unethical behavior. The former will consume what you make available, while the latter’s mantra is, “What’s yours is mine.” We will address both.
Competitive Intelligence: The Scrupulous
The world of economic espionage is often referred to as competitive intelligence gone awry. The scrupulous competitor, operating within the parameters of moral ethical behavior, will be encountered far more than the unscrupulous. Yet their ability to ferret out information of value from the trove of information you share with your employees, partners, clients and customers can be foreboding in its enormity.
Indeed, the lack of security controls on research and development activity within one’s own organization may find competitive advantages protected through trade secrets skewered by employees’ activities. Some examples include:
The era of employees staying with a single company from day one until retirement is long gone. Employees move and grow from company to company, and they use a myriad of social network and employment portals to be discovered. In doing so, their resumes or curricula vitae (CV) are kept up to date, and occasionally examples or discussion around their current projects are detailed. This includes scope, team size, tools used, resources, funding, subcontractors, etc.
To remedy this, remind employees what may and may not be included in resumes and CVs during security and awareness refresher training.
An employee may be invited to speak and present at industry conferences. Such presentations often contain cutting-edge research, which is good for the community as a whole. But it’s not so good when a presentation includes information that was being protected as a trade secret. Public disclosure outside the protection of a nondisclosure agreement (NDA) renders the trade secret protection null.
To avoid this, include a review process on any presentations that mention company research, products, methods or techniques.
There is no doubt travel has been reduced via the adoption of teleconference technologies, which allow us to have office-to-office meetings without the need to board a plane, train or ship. Yet face-to-face meetings, especially within the sales engagement cycle, continue to be of tremendous value. The number of apps that help these road warriors track and share their travel on social networks continues to grow.
The astute competitor knows who the shared customers or prospective customers are, and is no doubt collecting travel data that the individual is providing to their social networks. Updates such as, “I am in Bentonville, Arkansas, today,” or, “Had a great meal at the Crab Shack in Naples, Florida,” are all bits and pieces of the mosaic.
The solution is to implement a travel security program and include a segment on the art of information aggregation.
One needs only read the financial pages to see scoops on the financial results of company X or company Y released by a media outlet well ahead of the intended release date. Yet companies X and Y did release their information — just perhaps not in the manner in which they intended.
Expect competitors to run persistent searches against your website and any content you publish. Running the same persistent searches yourself will help you discover your own staged information. It will also unveil the nonprotected data stores you create for your sales employees or support personnel so they may self-serve their sales-in-a-box for any given customer.
Never let convenience trump security. If prepositioning information — be it the financial results in anticipation of the quarterly call or sales decks — put it behind the private wall and not where it is publicly accessible.
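The self-audit suggested above can be scripted. The following is an added example, not code from the original article: it takes a list of URLs you intend to publish later (an earnings release, a customer deck) and checks whether an anonymous client can already retrieve them. A 200 to an unauthenticated request means the item is sitting in public; a 401/403 or a redirect to a login page means it is behind the private wall. The URLs, the `/login` path markers and the stubbed responses are all constructed for the example; `anonymous_fetch` is the real network path and is only used when you pass it explicitly.

```python
"""Pre-positioned content self-audit (added example, not from the article).

Checks that material staged for later release is NOT retrievable by an
anonymous client today. Only the fetcher touches the network; the
constructed stub below lets the logic run offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# A fetcher returns (HTTP status, Location header or "") for a URL.
Fetcher = Callable[[str], Tuple[int, str]]

# Path fragments that identify a login redirect (assumption: adjust to your SSO).
LOGIN_MARKERS = ("/login", "/sso", "/signin")


@dataclass
class Finding:
    url: str
    status: int
    verdict: str  # exposed | protected | redirect | absent | unreachable


def classify(status: int, location: str) -> str:
    """Map an anonymous response to a verdict about the staged item."""
    if status == 200:
        return "exposed"            # anyone can read it right now
    if status in (401, 403):
        return "protected"          # auth wall is in place
    if 300 <= status < 400:
        if any(m in location.lower() for m in LOGIN_MARKERS):
            return "protected"      # bounced to a login page
        return "redirect"           # redirected elsewhere: review by hand
    if status == 404:
        return "absent"             # not staged yet, nothing to leak
    return "unreachable"


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError instead


def anonymous_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Issue an unauthenticated HEAD request and report status + Location."""
    opener = build_opener(_NoRedirect)
    req = Request(url, method="HEAD", headers={"User-Agent": "prestage-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, ""
    except HTTPError as e:          # 3xx/4xx/5xx all arrive here
        return e.code, e.headers.get("Location", "") or ""
    except URLError:
        return 0, ""


def audit(urls: List[str], fetch: Fetcher = anonymous_fetch) -> List[Finding]:
    findings = []
    for url in urls:
        status, location = fetch(url)
        findings.append(Finding(url, status, classify(status, location)))
    return findings


def exposed_urls(findings: List[Finding]) -> List[str]:
    return [f.url for f in findings if f.verdict == "exposed"]


# Constructed responses standing in for a real server (not real hosts).
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://www.example.com/ir/q3-results-draft.pdf": (200, ""),   # staged early, world-readable
    "https://www.example.com/sales/acme-deck.pptx": (302, "https://www.example.com/login"),
    "https://www.example.com/sales/old-deck.pptx": (404, ""),
    "https://portal.example.com/internal/roadmap.pdf": (403, ""),
}


def stub_fetch(url: str) -> Tuple[int, str]:
    return CONSTRUCTED_RESPONSES.get(url, (0, ""))


if __name__ == "__main__":
    for f in audit(list(CONSTRUCTED_RESPONSES), stub_fetch):
        print(f"{f.verdict:11} {f.status:3} {f.url}")
```

Run it on the real URL list before the embargo date, with `anonymous_fetch`, from a network that holds no session cookies; anything reported as `exposed` is already public regardless of whether a link to it exists.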
There is no easier way to learn what a competitor is doing than to ask them. There are no fancy elicitation techniques required. People love to talk about their work, and the art of the open-ended question produces treasure troves of data.
During security and awareness training, include a segment on oversharing. TMI, or too much information, doesn’t just apply to our personal lives — it can impact the business world as well.
Competitive Intelligence: The Unscrupulous
As we noted above, the unscrupulous have already decided the business norms of ethical behavior need not apply. They want what they want, and are hellbent on acquiring your information to advance their research and development or sales. They also may simply wish to set you back a few steps so that they may step forward.
Employment shenanigans come in a variety of flavors, but the three most prevalent are the fictitious job scam, the fake social network persona and the hire-to-deny scheme.
Fictitious Job Scam
The fictitious job scam is pretty straightforward: The competitors do their homework, using social listening tools to learn about your employees, their tasks, jobs, likes and dislikes. Then, they craft the perfect job description designed to attract your employees like bees to pollen. During the interview process, the targeted employee is asked detailed questions about current work and demands are made to show current finished work — and maybe even your trade secrets.
While discerning the fake from the real may be difficult, knowing what falls under the NDA between you and your employees is not. This should be reviewed on a regular basis and any restrictions shared with employees.
Fake Social Network Persona
Within the last few months, the fake social network scheme has been in growth mode within the LinkedIn social network. Two separate warnings to two separate target audiences were issued — one to government employees who had security clearances, and the other to security researchers.
The goal of these fake personas is twofold: First, they wish to access your employee’s contacts and enjoy the umbrella of implied trust. Second, they want to move the desired engagement with the targeted employee forward.
The solution is to trust but verify. Before you begin sharing personal information with an unknown individual, verify his or her identity using all available means.
Hire to Deny
There have been a good many civil lawsuits where company X hired an employee from company Y, and the condition of employment was that the employee would lift and carry the intellectual property, trade secrets and customer lists of company Y to advance the interests of company X. While ugly on the whole, we are conditioned to understand that individuals break trust. For this reason we have security awareness programs and internal security protocols and procedures.
The area that doesn’t get as much attention but is often used with deadly effect is hiring your star performer in order to bench them. This scenario involves the hire of your employees at a salary straight from the stratosphere with the sole purpose of removing them from your bench, even though they are of no use to your competitor. In fact, they place them on a two-year sabbatical and effectively place your team two steps back.
Avoiding this scheme is a matter of keeping your employees engaged, satisfied and challenged in such a manner they know they are already where the grass is greener.
You may not have been expecting to share your knowledge with competitors, but you are. They engage the petty criminal to snatch and grab your employees’ devices. The modus operandi ranges from simply entering your office spaces and grabbing any devices that are not bolted down to the more elaborate breaking and entering.
For instance, criminals may take advantage of a group dinner, where an entire team goes to a restaurant and leaves their devices in their vehicles — only to return to the parking lot to find that all vehicles were broken into and all devices missing. Another tactic is the dropped USB in the parking lot. It is absolutely low tech, yet highly effective. Criminals are counting on your employee to want to do the right thing and return the device to the rightful owner, but they use this opportunity to plant malware on your network.
The Many Types of Elicitation
Whether acting in person or via phone, these are professional criminals. Drawing from this author’s own work, “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage,” elicitation comes in many flavors.
Direct conversation is highly effective. The unscrupulous will often attempt to socially engineer your employee into taking action as a direct result of the conversation. Requests may include, “Put your latest presentation on my USB stick,” (a stick that has a preloaded malware payload waiting to be launched) or obtaining additional company information to be used in a separate approach on a different target. For instance: Who picks up our garbage? Who are the contractors who do the office cleaning at night? Do we have a private shredder or is this contracted out?
Train your employees on what to share, what to do and how to respond to elicitation. Testing their knowledge from time to time is necessary, as is ensuring the employee knows that erring on the side of protecting the company is not a punishable offense.
Criminals may contact employees and identify themselves as colleagues. The names they use are those of real employees. They claim to be out of the office, on vacation, at a client’s location, etc. They request the immediate provision of an employee directory, the latest customer deck, the email the CEO sent last week, etc. They will ask that these be immediately forwarded to their personal account as well as their company email account since their company email is temporarily inaccessible.
Train employees to never provide internal information via a means not associated with the company infrastructure. This includes the emailing of company data to personal email accounts or uploading internal information to nonsanctioned third-party storage devices or environments.
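The training rule above has a technical counterpart on the mail gateway: the "forward it to my personal account too" request leaves a recognizable trace. The following is an added example, not code from the original article. It runs two checks over outbound mail-gateway records: outbound mail carrying an attachment to a personal webmail domain (the policy violation in the paragraph above), and a personal-webmail recipient whose address looks like a twin of an internal colleague who is also on the same message (the impersonation pattern described two paragraphs up). The log format, the `example.com` domain, the webmail list and every log line are constructed for this example.

```python
"""Personal-webmail forwarding detection (added example, not from the article).

Parses constructed mail-gateway records and raises alerts for the two
behaviours discussed in the text. Format and data are invented here.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"            # assumption: your corporate domain
PERSONAL_WEBMAIL = {                        # assumption: tune to your environment
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "protonmail.com", "icloud.com",
}

# Constructed gateway log: one message per line, key=value fields, quoted subject.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z dir=out from=j.doe@example.com to=marketing@partner-co.example subj="Agenda for Tuesday" attach=0
2024-05-02T10:21:47Z dir=out from=j.doe@example.com to=p.smith@example.com,psmith.work@gmail.com subj="Re: latest customer deck" attach=1
2024-05-02T10:30:12Z dir=out from=a.lee@example.com to=alee.home@yahoo.com subj="FY staffing plan" attach=1
2024-05-02T11:02:55Z dir=out from=a.lee@example.com to=alee.home@yahoo.com subj="lunch?" attach=0
2024-05-02T11:15:09Z dir=in from=bob@customer.example to=sales@example.com subj="PO 4471" attach=1
"""


@dataclass
class MailEvent:
    ts: str
    direction: str
    sender: str
    recipients: List[str]
    subject: str
    attachments: int


@dataclass
class Alert:
    ts: str
    rule: str
    sender: str
    recipient: str


def parse_line(line: str) -> MailEvent:
    """Parse one record; shlex keeps the quoted subject as a single token."""
    ts, rest = line.split(" ", 1)
    fields: Dict[str, str] = {}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return MailEvent(
        ts=ts,
        direction=fields["dir"],
        sender=fields["from"].lower(),
        recipients=[r.lower() for r in fields["to"].split(",")],
        subject=fields.get("subj", ""),
        attachments=int(fields.get("attach", "0")),
    )


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def letters_only(addr: str) -> str:
    """Normalise a local-part: p.smith -> psmith, psmith.work -> psmithwork."""
    return re.sub(r"[^a-z]", "", addr.rsplit("@", 1)[0].lower())


def looks_like_twin(personal: str, internal: str) -> bool:
    """True when one normalised local-part contains the other (min 4 letters)."""
    a, b = letters_only(personal), letters_only(internal)
    short, long_ = sorted((a, b), key=len)
    return len(short) >= 4 and short in long_


def detect(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.direction != "out":
            continue
        personal = [r for r in ev.recipients if domain_of(r) in PERSONAL_WEBMAIL]
        internal = [r for r in ev.recipients if domain_of(r) == INTERNAL_DOMAIN]
        for r in personal:
            # Rule 1: company data leaving via a channel outside company infrastructure.
            if ev.attachments > 0:
                alerts.append(Alert(ev.ts, "attachment_to_personal_webmail", ev.sender, r))
            # Rule 2: the personal address mirrors a colleague copied on the same mail,
            # the "send it to my company address and my personal one" request.
            if any(looks_like_twin(r, i) for i in internal):
                alerts.append(Alert(ev.ts, "personal_twin_of_colleague", ev.sender, r))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:32} {a.sender} -> {a.recipient}")
```

Rule 2 is the higher-value signal: a single employee mailing a deck to their own Gmail is a policy breach, but a message that pairs a colleague's corporate address with a near-identical webmail address is what the pretext in the text actually produces, and it is worth routing to a human even when no attachment is present.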
Dumpster-Diving and Recycling
Every company, including your own, produces sensitive data and uses equipment that requires eventual destruction or recycling. Those papers, which contain company confidential information, should be destroyed on-premises if at all possible. Investment in a cross-cut shredder ensures you know what has been destroyed. The use of a third party for contract destruction on their truck at your loading dock is another option, as is the hauling of your confidential paper to a centralized locale.
The unscrupulous have been known to disguise themselves as those representing the contractors you are used to seeing on your campus, engaged in activity you are accustomed to seeing. Maybe they remove the blades from the on-site disintegrator, which will crumple paper but still give an observer the sound of paper being pulverized.
Recycling equipment is a green practice and should be a part of every company’s replenishment regime. The unscrupulous competitor wants you to recycle your laptops, computers, servers, copiers and more, preferably with a company with which they also have a relationship. As many organizations have learned, there is data stored on those devices ready for harvesting.
The closer your employees can be to the actual destruction of the paper documents, the more likely that the document will be destroyed. Similarly, the recycling of devices requires more than just tossing them in the to-go bin. A process needs to be implemented to remove drives and memory chips from laptops, tablets, smartphones, computers, servers and copiers for separate secure destruction.
A Final Thought on Economic Espionage
The future is green for almost every company that minimizes the potential sharing of information with competitors. All sorts of data can be harvested by the ethical or unethical competitor, but executives could greatly reduce the prospect of becoming a victim of economic espionage by developing the training programs and corporate policies that support secure operations.