 |
|
|
|
|
||
Sponsored Sections
Corporate Espionage
An information-security-systems consultant explains what corporate spies are looking for and how to protect yourself.
Published June 1997
EMAIL THIS ARTICLE
PRINTER FRIENDLY
COMMENT ON THIS ARTICLE
BUY A REPRINTFurther Reading
There's a widespread misconception in this country that corporate espionage is a high-tech crime perpetrated by slick James Bond types or genius computer hackers. Nothing could be further from the truth. Just about all corporate penetration is accomplished with decidedly simple, and preventable, methods.
While information on a computer can be quite valuable, the same piece of information written on a crumpled-up cocktail napkin is worth just as much. It is therefore just as important to protect that napkin as it is to protect the computer. Focusing on computer-based data can leave an organization extremely vulnerable to tried-and-true espionage techniques.
Corporate spies are perfectly happy to get information from the easiest and most overlooked sources--including the trash or a vulnerable telephone. As a matter of fact, those sources are even preferable, because they involve less risk to the operative. A good spy always looks for the path of least resistance before trying anything fancy or high tech.
Thanks to unlocked offices, neglected computers, and the like, I was able to steal billions of dollars' worth of sensitive information from a large corporation in about a day and a half. And the people in charge never even knew I'd been there. (Of course, I told them all about it and gave the information back. The target company was a client of my security business.) Actually, I "steal" most of my information by simply asking for it, looking on desktops, going up to computers that are left on all day, and digging through the trash. With few exceptions, all real-life James Bonds get their information exactly the same way.
Most information managers and company owners don't believe their organizations will be targeted. If a company is not in the defense industry or the organization is relatively small, the thinking goes, no one will come after it. That all-too-common attitude is a spy's best weapon. In fact, small businesses tend to be targets more often than large corporations, simply because they have more competitors. No company or organization is immune to being targeted for attack. And to a small company, a $1,000 loss could be much more devastating than the loss of billions would be to a large company. According to the FBI and similar organizations, industrial espionage costs U.S. companies anywhere from $24 billion to $100 billion annually. Technical vulnerabilities are responsible for less than 20% of all losses or compromises of information.
Moderately skilled criminals can get well-meaning employees to hand over just about any piece of information they want. The damage from your employees' lack of awareness of general security issues is compounded by a lack of understanding of the value of your company's information.
Take your sales-and-marketing department. Its job is to get the word out about your products or services. In this highly competitive marketplace, salespeople often leak information about upcoming offerings to potential customers. They give up key details, scheduling information, and product specifications, all in the service of making the sale. They don't do it to cause problems. For the most part, it's a matter of honest enthusiasm.
Your sales-and-marketing people have a job to do, but you have to make sure they're not undermining your security efforts when they do it. At trade shows anyone expressing a sincere interest in a marketer's products can get just about any information he or she could want from that person. Salespeople are supposed to give out information, not protect it. On almost all occasions, if a sale is in jeopardy, sensitive information will be revealed. Trained corporate spies know how to pose as interested customers and how to drag out a purchase negotiation until they get the information they want.
Most businesspeople recognize the value of formal documents and take appropriate steps to protect them, but they often treat the draft forms of those documents as worthless. Typically, a draft document contains the same hard facts as the final document; it's only the presentation that changes. Much of the information is very valuable indeed, and corporate spies know it.
Other pieces of paper with potentially unnoticed valuable information include travel tickets, credit-card receipts, invoices, and shipment manifests. They may not give a competitor the big picture, but they can help fill in the pieces. A purloined appointment calendar can show me that an important executive meets frequently with an individual from another company, which could indicate a possible merger or joint venture in the offing. That's extremely valuable information. With enough scraps like those, I can put together all I need to know to cause a lot of damage.
