Business Espionage: Why There Are Bigger Threats To Your Business Beyond Cyber-Attacks

The National Cyber Security Center continues to warn businesses that cyber-attacks are on the rise and that organizations should have the correct prevention strategies in place. But with all the focus on cyber, businesses could be overlooking a greater threat to their security; most commonly referred to as business espionage or business spying.
 
Unlike corporate espionage, which involves corporations spying on other corporations, business espionage occurs when governments or competitors spy on businesses, whatever their size or function. 
 
This can involve cyber-attacks, where systems are hacked and confidential data is downloaded, copied, or stolen, but it also involves the use of listening or monitoring devices, hidden cameras, and transmitters. In some cases, business espionage can be carried out by spies, who infiltrate organizations to access private information in various ways, from stealing or copying files to going through paper waste. These spies can be employees, former employees, cleaners, contractors, or intruders.
 
An estimated US$8.5 trillion ($1.7 trillion per year) is lost worldwide in five years as a result of business espionage. To put this into context, that’s US$5.5 trillion more than all costs relating to the attack on the World Trade Center in New York City in 2001, which were estimated at US$3 trillion for the five years following the attack. 
 
Business espionage can have a catastrophic impact on businesses, and yet it is one of the least understood threats facing organizations today. 
 
CONSIDER ALL INSIDER THREATS 
Business espionage can come from many sources, including individuals, competitors, foreign governments, or criminal gangs, and in most cases, perpetrators can get away with business-critical and confidential information long before anyone becomes aware of the breach. 
 
In some cases, it can be as simple as a bogus new starter entering the building, armed with the right information to get by security, swiftly stealing confidential information in the form of documents, laptops, or mobile phones before anyone notices. 
 
Increasingly, spies are stealing personnel records, as these are also of great value to businesses. We could argue that accessing personal information about an organization’s people allows spies to better infiltrate the business, or even recruit new talent straight from within the business. 
 
Business spies will develop detailed and strategic plans to infiltrate organizations and access their data. They will play on basic weaknesses, knowledge gaps, and human frailty, which is why businesses must have the correct measures in place to monitor these threats. There is little point in monitoring systems if you don’t also monitor the people who have access to them.  
 
Potential workplace threats include new starters, disgruntled or greedy employees, but also suppliers and contractors who may take confidential information with them, with little sign of detection. Sensitive information being shared via online platforms and telephones, or on printed documents is also vulnerable if not protected appropriately.  Information can also be elicited by telephone and computer communications, or during conferences.
 
Business executives are particularly vulnerable to spying when traveling for business matters. This is because although most businesses will consider terror threats, criminal activity, or even natural disasters within travel security programs, they rarely cover business espionage. The same risk applies to expatriate employees, stationed in foreign countries, as the company may not explain the threat of business espionage to them for fear of disrupting them.
 
EFFECTIVELY PROTECT YOUR COMPANY’S INFORMATION
Companies will routinely monitor equipment loss because of theft, but arguably a far greater consequence to the business is the information that can be found on these stolen company laptops or mobile phones. The information that can be accessed on these devices is virtually guaranteed to have a far greater value to the company than the equipment itself. 
 
As well as setting complex passwords and passcodes, and installing software that allows the organization to track these devices, all sensitive data should be encrypted and copies should be saved to secure servers. Legal restrictions such as non-compete agreements, patents, and copyrights are also ways of protecting your data and your assets from competitors and former employees. 
 
Good physical security and access control help protect from business espionage. As part of a security audit, rights of access and rights of way for all staff and all services staff such as cleaners, engineers, and IT professionals should be mapped out, agreed, and tested. Firmer and more limited access control should apply to any external visitors. 
 
Screening processes and background checks for new starters should also apply to contractors and partners, as in some cases they will have access to the same confidential data and premises as a full-time employee. 
 
For companies or business departments that handle particularly sensitive data, one solution is to monitor printing, either by limiting access control to certain printers or printing rooms, or even through banning printouts entirely. Most printers will have the ability to store copies of up to 1,000 of the latest printed pages, some of which may contain confidential information.  One related spying issue is that printers and copiers can often be accessed remotely or the hard drives removed by repair/maintenance companies.
 
In departments where printouts are permitted, clean desk policies should be implemented and enforced, and processes should be in place around the timely disposal of sensitive data that has been printed out.  
 
As well as implementing physical and IT security systems within organizations, members of staff should also be briefed appropriately. Whether they work in reception, sales, or IT, at the operational or director level, educating your people on the threats of business espionage, and how to prevent it will go a long way in preventing your data from reaching the hands of the wrong people.