Harvard Business Review Contribution.
How to protect and defend your organization’s sensitive information
Espionage has always been around. During the 6th century BC, the philosopher Sun Tzu found it very useful for gaining an advantage over his adversaries. Traditionally, spying (as well as other intelligence assessments) were of service to countries, their secret services, and their armies. Its first objective was to protect and improve the security of the country by discovering information that its strategic competitors and allies want to keep hidden. Many countries like the United States, Russia, and China also have secret espionage programs for the benefit of their businesses.
Espionage in the headlines
Today, more and more businesses adopt private information practices, which were previously usually the privilege of sovereign countries. In the United States, cybercrime targeting intellectual property costs between 10 and 12 billion dollars annually, and the theft of trade secrets costs between 1% and 3% of GDP. That being said, spy affairs regularly make the headlines. The Chinese telecommunication business, Huawei, was banned in the American market following accusations of espionage. The rideshare company, Uber, was also accused by Google via its affiliate Waymo of theft of industrial secrets. The CEO of Credit Suisse bank also had to resign following accusations of spying on one of his leaders.
Information is power
In business, the more a company has access to quality information with high added value, the more it has chances of success. The collection of information, acquired legally or not, has become the vital essence of small and large businesses. In the context of espionage, information has become the knowledge held and valued by one, but not available to another. Whether the reasons are offensive (a race for innovation, strong competition for resources, and intrinsically-limited market share) or defensive, advanced capabilities of secret intelligence gathering are now mandatory.
Even if stealing data and taking direct action against a competitor is illegal almost everywhere in the world (exposing the attacker to convictions for theft, fraud, corruption, or breach of contract), the sanctions are rather nominal in the short-term, and therefore not really dissuasive. The benefit-risk calculation of industrial espionage (by companies) and economic espionage (by states) remains in favor of those who practice it. Some of the biggest spenders are in the pharmaceutical business: more than a quarter of pharmaceutical companies spy on the competition, spending no less than two million dollars a year.
Companies must immediately adopt a more proactive approach against corporate espionage, as the costs for being unprepared are enormous.
The information cycle
The first step in secret intelligence gathering is to clearly identify the type of information being sought. Once the intelligence is targeted, the next step is to determine where and by whom that information is kept, and then decide on the most efficient and secure way to extract it. Obtaining information within the targeted organization is done through open-source research (trade fairs, congresses, media, Internet), technical means (cyber-attack, listening devices, intrusion) and human sources (blackmail, corruption, extortion), or a combination of all of them.
Access to information has become simpler and more discrete with the advent of the Internet. While cybersecurity is one of the areas in which companies have invested heavily, the weakest link in any security system is still the human element. Using a human source within an organization to bypass countermeasures is one of the spies' favorite tactics. Everyone from the maintenance worker to the manager has weaknesses and needs. Identifying them allows spies to easily manipulate the target with direct access to the information needed.
To run an effective and efficient business, information needs to be exchanged within companies and with partners, customers, and suppliers. However, this does not mean that all of the company’s data should be shared equally. Every business has its secrets. Proprietary information or exclusive technology can be of great value to competitors if discovered. All business sectors could be negatively impacted. Stolen information is primarily R&D data, customer information, and financial information.
In order to determine the level of protection of any business’ information, as well as its cost, the company must assess its value and classify it according to four categories related to the degree of danger for its activities:
1. Non-confidential information: Publicly-available information. No impact in the event of theft.
2. Confidential information: Low-business impact in the event of theft. This type of information requires only minimal checks.
3. Secret Information: Theft of vital information that would be harmful, even if the business survives. This type of information requires a higher level of protection.
4. Top-Secret Information: Critical information. The success and future of the business is directly linked to it. This type of information requires the highest levels of protection.
From counter-espionage to the culture of protection
To be effective, employees should understand that the senior leadership of the company strongly supports counterintelligence programs and expects them to do the same. The countermeasures break down into two main components: protection and defense. Protection consists of monitoring company’s operations and stakeholders, searching for possible leaks and vulnerabilities, and filling the gaps in internal security. Defense focuses on establishing active measures to trap, deter, or at least increase the costs of espionage for those who seek to harm the business.
Training. Involves educating and raising awareness of espionage among employees with access to sensitive information. The program explains the different types of threats, the variety of methods used in spying on businesses, the value of sensitive information, and the damage that could be caused. The objective is to also train employees to identify suspicious people or abnormal behavior, detect potential threats, and to react appropriately by reporting attempts or suspicions of spying. It is extremely common for executives to carry large amounts of sensitive data while traveling. It is, therefore, necessary to train them to be protected against any illicit appropriation by adopting the appropriate behavior.
Internal and external monitoring. The weakest component of any security program, especially in the technology-intensive business era, is the human element. Conducting background checks of employees in charge of sensitive information, setting up a monitoring process, and having precautionary measures. Confidentiality agreements, non-competition agreements, in-depth interviews, and removal of access in the event of resignation, for example, will limit the loss of information. The company must also exercise due diligence with its partners, suppliers, and customers. Finally, It should review financial and performance data, legal status, reputation, potential links with competing companies or companies under foreign control, as well as their compliance.
Technical measures. The security of sensitive information and assets includes technical, electronic, and IT measures. It is important to reinforce access controls in zones where sensitive information is stored, processed, and discussed. Barriers between sensitive information and those who are not authorized to access it, secure storage of sensitive data, and secure destruction protocol for secret documents. It is also necessary to detect spying devices: electronic scanning to remove microphones and cameras, protection of cell phones, computer systems, etc.
Offensive counterintelligence. When an attack is discovered, companies whose jobs and reputation are at stake, must use internal and external investigative resources to detect the leak and establish an active defense. The company may also consider criminal prosecution or use an "offensive" counterintelligence program. The latter consists of identifying the attackers and transmitting incorrect information via their spy source with the help of security experts and the authorities.
Experts agree that espionage is the second-oldest profession in the world. Although the threat is widespread and growing, businesses should not wait to be the victims. By combining a proactive attitude with a healthy and safe culture, it is possible to protect vital business information. Knowing the value of trade secrets, having a detailed knowledge of espionage threats, protecting sensitive information, and implementing effective procedures will limit the scope of attacks. Finally, by making its employees feel appreciated, valued and happy, the company will encourage them to protect their working environment instead of acting in a way that threatens it.
This article was originally published in the Harvard Business Review France with the title: Petit manuel de contre-espionnage à destination des entreprises