Four Myths of Corporate Espionage

August 25, 2015 | Insider Threat

Corporate espionage remains one of the most prevalent forms of data loss in private industry. Despite the pervasiveness of the problem, companies often make the mistake of dismissing it as a peripheral concern and fail to take preventative action. Much of this failure is due to the acceptance of four unspoken myths about corporate espionage—assumptions that are well worth revisiting.

Myth 1: “Corporate espionage is not a widespread problem”

One of the most common misconceptions about corporate espionage is that it is a narrow risk affecting only a handful of companies in industries such as defense, infrastructure, and technology. In reality, the scope of corporate espionage is far broader. The most reliable estimates place the cost of intellectual property (IP) loss in the United States at more than $300 billion per year. Globally, that number is likely to exceed $1.7 trillion. General Keith Alexander, former Director of the National Security Agency, has called the theft of IP the “greatest transfer of wealth in history.”

The scope of the problem is daunting, and it is growing. The counterintelligence division of the Federal Bureau of Investigation reports that the number of economic espionage cases has risen by 53 percent in the past year. The Bureau even produced a Hollywood-quality short film as part of its strategy to raise awareness of corporate espionage threats among US businesses. While corporate espionage threats originate from around the world, the vast majority, approximately 95 percent, emanate from China.

Myth 2: “We’re too small to be targeted”

Size is not a hedge against IP theft. In fact, threat actors are often incentivized to target smaller organizations due to their typically weak security postures. In the cyber arena, nearly a third of all targeted cyber attacks on companies’ IP are directed toward businesses with fewer than 250 employees. Smaller organizations are also attractive targets due to their business relationships with larger firms. Vendors, contractors, and partners of larger companies often have access to their clients’ networks and data, making them convenient access points for stealing sensitive IP.

A company need not be on the radar of a foreign government in order to be at risk. For smaller enterprises, the insider threat is significant enough. A study that tracked trade secrets litigation for more than 50 years found that in more than 85 percent of cases, the perpetrator of corporate espionage was either an employee or a business partner of the organization. The bottom line is that small size is a weak defense against corporate espionage: if a business has something worth selling, it has something worth stealing.

Myth 3: “Our cybersecurity will prevent information loss”

A comprehensive cybersecurity strategy is critical to preventing the loss of IP. However, not all corporate espionage is cyber-related. In 2012, a major multinational aerospace company lost reams of sensitive IP when employees snuck into its facilities overnight to fax and scan documents to a competitor firm in China. Simple activities such as transmitting paper files, flash drives, and photographs require little technical skill, but can be devastating to a company’s IP.

A strong cybersecurity posture will also do little to stop advanced surveillance techniques by highly motivated actors. A pinhole camera or a hidden recording device in a conference room can spell the undoing of years of investment in proprietary processes, strategies, and products.

Myth 4: “Information loss will not affect the bottom line”

If a firm’s sensitive data were to fall into the wrong hands, would it still be a viable business? In many cases, the answer to that question is “no.” In 2014, major US government contractor US Investigations Services (USIS) was breached, leaking background check information on thousands of federal employees. The US government, which had awarded $340 million in contracts to USIS the previous year, immediately suspended work with the company. The next month, the federal government declined to renew contracts. By February, USIS had folded and its parent company, Altegrity, had filed for bankruptcy protection. If a multibillion-dollar firm can be crippled by data loss, companies of all sizes can ill afford to take the protection of their sensitive information lightly.

No Silver Bullet

Defense against corporate espionage requires constant vigilance. When would-be spies encounter resistance in one attack vector, most will modify their tactics rather than retreat. An enterprise cybersecurity strategy that includes periodic vulnerability assessments and company-wide information security training is a critical pillar in any counterespionage program. Companies must also supplement their cybersecurity strategy with technical surveillance countermeasures to ensure that sensitive business discussions are shielded from prying eyes and ears. Finally, an information security policy that includes robust data access restrictions can help mitigate the risk of insider attacks. While there is no silver bullet for preventing corporate espionage, companies of all sizes can do much to safeguard against the loss of valuable intellectual property.