Contributing Authors: Eric Celidonio and Lauren E. Perna
In the first two parts of this series we talked about real cases of IP theft, including our own. These cases are extreme, but still the threat should not be taken lightly. There are many precautions you can take to protect your company. Forbes outlines a list of ways companies typically shield themselves from corporate espionage. The best practices list takes into consideration both internal security issues, arising from current and past employees being able to access and leak data, as well as outsiders who are trying to get access to company information.
The most reasonable precaution is to conduct a security audit of both physical spaces and intellectual property (which can include anything from ideas being floated around the office to data located on your company’s servers). The audit should also work to secure sources of data, such as USB drives or laptops, that could be stolen by a corporate spy walking through your building.
The list also suggests organizations take into consideration the ability of outsiders to visit their company. For example, major tech companies such as Apple and Google are typically located on a private road that is away from main thoroughfares in order to reduce visitor traffic and reduce spying and data loss.
Other ways companies can protect themselves include:
Universally adopt a well-written Confidentiality or Non-Disclosure Agreement (NDA) requirement for all interviewers in order to discourage would-be spy agents.
Make IP security a part of your corporate culture. Remind personnel with access to sensitive information what is in need of protection and how they can protect it, how to protect it as well as the potential consequences of sensitive information loss.
Make sure visitors and interviewers are accompanied by an internal staff member and not be left alone places where sensitive information is stored such as offices and lab space.
Advise individuals without access to IP what they should do if they inadvertently come across IP or sensitive information.
Limit the number of copies of sensitive information as well as general access to printers, encrypt sensitive information whenever possible.
Consider implementing user and entity behavior analytics (UEBA). UEBA utilizes machine learning and artificial intelligence-powered analytics to monitor activity and detect unusual behavior; it can be very effective in thwarting cyber spying and sabotage attempts.Consider implementing user and entity behavior analytics (UEBA). UEBA utilizes machine learning and artificial intelligence-powered analytics to monitor activity and detect unusual behavior; it can be very effective in thwarting cyber spying and sabotage attempts.
Have role-based access privileges that are frequently reviewed and that are changed INSTANTLY with promotion, re-assignment, termination, re-organization, need to know, or other changes in employment status.
Roger Johnson, CEO of Right Brain Sekurity, in an interview with Digital Guardian recommended deploying effective insider threat countermeasures with a focus on disgruntlement detection and mitigation techniques. He indicates that there are many motivations for an inside attack, but disgruntlement is one of the easiest to address. He recommends fair, effective, and widely used grievance and employee assistance programs. Treat all employees and contractors well (not just “fairly”), especially those with sensitive IP access and those who have been terminated. As we suggest in a recent article, there are different ways managers can appreciate their employees that are not to be overlooked.
When it comes to the candidate process, it’s about knowing what to look for:
The questions asked by the candidate are not relevant to the job–instead, they are focused more on intellectual property.
There is an insistence on seeing the lab, manufacturing facility, or cleanroom.
The job candidate’s LinkedIn seems incomplete (e.g., no picture, or very little information is included) or their resume lacks specific details.
Your company’s computer network is accessed from an unfamiliar location (i.e., indicating that spies or other malicious entities may have infiltrated your organization’s servers).
Conclusions
Corporate espionage may seem like something out of a Hollywood movie, but it is real and more common than you might think. Unfortunately, the candidate interviewing process can serve as a unique opportunity for spies to gain access to sensitive and confidential information including company IP. That doesn’t mean you need to stop interviewing highly qualified candidates on the concern they might be spies. With proper precautionary measures and ongoing vigilance, you can mitigate risk and still build a stellar (spy-free) team.
Contributing Authors: Eric Celidonio and Lauren E. Perna
In the first part of this series, we told the story of a candidate that used the interview process to steal proprietary information from a potential employee. The interview process can provide a perfect opportunity for IP theft, but it can take place under other clever circumstances. For example, previous employees of your organization may still be able to access sensitive corporate data on your company’s servers. Or current employees can be bribed and or offer sensitive detail in interviews or social settings. Some other examples include:
Trespassing on company property
Posing as an employee to gain on sight or IT access
Recording a phone conversation
Email phishing and server hacking
Technologies used in corporate espionage technologies can include hacking USBs, which can contain malware which allows malicious entities to access corporate servers to steal data. In 2013, hackers working for the Chinese government stole trade secrets from U.S. and European aviation companies. Chinese hackers who visited the Suzhou headquarters of French aviation company Safran left a USB drive containing malware which allowed them to access corporate data.
However, corporate espionage technology doesn’t have to be sophisticated. Recall that, in the example we related at the beginning of the article, Marc brought a pen camera with a microphone to record conversations and obtain trade secrets. Corporate spies can steal computers or thumb drives, or use video or audio recording, to facilitate their intellectual property theft.
According to CSO online the most common IP breaches occur through:
External email like a Gmail or Yahoo account (51%)
Corporate email (46%)
File sharing via FTP (40%)
Collaboration tools like Slack or Dropbox (38%)
SMS or instant messaging apps like Whatsapp (35%)
Recent Cases of Corporate Espionage
Just a few weeks ago, a striking case of corporate espionage hit the local news. On December 10th, a Chinese National medical student was caught at Logan Airport smuggling vials of research specimens in his luggage. Zaosong Zheng, 29, came here on a Harvard University sponsored visa and spent the past year doing cancer research at Beth Israel Hospital. Zheng was also caught with the laptop of a fellow Chinese researcher, who was in on his plan to steal the specimens, continue the research at home, and take credit for the work. This may sound rather brazen, but according to the Boston Globe it is not uncommon, as there have been about 18 similar cases at Logan Airport.
This case comes just a few months after several biotech leaders wrote an open letter to the NIH admonishing the dismissal of five Asian-American scientists from MD Anderson Cancer Center and Emory University on the basis they did not report their foreign ties. These dismissals were part of a larger NIH campaign to address concerns of IP theft among foreign nationals, especially those from China. The target is often oncology, and with China encroaching on the U.S.’s progress, NIH feels their concerns are valid. The biotech leaders worry the campaign is xenophobic and could hinder progress.
The NIH began their campaign in 2018 after several major cases of biopharma corporate espionage were made public, including one out of GSK’s Philadelphia R&D facility. A researcher pleaded guilty to stealing confidential research and sending it to China; she was working in conjunction with several other Chinese nationals. The other highly publicized case involved three scientists at Genetech transferring trade secrets to a Taiwannese competitor.
These cases illustrate how easily proprietary information can get into the wrong hands. The good news is that there are ways to make sure this doesn’t happen. In the final section of this piece, we’ll talk about how to protect yourself against such threats.
Interested in getting the entire 3 part series in your inbox? Enter your details below:
In the first two parts of this series we recapped and analyzed MassBioEd’s 2019 Massachusetts Life Science Employment Outlook. In this final part, we’d like to offer our take on the matter. As recruiters, we are conduits between these employers struggling to find the best talent and the talent pool. Our job is to not just place candidates into somewhat suitable roles; we want to make the best match for both client and candidate. Yet, with the narrow pool of candidates that can be a challenge.
In fact, we have people on staff whose entire job is to scour the web to widen that pool—they’re called sourcers. We do have a vast database of candidates who submit their resumes through our website and other sources, but still many of the jobs we are tasked with filling are extremely specialized. Thus, we look to our data wizards (the sourcers) to identify appropriate candidates with Boolean searches, plug-ins, and other complex methods. Through these methodologies and other candidate search tactics we’re able to find candidates who aren’t actively applying to jobs or candidates who may not have put the full extent of their experience on LinkedIn.
There’s no guarantee we can find local candidates, so sometimes we are quite literally plucking candidates from their lab elsewhere in the US to fill a role here in Massachusetts. Since life sciences isn’t exactly the most remote-friendly work, employers are then faced with providing relocation packages. For some of our smaller clients, it can be hard to compete with the larger companies in this area.
We’re also seeing more candidates have two or three good offers to choose from, which means our clients need to sell their company as a great place to work. Again, this can be a challenge for some of the smaller companies who can’t offer the same benefits as larger ones can. Those smaller employers try to emphasize culture and hope that they can bring someone on board who really believes in the mission.
The need for stronger connections between academia and industry, and better career development is apparent in our everyday work. We see everything from poorly formatted resumes and ill-prepared interviewees to talented scientists simply lacking direction—all shortcomings that could be solved with some of the solutions mentioned in the report.
We have a unique vantage point of the industry and it’s pretty clear the talent shortage and the lack of industry exposure is causing a strain not just here in Massachusetts, but all across the U.S. We will work hard to be a part of the solution by continuing to speak about scientific career paths, by volunteering with science education programs, and by being an advocate for the industry in our professional and personal circles. What will you do to help? Let us know!
In the first part of this series, we provided a quick glance at the top facts derived from MassBioEd’s extensive 2019 Massachusetts Life Science Employment Outlook. Before we go further into what appears to be a grim outlook, let’s take a step back to think about the bigger picture. The talent shortage is happening, in part, because the life sciences industry is growing so quickly. Growth in the life science industry means more lives saved, healthier people, longer lives. And even better news–Massachusetts is at the helm.
CBRE’s US Life Sciences Clusters Report states that Boston-Cambridge is the leading life science market in the nation. MassBio’s Life Science Industry Snapshot offers a few other bragging points:
Four of the top five NIH funded hospitals are here in Massachusetts.
$4.8B in venture capital investments were made in Massachusetts life science in 2018 (an increase by five-fold since 2009).
18 life science IPOs in 2018 were headquartered in Massachusetts.
Massachusetts researchers are currently researching or developing products for over 400 medical indications.
The digital revolution has propelled the industry even further over the last two decades. With the introduction of new modalities, the industry is on pace to continue its rapid growth here in Massachusetts and across the U.S….unless there aren’t enough workers.
The Bad News
If the talent shortage continues, then that rapid pace of discovering cures and sending therapies to market will surely slow down.
The authors of the MA Life Sciences Report offer the following warning:
“In short, there is no end in sight to the talent shortage when only traditional means of preparing tomorrow’s workforce are utilized. The future of this industry depends on a robust pipeline of talented and passionate people to make the next generation of scientific discoveries and technical breakthroughs.”
The Action Steps
The report does not end there. The authors provide clear action steps to help remedy the issue. The following recommendations were made:
Strengthening partnerships between industry and academia to help bridge the gap between what students learn and what employers are seeking.
Generating more awareness around the industry early on in students’ academic careers.
Creating more opportunities in industry exploration for college students studying a science-related field.
Providing more support to pre-and postdoctoral students, who often struggle transitioning between academia and industry.
Offering more professional development opportunities to existing employees.
Strengthening workers’ soft skills, which do not always come naturally to scientists.
Implementing different types of training methods that cater to non-traditional workers.
Also, just a note that while not identified under the list of recommendations the report does also say that we must continue to support immigration so that foreign-born workers can grow the workforce.
The report makes it clear that there is a real need to create more awareness around the industry at all levels. In The Boston Globe’s coverage of the report, Jonathan Saltzman hones in on the lack of exposure at the high school level. There is also a glaring need to pursue non-traditional training and development methods, a topic that was recently explored in depth by Biospace. The article offers an extensive list of ways for life science workers to enhance their professional development.
For an industry that is making such strides in technology, it’s being lagging in workforce development. The Baker Administration is addressing these concerns in its latest economic development plan. The plan focuses on workforce development and calls for steps to build on the growth in several sectors including life sciences and healthcare. Organizations like MassBioEd and Science Club for Girls are also working hard to be part of the solution. Still, there is more to be done.
In the final section, we’ll wrap up by providing our commentary on the report and the outlook.
Contributing Authors: Eric Celidonio and Lauren E. Perna
Marc was the perfect candidate for a principal scientist job that we were having a difficult time filling. On paper, he was a well-qualified molecular biologist with degrees from top universities and impressive biochemistry skills. When our lead recruiter reached out to him, he played hard to get, but after a couple of attempts, he agreed to come in for an onsite interview.
Marc acted strangely during his interview–he was more interested in the facility than the actual job, frequently glanced around at his surroundings, and he asked a number of questions not related to the role. Marc also requested a tour of the lab, which was provided by a junior team member. By the end of the interview, it was clear that he wasn’t a fit for the role. In fact, despite his impressive credentials on paper, he didn’t seem to have any transferable skills or interest in the role.
While most of the interviewers chalked up Marc’s strange demeanor to just being a poor candidate for the job, it turns out that Marc wasn’t there for a new job. He was using the interview process to access intellectual property for a foreign competitor.
Marc used the opportunity to gain access to key, confidential information. He even stole a couple of USB drives as well as documentation when he was left alone in an interviewer’s office and when he walked unescorted to the restroom. He also brought an inexpensive pen camera with a microphone to record the discussion, effectively delivering accurate, sensitive detail with minimal effort.
Intellectual property (IP) theft via corporate espionage, also called industrial espionage, involves the theft of data meant for economic gain. This type of spying occurs between companies, corporations, and sometimes foreign governments. The candidate interview process creates a unique opportunity for these transgressions. Many interviewers might not even notice a stealth candidate taking a picture of a confidential whiteboard, stealing a USB drive, or taking a sensitive document left on a common printer.
Marc had signed a confidential disclosure agreement (CDA), meaning that he had agreed not to share the information learned in the interview with others. So the interviewers thought it was perfectly fine to share confidential information with him. By the end of the interview, Marc knew platform secrets, what compounds were being investigated, and what programs were being advanced. The CDA he had signed was meaningless–he provided the “lifted” information to an officer at a direct competitor outside the U.S.
Corporate Espionage: A Very Real and Expensive Threat
Corporate espionage can take many forms and can have a devastating impact on a company. While it is outlawed by the Economic Espionage Act of 1996, unfortunately, it’s still a relatively common practice. Some companies manage to spy on their competitors under the radar. The reverse situation of the one we encountered can also happen–an unsuspecting employee goes to a competing entity and is interviewed on the basis of “leaking” proprietary or sensitive information. Many corporate spies do not get caught or are caught after it’s too late and the intellectual property has been transferred.
According to the U.S. Commission on Theft of American Intellectual Property, the annual cost to the U.S. economy is on the order of hundreds of billions of dollars. This cost continues to exceed $225 billion and could be as high as $600 billion to U.S. corporations. Life science companies are some of the hottest targets. China alone has stolen IP from one in five US companies in 2019 according to a CNBC Poll.
This high cost includes not only lost IP but also financial information, marketing strategies, projects in development, pricing, and employee personal information. In addition to a potential competitive setback, such losses can additionally tarnish a company’s reputation as a leader and an innovator. Biotech is uniquely susceptible to espionage due to its fast pace, frequent directional change, and often poorly governed processes.
Now that we’ve told our real-life tale of a biotechnology spy, in the next section we’ll review other ways companies could open themselves up for IP theft.
Interested in getting the entire 3 part series in your inbox? Enter your details below:
