There's a widespread misconception in this country that corporate espionage is a high-tech crime perpetrated by slick James Bond types or genius computer hackers. Nothing could be further from the truth. Just about all corporate penetration is accomplished with decidedly simple, and preventable, methods.
While information on a computer can be quite valuable, the same piece of information written on a crumpled-up cocktail napkin is worth just as much. It is therefore just as important to protect that napkin as it is to protect the computer. Focusing on computer-based data can leave an organization extremely vulnerable to tried-and-true espionage techniques.
Corporate spies are perfectly happy to get information from the easiest and most overlooked sources--including the trash or a vulnerable telephone. As a matter of fact, those sources are even preferable, because they involve less risk to the operative. A good spy always looks for the path of least resistance before trying anything fancy or high tech.
Thanks to unlocked offices, neglected computers, and the like, I was able to steal billions of dollars' worth of sensitive information from a large corporation in about a day and a half. And the people in charge never even knew I'd been there. (Of course, I told them all about it and gave the information back. The target company was a client of my security business.) Actually, I "steal" most of my information by simply asking for it, looking on desktops, going up to computers that are left on all day, and digging through the trash. With few exceptions, all real-life James Bonds get their information exactly the same way.
Most information managers and company owners don't believe their organizations will be targeted. If a company is not in the defense industry or the organization is relatively small, the thinking goes, no one will come after it. That all-too-common attitude is a spy's best weapon. In fact, small businesses tend to be targets more often than large corporations, simply because they have more competitors. No company or organization is immune to being targeted for attack. And to a small company, a $1,000 loss could be much more devastating than the loss of billions would be to a large company. According to the FBI and similar organizations, industrial espionage costs U.S. companies anywhere from $24 billion to $100 billion annually. Technical vulnerabilities are responsible for less than 20% of all losses or compromises of information.
Moderately skilled criminals can get well-meaning employees to hand over just about any piece of information they want. The damage from your employees' lack of awareness of general security issues is compounded by a lack of understanding of the value of your company's information.
Take your sales-and-marketing department. Its job is to get the word out about your products or services. In this highly competitive marketplace, salespeople often leak information about upcoming offerings to potential customers. They give up key details, scheduling information, and product specifications, all in the service of making the sale. They don't do it to cause problems. For the most part, it's a matter of honest enthusiasm.
Your sales-and-marketing people have a job to do, but you have to make sure they're not undermining your security efforts when they do it. At trade shows anyone expressing a sincere interest in a marketer's products can get just about any information he or she could want from that person. Salespeople are supposed to give out information, not protect it. On almost all occasions, if a sale is in jeopardy, sensitive information will be revealed. Trained corporate spies know how to pose as interested customers and how to drag out a purchase negotiation until they get the information they want.
Most businesspeople recognize the value of formal documents and take appropriate steps to protect them, but they often treat the draft forms of those documents as worthless. Typically, a draft document contains the same hard facts as the final document; it's only the presentation that changes. Much of the information is very valuable indeed, and corporate spies know it.
Other pieces of paper with potentially unnoticed valuable information include travel tickets, credit-card receipts, invoices, and shipment manifests. They may not give a competitor the big picture, but they can help fill in the pieces. A purloined appointment calendar can show me that an important executive meets frequently with an individual from another company, which could indicate a possible merger or joint venture in the offing. That's extremely valuable information. With enough scraps like those, I can put together all I need to know to cause a lot of damage.
Internal company correspondence also contains an incredible amount of information. Companies produce their own newsletters, policy-meeting minutes, and so on, filled with project data, details about people, company-status updates, and other information. Often, the people producing those documents have no idea they're generating sources of sensitive information.
Telephone records--which are not that difficult to get--can reveal a lot about what you and your organization are doing. Think about it this way: if you gained access to the telephone records of a young woman and found that she had placed numerous calls to caterers, bridal stores, and photographers, you might rightly conclude that she was getting married, even if you knew nothing else about her. Think about your own telephone calls. What could a record of your calls tell a competitor about what you're up to?
Telephone conversations, too, can be compromised. People can overhear what you're saying just by standing nearby--or sitting in the next cubicle. If your employees are aware that there is a vulnerability, they can minimize your company's risk by watching what they say and whom they call, especially when using cellular and portable telephones.
The casual conversations that take place both inside and outside the office every day may be the most overlooked source of valuable information. People can't help talking about their work. Sometimes they're just getting together with coworkers for a few beers, and work is the natural topic of conversation; sometimes they're trying to impress others by talking about sensitive company matters. The smoking areas outside major office buildings are great places to pick up information through casual conversations. I've heard of spies taking up smoking specifically to exploit that vulnerability.
Whenever you work outside the office, you never know who's watching. When you're out in public, you have little control over your environment, and it's impossible to implement even the most basic security measures. If your people are taking work home every night, you've got a vulnerability. Look around the airplane the next time you fly. You'll see open laptops and documents spread out and spilling onto the floor. Your fellow passengers' bosses would be pleased, but the corporate spies reading company secrets over their shoulders are positively giddy.
Of course, some vulnerabilities are simply unavoidable. Businesses must exchange information with other businesses, companies must bring new people into the corporate fold, and organizations of all kinds are using the Internet in myriad ways. I'm not suggesting that you can achieve some kind of perfect information security in your organization or that such a goal is even worth attempting. Vital organizations can't function well in a paranoid security death grip. What you should be going for are reasonable security measures that minimize your risk. The basic principle to keep in mind is that the most successful corporate-espionage crimes result from many small successes, several seemingly unimportant incidents that add up to major losses.
Copyright © 1997 by Ira Winkler, from the book Corporate Espionage , Prima Publishing, Rocklin, Calif. Ira Winkler is an information-security-systems consultant. To order the book call either 800-632-8676 or 800-531-2343 in the United States, or 916-632-4400 from outside the country.
Ira Winkler's Corporate Espionage: What It Is, Why It's Happening in Your Company, What You Must Do About It ($26) is available in bookstores. If you'd like to order copies directly from the publisher, call Prima Publishing at 800-632-8676.