Keeping Corporate Secrets
© 2011 FrontLine Security (Vol 6, No 3)

Corporate espionage is linked to national security – in fact the concepts are tightly intertwined. Our national security is linked to our state secrets but it is the R&D and economic activities of companies that produces those sensitive intellectual property that is sought after by those who wish to gain any corporate advantage. With its knowledge-based society and cutting edge technology research centres, Canada and its companies ­represent a very attractive ­playground where international competitors can come to steal that R&D.

We spend per capita more on R&D than the entire European community. In addition, our allies have entrusted us with sensitive information. Many countries send operatives here to gain access to all those secrets.

The problem is that the Government has not done enough to raise awareness among the private sector concerning this threat. The result is that business leaders are not prepared for a very sophisticated threat. The bad news is that conventional security will do very little to protect IP or trade secrets, and, when it’s gone... it is gone for good! You can’t get it back and the legal system will be unable to get you compensation for your losses. In that game, vigilant awareness and knowing your threat are the only ways to prevent a disaster associated with loss of your company’s edge.

In Nest of Spies, I made the point that industrial espionage has not only survived but been invigorated by the end of the Cold War. And, while political and corporate spying disciplines have many differences, they are often performed by the same foreign officers. Political and corporate objectives and can also be quite different. Political espionage is almost exclusively performed by foreign intelligence officers who want to gain access to people who will provide strategic information or be used to influence their own country’s policies. It could be, for example, that a spy from a specific country recruits a senior public servant or elected official to influence his or her government to relax certain national policy. We call this person an agent of influence. Stalin used to call him a “Useful Idiot.”

A corporate spy could be the same foreign intelligent officer because often they are here under a diplomatic, trade officer or journalistic cover. In the name of bringing a good business opportunity and facilitating a new joint venture, you may suddenly find yourself deprived of your IP or your manufacturing process and ultimately, your market – not a good message for your shareholders despite your best interest at the outset of the campaign.

Perps and Targets
The perpetrator can be one of your employees instead of an international spy. In fact, 85% of all spy cases show that the modus operandi involved one or several people that had “legitimate access” to the sensitive information. In other words, the company had granted a clearance to that person. So, more often than not, the threat will be from the inside, prompted and assisted by the an entity on the outside.

Most corporate espionage targets are technology companies with valuable Intellectual Property (IP), but that absolutely does not that mean that non-tech based companies need not bother about security and protection from IP theft.

The idea of espionage is to gain strategic advantage over your opponent. Sometimes your company can be in competition for a major contract which does not necessarily involve new technology. For example, a company was bidding on a $300 million contract to install and build a project that was not cutting edge technology. Their competitive advantage was in the quality of their product and their efficient delivery. They lost the contract because their competitor was able to find out, with the assistance of its national spy agency, how much this company was about to bid, and underbid by a small amount to win the contract.

At the end of the Cold War we went from military to economic confrontations, and the countries with a foreign services have ALL increased their budgets and ALL have tasked their services to steal economic and industrial secrets. You are now facing a tough playground to do business internationally or if your product represents a threat to a foreign competitor.

An Ottawa company became a victim when an employee stole a new gadget that the company had just created. He sold it to the Government of Vietnam. The company estimated it lost 10 years of research, $40-$45 million in R&D, and between $200 million to $1 billion in market share. One briefcase, one gadget, one guy.

Inside Threats
But the threat can come from the inside too. Corporate espionage is often performed by a disgruntled employee or one who ­simply wants to make a quick buck. For example, an Ottawa company became a victim when an employee stole a new gadget that the company had just created. He sold it to the Vietnamese Government. The company estimated it lost 10 years of research, $40 - $45 million in R&D and in market share between $200 million to a $1 billion. One briefcase, one gadget, one guy.

A good security program goes beyond conventional physical security. You need to diligently look at all aspects of your business – from publishing job offers in the newspaper, to the way you hire and the way you select your suppliers and your clients.

You must know how your employees behave when they leave the office for the fun after hours drink or the business trip to a foreign country. Inadvertently hiring an individual who intends to learn your way of doing business and later becomes your next competitor can cause a lot of pain.

Companies need to consider hiring security management professionals in recognition of the modern threats from corporate espionage. At the risk of offending some of my security colleagues, we often see security professionals that do not understand contemporary threats. Not that they don’t have the right stuff to do the job when it comes to conventional security, but the great majority come from the physical security world (which is often limited to peripheral security) or the police world that has developed their skills in finding the bad guys after a crime has been committed.

In the corporate world, this is too late. Corporations don’t care about fighting crime. They are in business to make money and they need their security program to assist them in doing so. Their security program is a strategic investment (not only an expense) that connects to the strategic planning process.

A corporate security program must be able to detect and to warn about threats and ultimately to mitigate that threat before it’s too late. Corporate security includes the capacity to look along the horizon and translate that into a business process.

Towards a Resilient Corporate Environment
Protection against corporate espionage does not have to be expensive – it has more to do with a good BUSINESS CULTURE than “guys who shake hands with door knobs at midnight” or more firewalls for your computers. It is more about good executive leadership than conventional security. Traditional techniques dealing with company security can be important, but they might not be enough because spy games are done by humans. There is always a human factor in a spy case and is often caused by someone who was not even aware of what was going on until it was too late. So AWARENESS is the name of the game.

We are now witnessing the arrival of organized crime in the business of espionage. Particularly in the area of cyber-espionage, we see organized crime stealing trade secrets and IP to sell it on the black market.

However, the threat is different for every company. Therefore, before engaging in a series of awareness programs, it is important to understand the specifics of the threat you are facing.

The challenge is that corporate executives are not trained security experts. The following simple formula will help you assess an effective security plan. You must have a TRA (Threat and Risk Assessment) that will cover “Threat To” + “Threat From” = Vulnerability Assessment. “Threat To” is what you need to protect.

Most security consultants will tell you to protect your IP. Yes, that is the crown jewel, but key engineers or important executive leaders can be as important as your trade secrets. Determine the drivers to success, such as what will it take to win the next big bid – who and what are the unique processes that make your organization successful? Once you understand that, you will understand which elements of the business need the most protection.

Then you need a “Threat From” assessment that most times cannot be performed by security consultants. You need to know who wants to hurt you; who is looking at you as prey. Uncovering the threat agents will reveal their intention and objectives, including the way they might come at you. And don’t forget that the threat is not always on the outside. My point is that you can only get a true Vulnerability Assessment and optimize your budget for security only if you superimpose a “Threat To” and “Threat From” assessment on top. Only then can you really discover where your vulnerabilities are, and only then can your security program be planned to protect your corporate advantage adequately.

Proactive Intelligence
Ultimately, good security intelligence constantly keeps its eye on the horizon. It can discover patterns and indicators in a business practice that masks criminal activities.

We are now witnessing the arrival of organized crime in the business of espionage, particularly in cyber-espionage. We see organized crime stealing trade secrets and IP to sell on the black market.

In the best of worlds, our government agencies would warn us about such emerging threats and assist our national corporations to protect themselves, however, this has not been the case. Therefore, the private sector must create its own private intelligence capability and share it among the ­registered members of that community.

I am convinced that we can succeed in battling the rise of corporate espionage if we develop the capacity to assess strategic and tactical intelligence for corporate security rather than national security. With time, the national agencies will be looking for corporate security solutions instead of the other way around!

A 30 year veteran of CSIS and author of the book, Nest of Spies, Michel Juneau-Katsuya has become Canada’s foremost authority on espionage.
© FrontLine Security 2011