When competitive intelligence turns into corporate espionage, companies can’t afford to be caught off guard.
By Clare Fitzgerald
Think that friendly airplane passenger chatting with you about your job is just passing the time? Think again.
Whether marketing plans, design blueprints, manufacturing processes, formulas, software code, client backgrounds, or personnel records, there are unscrupulous competitors out there who will go to any lengths to gain the inside knowledge necessary to predict your company’s next move.
Economic espionage can take place at any level, in any industry. Companies large and small have lost thousands of research hours and millions of dollars through carefully planned acts of corporate and industrial espionage. According to a recent report from the SANS Institute, an information security cooperative research and education organization, total losses from theft of trade secrets are estimated in the region of $100 billion.
That number, however, is extremely difficult to pin down, since many companies would rather eat the costs than notify authorities, fearing that admitting to a security breach will result in plummeting stock prices or a failed deal. Small companies especially may worry that trade partners will not do business with them if their systems have been breached. The 2003 Computer Security Institute and Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey reports that, of the companies that suffered a computer intrusion in the previous 12 months, only 50 percent reported it to the authorities.
As potential costs mount, companies can no longer afford not to make information and physical security a high priority. Brian Breton, product marketing manager at the Bedford, Mass.-based computer security firm RSA Security, warns, “If you don’t invest in security, you’re taking your chances that your systems may be compromised. And the cost to plug the hole after the fact is far more than if you put in the precautions up front.”
As today’s corporate infrastructures handle more sophisticated applications and remote users, they become more open and complex, and consequently more susceptible to intrusions and information theft. Extremely mobile employees doing as much work at the coffee shop as they do back at the office make it difficult for companies to control their systems, opening the door to corporate spies.
CI or dirty tricks?
The majority of companies rely on perfectly legal forms of competitive intelligence (CI) gathering: public records, public databases, patent filings, and the like. The Society of Competitive Intelligence Professionals, for example, describes its function as a “necessary, ethical business discipline for decision making based on the competitive environment.”
But there are those who opt for a more underhanded approach, such as physical and electronic surveillance. In doing so, they enter the murky zone that lies between aggressive competition and ethical transgression. “Covert surveillance may not be illegal but may be considered unethical, whereas electronic surveillance is against the law,” explains Paul Bielicki, VP of Mid-West Protective Service, Inc., a St. Louis, Mo.-based corporate security firm providing both national and international security and intelligence-gathering services.
Actual occurrences within the past few years illustrate the reality of espionage in today’s corporate arena. In September 2000, for example, Oracle Corp. found itself defending its decision to hire detectives to dig up confidential information on Microsoft. In another high-visibility case, Procter & Gamble’s (P&G) haircare business ran a corporate espionage program against Unilever, a primary competitor in that market; P&G admitted to hiring operatives who violated its business policies. Last summer, Verizon Wireless filed a corporate espionage lawsuit against Nextel, accusing the company of improperly obtaining confidential information. And in another lawsuit, filed in a San Francisco federal court last December, Taiwan Semiconductor Manufacturing Co. accused rival Semiconductor Manufacturing International Corp. of stealing trade secrets by hiring away employees and urging them to bring proprietary information with them.
Kevin Richards, director at Denmac Systems, Inc., a Deerfield, Ill.-based network and security-consulting firm, says some of the new technologies developed to advance the workplace also are being used to steal data. He cites the tiny USB, or “pen,” drives that can store huge amounts of information as one example. “Someone can come in, store thousands of documents on these drives, slip it in a pocket, and no one would know,” he explains. Personal digital assistants, or PDAs, can likewise be abused: synchronized against a company’s network, they walk out the door with a copy of its information. “As the devices are getting a lot smaller and more advanced, frankly, it’s a lot easier to commit corporate espionage,” says Richards, who also is VP of chapter relations for the Information Systems Security Association (ISSA), a trade association for security professionals promoting information security best practices.
Corporate intruders will enter any way they can, but they’ll look for the path of least resistance, which time and time again has proven to be right through the front door. According to the SANS Institute, physical hackers may roam a building looking for vacant offices or unsecured workstations with employee logins and passwords lying out in the open. In other cases, they may seek access to a server room in order to gain information on the systems used, or they may try to place protocol analyzers in wiring closets to capture data, user names and passwords off the wire.
And don’t forget dumpster diving, an easy and often successful technique to find phone books, organizational charts, memos, company policy manuals, information about events and vacations, and printouts of sensitive data. “I find there are executives in corporations today that still don’t use a shredder,” Bielicki says with surprise.
James Bond or Joe Average?
Spies committing these corporate intrusions may be insiders or outsiders, trained professionals or everyday employees. Executives, IT personnel, contractors and janitorial staff all have access to facilities, data and networks, and that makes the corporate spy all the more difficult to identify and catch.
Spies from the outside may enter via the Internet or dial-up lines, or from partner (vendor, customer, reseller) networks that link to another company’s network. They’ve also been known to physically break in, or be a planted hire using his or her intelligence-gathering abilities to obtain proprietary information.
Companies should be especially wary of contractors and consultants entering their offices, says Richards. “A lot of companies don’t extend due diligence to contractors and consultants that still have access to so much information.” Citing himself as an example, he explains, “I’ve walked into major, multi-million dollar companies and have basically been given free access. They really don’t know me from Adam.” Richards urges companies to start asking more questions. “A little bit of due diligence might find something,” he says.
Why do corporate spies risk it? “The risk is worth the reward,” says Bielicki. It’s possible to obtain intelligence on companies without breaking the law, but even if spies use unethical practices, obtaining the right information can pay off. A story about information leaks on 60 Minutes or the Today Show can virtually take down an entire company by having a huge impact on stock price. Any intelligence gained or lost during a negotiation, buyout or merger far outweighs the risk of getting caught in the act of corporate espionage.
Companies that suspect they’ve been victims of corporate espionage should make every attempt to determine the source of the leak. If a competitor suddenly launches your slogan or product before you’ve released it, company executives must go on the offensive to find out who’s conducting the surveillance. Counter-surveillance may be the best option, says Bielicki, and enlisting the help of trained security professionals is key to identifying and plugging a leak before more proprietary information is lost. Covert video surveillance can catch perpetrators in the act, and state-of-the-art digital camera systems allow executives to monitor an office from their homes or hotel rooms using laptop computers. Bielicki also suggests that executives take security classes to learn how to recognize threats of corporate espionage.
The defensive line
So how do you begin to counter the threat? First and foremost, security needs to be more than an afterthought, an idea that has proved elusive to many companies. Although 55 percent of information security professionals say their companies have active information security awareness and training programs for employees, only 16 percent say their company’s workers are adequately trained, according to a study by the Business Software Alliance (BSA) and ISSA.
Controlling access and knowing your employees is also critical, says Bielicki. He recommends first conducting detailed background checks on new employees, then performing a security audit by scanning for eavesdropping devices and restricting access to proprietary areas of the office. “It’s very important to document who’s coming and going after hours and on weekends, and to trust the employee responsible for monitoring that.”
On the computer security side, Breton confirms that identification and access are two important factors around which to build your line of defense, especially as more companies rely on remote users who require access to their systems. He emphasizes that companies need strong authentication systems that call for both remote and internal users to “prove who they say they are.” RSA Security uses a “two-pronged” approach in its security solutions, meaning that, rather than simply using a password, users need two forms of identification to gain entry: something they know, such as a PIN, and something they have, like a token that generates one-time passwords. Once entry is authorized, Breton says organizations need to control “what the user can see and do,” requiring strong application access-control security measures.
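To show what that two-factor check looks like on the server side, here is an added example in Python. It is not code from the article or from RSA Security: it assumes an event-counter token following the published HOTP algorithm (RFC 4226) rather than RSA’s proprietary SecurID scheme, a demo PIN of 4711, and the RFC’s reference seed. The login attempts at the bottom are constructed to show a replayed code, a wrong PIN, and a token that was pressed a few times without being used.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values (not from the article). A real token seed is
# provisioned once per physical device and is known only to it and the server.
TOKEN_SEED = b"12345678901234567890"   # the RFC 4226 reference-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen PIN database is not a stolen first factor."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Server side: checks 'something you know' (PIN) and 'something you have' (token)."""

    def __init__(self, pin: str, seed: bytes, window: int = 5):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.seed = seed
        self.window = window      # how far the token may have drifted ahead
        self.next_counter = 0     # lowest counter value still acceptable

    def verify(self, pin: str, otp: str) -> bool:
        # Evaluate both factors unconditionally so timing does not reveal
        # which one failed.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        matched = None
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                matched = c
        if not (pin_ok and matched is not None):
            return False
        # Move past the used counter: the same code can never be replayed,
        # even by someone who shoulder-surfed it.
        self.next_counter = matched + 1
        return True


def demo_login_sequence() -> list:
    """Run a token through good logins, a replay, a wrong PIN and a stale code."""
    server = TwoFactorVerifier(pin="4711", seed=TOKEN_SEED)
    attempts = [
        ("4711", hotp(TOKEN_SEED, 0)),   # first use of the token
        ("4711", hotp(TOKEN_SEED, 0)),   # replay of a code already used
        ("0000", hotp(TOKEN_SEED, 1)),   # right token, wrong PIN
        ("4711", hotp(TOKEN_SEED, 1)),   # correct pair; the PIN failure did not burn the code
        ("4711", hotp(TOKEN_SEED, 4)),   # token pressed a few times unused: inside the window
        ("4711", hotp(TOKEN_SEED, 2)),   # stale code from before the one just accepted
    ]
    return [server.verify(pin, otp) for pin, otp in attempts]


if __name__ == "__main__":
    print(demo_login_sequence())
```

Two details carry the security weight: a failed PIN never advances the counter, so an attacker holding a stolen token cannot burn through codes while guessing the PIN, and the counter never moves backwards, so a code seen once is worthless afterwards.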
Richards refers to this as the “least privileges” security theory. “Give people access only to what they need in order to do their jobs and no more,” he says. “The sales force doesn’t need to enter the finance server.” He also notes that technology is available to monitor network activity and alert IT staff to irregularities.
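To make the “sales force in the finance server” rule concrete, the following Python is an added example, not code from the article, Denmac Systems or any vendor. A role-to-server allowlist (hypothetical roles and host names) serves both as the least-privilege decision and as a detector replayed over a constructed access log. It separates a denied probe, which the controls handled, from the more serious case where policy says no but the server said yes.

```python
import re

# Constructed role policy and user directory (hypothetical; not from the article).
ROLE_ACCESS = {
    "sales":       {"crm-db", "file-share"},
    "finance":     {"finance-srv", "file-share"},
    "engineering": {"source-repo", "build-srv", "file-share"},
}
USER_ROLE = {"alice": "sales", "bob": "finance", "carol": "engineering"}

# Constructed access-log format: one key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed sample log: a normal day plus one probe, one unknown account,
# one enforcement failure and one line from an unrelated subsystem.
SAMPLE_LOG = """\
2004-03-02T09:15:01 user=alice src=10.1.2.3 dst=crm-db action=read result=allowed
2004-03-02T09:16:44 user=alice src=10.1.2.3 dst=finance-srv action=read result=denied
2004-03-02T10:03:00 user=bob src=10.1.2.7 dst=finance-srv action=write result=allowed
2004-03-02T10:05:12 user=mallory src=10.1.9.9 dst=source-repo action=read result=allowed
2004-03-02T21:02:10 user=alice src=10.1.2.3 dst=finance-srv action=read result=allowed
kernel: eth0 link up
"""


def is_allowed(user: str, server: str) -> bool:
    """Least-privilege decision: a user may reach only the servers their role needs."""
    role = USER_ROLE.get(user)
    return role is not None and server in ROLE_ACCESS[role]


def audit(log_text: str) -> list:
    """Replay the access log against the policy and return alerts worth paging on."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparsed", line))        # never silently drop input
            continue
        user, dst, result = m["user"], m["dst"], m["result"]
        if user not in USER_ROLE:
            alerts.append(("unknown_user", user, dst))   # account not in the directory
        elif is_allowed(user, dst):
            continue                                     # normal business access
        elif result == "allowed":
            # Policy says no, the server said yes: an enforcement gap, the
            # kind of hole an insider walks through unnoticed.
            alerts.append(("enforcement_gap", user, dst))
        else:
            # Denied, as it should be, but someone is probing beyond their role.
            alerts.append(("denied_probe", user, dst))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

The same allowlist that the servers enforce is what the monitor checks against, so an alert of type enforcement_gap means exactly one thing: a control that should have blocked the access did not, and the gap needs fixing before the log entry is even investigated.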
Above all, warns Breton, encrypt important data. “If an intruder gets through all your other defenses, you don’t want critical, valuable assets sitting out there to be read.” If assets are encrypted, even a corporate spy who steals your information won’t be able to read it.
In its Corporate Espionage 101 report, the SANS Institute also recommends that companies lock all doors, cross-shred all paper documents before trashing them, post “no trespassing” signs around dumpsters, keep audit logs of access to sensitive information, conduct routine security awareness training, escort visitors through the office, instruct employees to report repair people who show up without being called, and keep an inventory of equipment.
Is it possible to completely prevent corporate espionage? Not really, says Breton. “It’s all about mitigating—not preventing. But you need sound security policies to mitigate this risk.”
No company wants to have its name and logo flashed across the newspaper with a headline reading: “Everything Stolen.” But the risk is there. “Did you lose corporate secrets? Did you lose money? Did you lose your reputation?” asks Breton. “These are the things you need to protect against.”