Contributing Authors: Eric Celidonio and Lauren E. Perna
In the first two parts of this series we talked about real cases of IP theft, including our own. These cases are extreme, but still the threat should not be taken lightly. There are many precautions you can take to protect your company. Forbes outlines a list of ways companies typically shield themselves from corporate espionage. The best practices list takes into consideration both internal security issues, arising from current and past employees being able to access and leak data, as well as outsiders who are trying to get access to company information.
The most reasonable precaution is to conduct a security audit of both physical spaces and intellectual property (which can include anything from ideas being floated around the office to data located on your company’s servers). The audit should also work to secure sources of data, such as USB drives or laptops, that could be stolen by a corporate spy walking through your building.
The list also suggests organizations take into consideration the ability of outsiders to visit their company. For example, major tech companies such as Apple and Google are typically located on a private road that is away from main thoroughfares in order to reduce visitor traffic and reduce spying and data loss.
Other ways companies can protect themselves include:
- Universally adopt a well-written Confidentiality or Non-Disclosure Agreement (NDA) requirement for all interviewers in order to discourage would-be spy agents.
- Make IP security a part of your corporate culture. Remind personnel with access to sensitive information what is in need of protection and how they can protect it, how to protect it as well as the potential consequences of sensitive information loss.
- Make sure visitors and interviewers are accompanied by an internal staff member and not be left alone places where sensitive information is stored such as offices and lab space.
- Advise individuals without access to IP what they should do if they inadvertently come across IP or sensitive information.
- Limit the number of copies of sensitive information as well as general access to printers, encrypt sensitive information whenever possible.
- Consider implementing user and entity behavior analytics (UEBA). UEBA utilizes machine learning and artificial intelligence-powered analytics to monitor activity and detect unusual behavior; it can be very effective in thwarting cyber spying and sabotage attempts.Consider implementing user and entity behavior analytics (UEBA). UEBA utilizes machine learning and artificial intelligence-powered analytics to monitor activity and detect unusual behavior; it can be very effective in thwarting cyber spying and sabotage attempts.
- Have role-based access privileges that are frequently reviewed and that are changed INSTANTLY with promotion, re-assignment, termination, re-organization, need to know, or other changes in employment status.
Roger Johnson, CEO of Right Brain Sekurity, in an interview with Digital Guardian recommended deploying effective insider threat countermeasures with a focus on disgruntlement detection and mitigation techniques. He indicates that there are many motivations for an inside attack, but disgruntlement is one of the easiest to address. He recommends fair, effective, and widely used grievance and employee assistance programs. Treat all employees and contractors well (not just “fairly”), especially those with sensitive IP access and those who have been terminated. As we suggest in a recent article, there are different ways managers can appreciate their employees that are not to be overlooked.
When it comes to the candidate process, it’s about knowing what to look for:
- The questions asked by the candidate are not relevant to the job–instead, they are focused more on intellectual property.
- There is an insistence on seeing the lab, manufacturing facility, or cleanroom.
- The job candidate’s LinkedIn seems incomplete (e.g., no picture, or very little information is included) or their resume lacks specific details.
- Your company’s computer network is accessed from an unfamiliar location (i.e., indicating that spies or other malicious entities may have infiltrated your organization’s servers).
Conclusions
Corporate espionage may seem like something out of a Hollywood movie, but it is real and more common than you might think. Unfortunately, the candidate interviewing process can serve as a unique opportunity for spies to gain access to sensitive and confidential information including company IP. That doesn’t mean you need to stop interviewing highly qualified candidates on the concern they might be spies. With proper precautionary measures and ongoing vigilance, you can mitigate risk and still build a stellar (spy-free) team.
References:
https://www.giac.org/paper/gsec/1587/corporate-espionage-101/102941
https://www.thebalancesmb.com/how-corporate-spies-could-be-watching-your-business-4165210
https://usnwc.libguides.com/c.php?g=661096&p=5258510
https://www.cio.com/article/2879575/how-corporate-spies-access-your-companys-secrets.html
https://www.inc.com/magazine/201302/george-chidi/confessions-of-a-corporate-spy.html
https://blogs.findlaw.com/free_enterprise/2017/05/3-tips-to-protect-against-corporate-espionage.html
https://securityintelligence.com/articles/10-myths-and-misconceptions-about-industrial-espionage/
http://ipcommission.org/report/IP_Commission_Report_052213.pdf
https://digitalguardian.com/blog/how-to-secure-intellectual-property#Johnston