Corporate Spies and Protecting Proprietary Information

Secret bank accounts in Swiss banks; foreign governments; selling of top secret information and the hint of international intrigue – all combined for what could be a Hollywood thriller, except that it is all based on recent news stories. 
The Wall Street Journal and Bloomberg business news reported on the developing story of corporate espionage at Renault, the French automaker.  Three of the company executives are being charged with corporate espionage after reportedly selling information on Renault’s electric car.  According to one article, Renault has invested over $5 billion in developing electric car technology.
So far, the details are sketchy about what exactly happened.  Reports indicate that a Chinese company may have made payments into the bank accounts of at least two of the executives.  And to add to the damages, the French government is the largest shareholder of Renault bringing this to more of a spy operation between two governments than two competitors looking for an edge.
What lessons can be learned?  And I know what you are thinking…my company doesn’t deal in high-tech products; no one would care about what we do.  Wrong.  Virtually every business and organization has information that, in the wrong hands, could impact their competitiveness or damage their corporate reputation.
Let’s take a look at another big news story this week.  In Arizona, there was the shooting that left 6 people dead and several, including a congresswoman, injured.  In the aftermath, three hospital employees where the victims were being treated were fired for unauthorized access to patient health information (PHI).  It does not appear that anything was actually released, but this is a clear example of another type of proprietary information.  The information may have been accessed out of sheer curiosity or it could be that some news agency might have been willing to pay for a ‘scoop’ on a patient’s condition.  This is a risk anytime a hospital has a VIP patient or even a deceased victim.  Think of all the media attention around Michael Jackson’s death and the money that might have been paid for exclusive photos of his body.
Here are two very different industries and two very real examples of proprietary information and the potential damages.
And what if your business or company provides a service or product that is seen as a commodity…there is no value in any company information at all, right?  In this type of case, your proprietary information may be even more valuable.  As a ‘commodity’ price may be one of your strongest competitive edges, especially when bidding for a contract renewal or for new business.  If you went into a sales presentation and knew exactly what your competitor was going to present and exactly what their price model was, wouldn’t you be able to adjust your bid to guarantee winning the business?  Along these lines, wage information, benefits to employees, training topics and costs, manufacturing techniques and vendor information can all become valuable items to know about competitors.
To prevent the loss of the information, a full risk assessment should be done.  Identifying all critical information is part of that, followed by identifying how that information is exposed and what threats can take advantage of the exposure. 
The easy way to look at risk, is this: risk is what you face when a threat exploits a vulnerability to put a critical asset in jeopardy. 
The real challenge comes with protecting information.  There are so many different ways to access and steal it, as we saw not long ago with the Wikileaks scandal.  The tricky part is that for the information to be of value, the employees of an organization have to have access to it.  The executives in the Renault case were responsible for upper level management positions, including heading up new product development.  This story will be worth watching to learn more about how the theft was uncovered, leading to a five-month long investigation.
In the case of the hospital in Arizona, it is very likely that the hospital’s IT department had some measures in place to see who was accessing electronic medical records.  Since this was a high-profile incident, I imagine that more attention was given to tracking access to any related victims.  As soon as any employee other than those that “needed to know” accessed the information, the IT department quickly checked on whose credentials or log in had been used to close that avenue of potential loss.
So what were those lessons learned?  Spy-proof your business with these four steps:
1.      Identify critical information – think about what your competitors would want to know about you and what you want to know about their business
2.     Review how that information could be vulnerable.  Look at how it is stored, electronically and hard copies.  Is it on a server or specific PC that could be stolen?  Could the data be emailed off your network?
3.     Evaluate the potential threats – usually, in these cases, employees.  Do key employees face regular background checks or screening?  Consider looking at credit issues as well.  Don’t assume that because an employee is higher in the organization that they are more trustworthy.  In the Renault case, the theft occurred at the executive level, not the mail room employee.  Think past criminal intent – employee carelessness with data or falling for social engineering (obtaining info by false pretenses) are other possible threats.
4.     Take action to minimize the risk from the threats.  This sounds obvious, but is probably the biggest mistake that companies make.  A nice risk or security assessment may be done and all the documentation completed, but no follow up action is taken.  It is not in the budget, or no one is given the responsibility or worse, no one cares enough until after an incident happens.
Remember your proprietary information, no matter what form or what industry, will be of value to someone – the only question will be if it stays your valuable information or will you give it to your competitors for free?

Read a follow up post, "License to Fool: Renault Spy Case Takes Another Twist"

No comments:

Post a Comment