Preventing Corporate Espionage

Michael Podszywalow


March 1, 2012

China enjoyed a monopoly on silk production for hundreds of years when, at times, silk was more valuable than gold. The Chinese closely guarded the secret and put thieves to death. But around 300 A.D., local Nestorian monks managed to smuggle the coveted silkworm eggs out of China in bamboo walking sticks. They found one attack vector that worked, and they broke the Chinese monopoly.

Stealing information is one of the oldest forms of gaining a strategic and competitive advantage. Espionage happened in the past, happens today and will happen tomorrow. The only things that change are the techniques that are applied. How do you protect against a sophisticated, motivated criminal? A professional spy who has targeted your company's trade secrets? A skilled insider with a specific purpose in mind? These types of people know that information comes in many forms, not just the digital realm, and they are trained to exploit any vulnerability. So an information security program must incorporate more than just traditional network system tests and vulnerability assessments.

Put yourself in the shoes of a criminal. With your deviant mind-set, you are willing to work inside or outside of technology and find different ways to get information.

Remember the old James Bond movies? 007 would pull out gadgets whose simplicity is comical now. Shoes with secret compartments, books with hidden tape recorders and voice-altering devices. In Goldfinger, Bond even wore a wet suit with a rubber duck on top for camouflage. Don't underestimate the power of these low-tech devices that assist in collecting non-electronic information.

Besides the cutting-edge technology we often worry about, our companies are at risk from neckties with hidden cameras, audio bugs, removable storage devices, USB gadgets, surveillance technology, hardware key loggers with built-in processors and Wi-Fi capabilities, and screen-capture tools that look like simple extension cables but record snapshots of a user's computer monitors. A simple web search reveals that most of these items are relatively inexpensive and can be acquired online. And don't overlook the obvious: copiers, fax machines and other seemingly archaic technologies that remain a potential source of information leakage even in 2012.

According to security expert Ira Winkler, information exists in four dimensions: paper, visual, oral and electronic. Winker, who has worked for the National Security Agency and wrote Spies Among Us, a book that offers advice to thwart corporate espionage, says that professional spies can obtain information through any of these channels. Deploying security technologies alone will not protect your company. An effective information security program must protect all four dimensions of information using physical, logical and operational security measures.

Unfortunately, too many companies rely solely on their network vulnerability assessments and traditional pen tests to measure the effectiveness of their security programs. Although such tools are integral parts of most security programs, they do not mimic what attackers actually do.

In some places of the world, people have the mind-set that, if you fail to protect your information, it is up for grabs. They view you as an easy target that should have had better protection in place, not as a victim who suffered criminal damage through espionage. Today, there is no universally adopted legal definition of a trade secret, so countries treat theft of intellectual property very differently.

To protect yourself, you must begin to view your organization from an attacker's viewpoint and realize that no company is 100% secure. A determined, skilled and highly motivated attacker is almost impossible to stop, but you can put measures in place that make your company less likely to be victimized.

Another fatal flaw for many companies is focusing solely on compliance. In today's regulatory environment, information security managers must comply with industry-specific, state and federal regulations that focus on customer information and privacy. Security programs that focus on privacy-related compliance requirements do not sufficiently protect your company's assets or shareholder value. Your company is not secure just because you have checked off all the items on the compliance list.

There is hope, however. With the right mind-set and the right plan, every company can better protect itself against corporate thieves. Follow these three steps to create a more secure enterprise.

Step 1
The first step to a better defense is to identify the information that, if lost, would critically harm the company, and the value of that information to your company and its competitors. These are your "crown jewels" and require the best safeguards. Information security managers must be able to identify the company's intellectual property, its location and its value. Only then can they protect and control who has access to this information. A risk assessment should then be performed to identify existing security vulnerabilities to those crown jewels.

As a side note, it is also important to establish a complete list of data items your organization owns or processes, including an inventory of all intellectual property that could affect revenue or reputation. Involve stakeholders from across the organization to identify this information. Examples of such information include copyrighted material, patents, trademarks, operating procedures, user manuals, policies, memos, reports, plans, contracts, source code, recipes, manufacturing plans, chemical formulas, design drawings and patent applications.

Step 2
Once you fortify your crown jewels, you must determine how to protect against the low-tech attack vectors. One way to do this is through an incentivized and targeted security awareness program that includes regular, enterprisewide security testing. Realistically, employees respond better to carrots than sticks. If you properly train and incentivize security awareness, you will gain a strong defense.

Step 3
The final step is to simulate an actual attack, which often occurs as a "blended threat" in your enterprise security testing. This exercise should focus on all types of information regardless of its form. You should implement testing along several attack vectors. For example, combine a network pen test with physical and social engineering assessments. The results will give you a better idea of your current attack defenses.
Michael Podszywalow, MBA, CISSP, CISM, CISA, CEH, is the founder and senior security consultant for SpyByte, LLC.