This goal is difficult given the way most companies manage information. Eighty percent of a company’s useful knowledge is unstructured, residing not in secure databases, but on desktops, filing cabinets, personal emails and internal reports, according to Gartner Group. This makes it very difficult to find, control or track intellectual property, let alone protect it.
Educating employees and implementing technology to track proprietary information are proactive steps every organization should take to avoid the pitfalls of economic espionage. With the growing concern that proprietary information, when in the wrong hands, is considered a threat to national security, companies must now go above and beyond to protect, educate and manage the distribution of information.
All public and private organizations are protected by law against the theft of proprietary information through the Federal Economic Espionage Act, among other laws and court decisions. Economic espionage cases range from medical professionals stealing patient lists and other records, foreign entities stealing new technology secrets or medical research, to major food manufacturers battling over a pizza crust recipe.
To make a case for economic espionage, organizations and their security operations must practice due care: identify where secure knowledge exists, how it is accessed and transferred. Failure to practice due care, combined with the fear of adverse publicity, leads to a great reluctance to report criminal activity. Even companies that have invested millions in secure technology find they are unable to prove where information originated because they have not taken the appropriate steps to track valuable knowledge assets.
Many organizations do not realize the threat posed by the turnover of valued employees. A service manager at a medical systems company resigned and went to work for a competitor. His new job was exactly the same as the one he had performed at his previous employer, and he enhanced his performance with downloaded information from his former company laptop. The lesson learned: companies that fail to restrict access to important information, or to enforce non-disclosure and non-compete agreements, are likely to suffer a similar fate.
In fact, more than 56 percent of the Fortune 1000 admit to having been victimized by the likes of economic espionage, according to a report from Lexicon Communications, a corporate crisis communications firm. It is likely that much of the other organizations are unaware that they too have experienced a security breach because of an employee who quits.
Current employees also pose a challenge. An intelligence collector’s best source is a trusted person inside an organization whom the collector can task to provide proprietary or classified information. These individuals are of greatest value to a collector because of their legitimate and direct access to information. In some instances an insider is selected because of personal weaknesses or vulnerabilities.
Other potential threats of economic espionage include visits by contract employees to a company’s manufacturing facility, the misplacement of an employee’s laptop computer or the discharge of a disgruntled employee. Business trips abroad are especially vulnerable--briefcases and other luggage can be searched and materials copied covertly either at border crossings or hotel rooms.
Keeping with its mission “to identify, prevent and defeat operations that threaten U.S. economic interests,” the FBI and some state and local law enforcement agencies now work with companies to educate and promote awareness on the dangers of economic espionage. The message: organizations must gain a cultural approach to security by recognizing the integral role people and processes play in the way business is conducted instead of approaching it solely from a technological perspective.
The step that many skip is to first evaluate work practices and note how and where secure knowledge is transferred before investing in security technology. By conducting a company-wide risk assessment, organizations can identify the information that represents the greatest threat to the company if exposed. Once the assessment is complete, it is important to develop policies that address several key areas: the identification, classification and marking of sensitive information, guidelines for distribution of information, physical security and information technology security.
Create a proactive model that integrates security principles at all levels of the business and involves all employees in the process of protecting their individual intellectual capital. This includes specific policies for employees to identify and report offenses, outlining procedures for non-disclosure agreements and controlling access to facilities and e-mail. In addition, organizations can implement a training program to educate employees on the problem and their obligation to prevent and report it. Programs that involve continuing education and periodic tests via scenario-based questioning ensure long-term cooperation.
Once a company’s risk has been assessed, and policies have been implemented to educate employees, organizations can finally turn to technological tools.
The prevention of economic espionage demands an understanding of human nature (psychology), the workplace (sociology) and technology. Those who recognize this and practice due care will not only have the means to prove that a theft has occurred, but will have policies to protect against such a security breach.
To help SECURITY Magazine readers keep up with economic espionage issues and trends, SECURITY sponsors a DAILY NEWS service on the Web at www.securitymagazine.com. News channels include facility security as well as computer and information security news. Articles come from worldwide media sources ranging from the Los Angelese Times and Slate.com to Communications Daily and Regulatory News.
For instance, just last month, the SECURITY Magazine Web site first reported on the indictment of two California men who have been charged with stealing trade secrets from four high technology firms in the state so as to hep a Chinese-based microprocessor maker.
Using information gathered in part by private security operations, law enforcement personnel arrested the two in late November just before they we to board an airline to China. Evidence was recovered at the site.
There have been other DAILY NEWS on the SECURITY Web centering on economic espionage, including coverage of the various incidents from the U.S. national laboratories. For instance, executives at Los Alamos National Lab are currently under fire for allegedly lax security in allowing a “culture of theft” to grow at the facility.
So keep up with the issue of economic espionage through www.securitymagazine.com.