What Must You Do To Counter Corporate Espionage?

Corporate Espionage is often depicted as the stuff of movies, but in reality, organisations worldwide are having information stolen from their networks.

Corporate Espionage can be referred to as industrial Espionage, economic Espionage or corporate spying is the practice of using espionage techniques for commercial or financial purposes.

We usually think of “espionage” in terms of spies working on behalf of one government trying to get information about another. But in fact, many of the same techniques and even many of the same spies work in both realms.

Interestingly, one doesn’t hear much about corporate Espionage in the news.

If a corporation admits that it has been the victim of cloak and dagger activities, it appears vulnerable. This could potentially attract more “freelance” espionage based on the company being an “easy target.” It also shakes shareholder confidence.

Corporate Espionage is a much more compelling headline than an earnings report, so the news of a breach would almost certainly receive negative reputation publicity that would cause the company’s stock price to drop.

The simple form of corporate Espionage happens every day. People joining new organisations or leaving them tend to either take information to their new employment or start their own competing business or take to a foreign government or organisation.

What is the difference between Industrial and Economic Espionage?

Industrial Espionage

This occurs when a person or party gains access to a company’s information illegally, unethical, or constitutes unlawful business practices.

The term “espionage” is a synonym for the term “spying”.  Industrial Espionage includes the unlawful observation of company activity, unlawful listening (such as a wiretap), and unlawful access to company information, which all constitutes spying on the company.

But not all such Espionage is so dramatic. Much of it can take the simple form of an insider transferring trade secrets from one company to another. For example, a disgruntled employee or an employee who has been hired away by a competitor then takes information with them for their advantage.

Examples:

1. IBM vs Hitachi / Mitsubishi

In the 1980s, IBM won a court case against Hitachi and two of its employees and Mitsubishi for Industrial Espionage. Hitachi was charged with conspiring to steal confidential computer information from IBM and transport it to Japan.

2. Gillette vs Competitors

In 1997, a man from Washington, Iowa was charged with wire fraud and theft of trade secrets from Gillette who then disclosed technical drawings to Gillette’s competitors in the razor market.

3. Ferrari vs McLaren

In 2007, McLaren, the leading team in the Formula One championship, was fined $100 million for cheating in using data obtained from Ferrari, its main rival, to improve its car.

Economic Espionage

Is the unlawful targeting and theft of critical economic intelligence, such as trade secrets and intellectual property.

The term refers to the covert acquisition or outright theft of invaluable proprietary information in several areas, including technology, finance, and government policy. 

Economic Espionage differs from industrial Espionage in several ways. It is likely to be state-sponsored, have motives other than profit or gain (such as closing a technology gap), and be much larger in scale and scope.

Examples:

1. F-22, F-35 and the C-17

Chinese spies stole critical design information about America’s top military planes. This was verified according to top-secret documents disclosed by former US intelligence contractor Edward Snowden.

2. Tesla vs Xpeng Motors

Tesla filed a lawsuit in 2019 against a former engineer at the company, claiming he copied the source code (300,000 files) related to its Autopilot technology before joining a Chinese self-driving car start-up.

3. China Aeroplane

To establish a foothold in the aviation industry by building its own “Chinese” commercial passenger plane, they instituted a coordinated, targeted approach in gaining the necessary technology.

Using hackers, cybercriminals, Chinese intelligence as well as recruiting insiders to steal critical designs from different manufactures (Engine – CFM; Flight Control Systems – Parker Aerospace; Flight Recorder – GE; Airframe – AVIC; Fuel System – Parker Aerospace; Landing Gear – Honeywell; Tire – Michelin; APU – Honeywell; Cockpit – Eaton; etc.).

In 2018, 10 Chinese individuals conspired to steal aerospace trade secrets from 13 western companies, most of the U.S. based.

4. China vs World

In 2020, a leaked document containing a list of 1.95 million Chinese Communist Party members. In the list of names of CCP members who have infiltrated top corporations and high government levels in the US, UK and Australia.

What do assailants want?

As you have seen by the above examples, they do not want the company’s money. No, there is something far more valuable that is deliberately targeted by such attackers.

They tend to target the company’s most valued asset – Their intellectual property, whether it be their unique designs, methodologies, processes, plans, inventions, trade secrets, patents, databases or other valuable benefits.

What are the different types of methods used to acquire their target asset?

Most organisations that find themselves suffering leaks probably as a result of their negligence and carelessness.

A competing organisation or nation-state that has targeted its victim will use different means to extract that asset.

• Through a coordinated approach, “contractors” (such as hackers, cybercriminals) are hired and assigned particular interest theft.
• They will recruit company insiders, or even coerce employees to aide their hacking efforts using blackmail or threats against families living at home.
• They will also try and place critical people within organisations as employees.

Many threat actors are circumnavigating target organisations by breaching them via trusted partners, business associates and other third-party networks.

Example: SolarWinds Attack

Thousands of organisations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion network monitoring software in order to deliver a backdoor Trojan.

The attackers were able to compromise the update process of a widely used piece of SolarWinds software there by affecting organisations such as the Pentagon, the Department of State, the Department of Homeland Security, Microsoft, FireEye, Cisco and many others.

 As the saying goes “Why bother to hack into a software company when you can just order it to install malware in its products?”

As ever, these organisations are persistent and inventive. If they can’t get in one way, they will keep trying until they find another.

Suggested Mitigation Recommendations

Because of this threat’s comprehensive nature, here are ten effective tactics that you can adopt to reduce the risk of corporate Espionage.

1. Identify critical assets – This not only involves looking inward but looking outward as well. Organisations cannot deduce their asset’s actual value until they understand how it is also perceived from the outside.
2. Identify the threat actor – Who are the actors that may want your asset? Is it competitors, partners, hackers, activist groups, foreign national state or even a client?
3. Ensure physical security – Organisations should ensure that the physical security of their offices, equipment and infrastructure. This means setting up surveillance and utilising specialised security personnel. Importantly, the organisation needs to identify the most sensitive facilities and ensure they are given extra protection layers.
4. Create security policies – Organisations should establish policies on what information employees can share inside and outside the workplace. It is essential to identify mission critical roles in the organisation and estimate their exposure to espionage risks. Establish the necessary corporate practices to communicate, train staff in the rules developed, governance and security operations.
5. Judge access – Implement the need-to-know principle for defining access rights and establish controls to monitor misuse of privileged profiles.
6. Conduct background check on employees – Organisations should conduct background checks on all employees with access to the sensitive asset. This may even include often-overlooked individuals such as janitors, caterers, and groundkeepers.
7. Conduct employee monitoring – Organisation needs to monitor the actions and activities of employees. Organisations need to ensure that members of their team are truthful and loyal to their employers.
8. Establish employee exit procedures – Organisation needs to develop comprehensive employee exit policies. Most cases of intellectual property theft perpetrated by employees occur 30 days before resignation and 30 days after.
9. Ensure cybersecurity practices – Corporate Espionage is increasingly becoming the domain of the cyber realm. The organisation must maintain a robust cybersecurity framework.
10. Consider Threats From Trusted Business Partners – While it might appear that outsourcing business functions will result in cost savings, expertise and other benefits, be sure to factor the threats that they may pose to your business.

The world of corporate Espionage is very real and very different from what one would expect.

It is far from glamorous, lacking both gunfights and fast women, but it concerns companies.

The temptation for gains, advantages and rewards in stealing the asset is strong, so corporate Espionage will continue, whether we hear about it or not.

How Can We Help You Address The User Risk?

Did you know that you have trusted people that are exposing your business to harm right now?

Are you interested in identifying risky behaviour by your employees or other

trusted business partners?

Now, with a User Threat Assessment, we can provide you with insights in a limited 30-day engagement and get one report assessing your organisation and its most significant risks.

• We will provide you with the visibility and analytics, allowing you to understand where your data is living, how your users interact with it, and where and how it’s leaving the organisation. You’ll also get an understanding of how users behave both on and off the corporate network.
• Your assessment will also show whether your employees are circumventing security policies and controls.
• We will find and elevate your highest risk users for inspection and find out where you need to be investing your security resources to get the best results.

What is the process?

1. Simple deployment – We will deploy a specialised monitoring tool on the selected endpoint of your choosing. The agent is lightweight enough to deploy in mere hours and will have no noticeable performance impact.
2. 30 days of Collection – We will monitor your endpoints, collect user activity data, and analyse that data
3. Your Threat Report – Once the 30-day data collection period is complete, we will review the findings and alerts and compile an executive summary & detailed report highlighting your organisation’s most prominent risks.

Our Guarantee

100% of Threat Assessments that we conduct have found some form of undetected, unaddressed security threat. Find out what’s happening in your organisation or pay you $1,000 to your nominated charity.

Your Next Step

To request your assessment, please fill in the contact form:  https://www.nakedinsider.com/user-threat-analysis or email us