The former president of a transportation company in Texas was sentenced in federal court last month to five years in prison for hacking into his former employer’s computer network and stealing proprietary business information he intended to use for his start-up. The case underscores the fact that much like major corporations, small and medium-sized enterprises (SMEs) are targets for industrial espionage.
SMEs are in many ways are more vulnerable than big businesses, which are capable of employing a small army of security specialists to safeguard intellectual propert, said Michel Juneau-Katsuya, president and CEO of the Northgate Group, an international security firm based in Canada.
SMEs very often perceive security as an extravagance. “In times of austerity that sin of security expense is one of the first things that get eliminated,” he told IMT.
To a certain extent, the strategic importance of protection has become even more critical for SMEs. When it comes to stolen prototypes or proprietary technology, larger companies seem more capable of absorbing the loss. “If you’re a big guy and you lose a gadget, you can probably recover from that,” he said. “But if you’re a small or medium-sized company, you lose your intellectual property, you might actually break your back and lose your company.
“There’s not a lawyer in the world that [can] bring back the value or bring back the intellectual property that you’ve lost. There is only one serious way to defend yourself against espionage activity: Awareness, awareness, awareness.”
Trade secrets, commercial secrets, and intellectual property are typically targeted. Strategic information, such as a potential bid price, is also a type of company secret that must be protected. Access to such information could obviously help a competitor win a contract.
Christopher Burgess, CEO of Prevendra Inc., a security, privacy and intelligence firm based in Washington, told IMT that information is sought by two kinds of groups.
The first includes those who are exploiting everything companies put out through social networks, whitepapers, and other public disclosures and actions. This is what Burgess calls legitimate intelligence collection.
“Then there are those who have managed to hurdle that fence of propriety and appropriateness and are engaging in illegal activities,” he said.
Industrial espionage can pit company against company. But it has also become a fairly lucrative business for organized crime. Activists with political agendas are also threats. These groups are not out to make a buck, but to embarrass or immobilize a company. The end result for the target is often the same: loss of revenue.
However, the most common agent of industrial espionage is an insider — an employee. “The wolf is in the barn,” said Juneau-Katsuya.
He estimates that 85 to 90 percent of security leaks are perpetrated by someone who has been granted legitimate access to information. Some are stealing for profit — selling information to the competition. Others are simply careless and accidentally leak information that can be used by agents of industrial espionage.
In a survey of 600 companies two years ago, Northgate found that the vast majority of security breaches from mobile devices were made by executives who have access to sensitive information. They often circumvented security protocol to accommodate a business lifestyle that includes world travel and long hours.
“The inadvertent disclosure of information is your biggest threat — as opposed to being targeted and exploited directly,” said Burgess.
Companies need to know what data employees are sharing with customers or partners and how that information is shared, he said. “I do advocate that every company have a social network guide that lays out expectations as to what is and what is not shareable,” he said.
For example, employees who post resumes and related information on such social networks as LinkedIn might inadvertently be disclosing something their employer wants to protect, Burgess said. A trip app might allow a competitor to view a company’s travel itinerary. Information can be aggregated to show patterns. “The beauty of Foursquare is you can see people checking in to their clients and where and how many trips are being made to a specific location,” he said.
Juneau-Katsuya said employees are both the weakest point and the solution to a company’s efforts to guard its intellectual property.“Information will leak and will disappear because of your employees and will be protected because of your employees,” he said. “If you don’t involve your employees into the process you’re fighting a lost battle.”