This article is an edited excerpt from the Fraud Examiners Manual, Third Edition ©2000 Association of Certified Fraud Examiners, Austin, Texas
Corporations are hungry for information. A majority of Fortune 500 companies have full-time staffs devoted to gathering intelligence information about competitors. It's necessary to do so to keep up with changing technology and market demands. There are a growing number of businesses that discover information about a particular company or industry for a fee.
A substantial amount of information can be gathered about a company using entirely legal methods. Much more data can be gathered through illegal methods. Therefore, companies should have policies and procedures in place to protect against both legal and illegal intelligence gathering.
The Economic Espionage Act of 1996 makes the theft of trade secrets a federal criminal offense. The Department of Justice has sweeping authority to prosecute trade secret theft inside or outside the United States, and on the Internet.
Favorite targets
Some of the favorite targets of intelligence gatherers include research and development, marketing, manufacturing and production, and human resources departments.
Research and Development
One would think that R&D would be the most heavily guarded department in a company, but access to R&D information is surprisingly easy. R&D personnel are almost always in the flow of information. The open exchange of information is part of the nature of their job. They participate in conferences, attend trade shows, and work with academic institutions; however, at each of these functions, they leave themselves open for intelligence spies to listen, mingle, and ask questions.
Researchers who publish their findings in industry journals may inadvertently include details of a project on which they may be working. This is particularly true in the case of academic professionals who may be hired by a company to perform research or conduct a study. More than one company has been surprised to learn that the results of a supposedly confidential study were published in an academic journal. If an academician is hired to conduct research, make sure that he or she understands that the results are to be kept confidential. Also make sure that the use of teaching assistants or graduate students is kept to a minimum and that those individuals understand the confidentiality requirements.
Marketing
Insight into a company's marketing plan is a valuable gift to a competitor. Being careless with vital information such as test marketing results, promotional strategies, and planned introduction dates can be disastrous.
Manufacturing and Production
Production managers are often good sources of information. Also, almost anyone answering the phone on the plant floor can unwittingly provide valuable information to a crafty caller from a competitor.
Human Resources
Intelligence people often pay close attention to help wanted ads, job postings, and job announcements. More ominously, they may use this information to arrange a job interview to get information about the firm and what the job will entail.
Although the departments listed above are some of the more-favored targets, other personnel in an organization can provide enormous amounts of useful information. For instance, salespeople like to talk and are an excellent source of information on pricing, product innovations, and market programs. Purchasing agents are helpful in divulging suppliers, information about what is selling, and the costs of raw materials and services.
Breaking In
To break into an organization, intelligence operatives use a number of key access points. The telephone is the best method of gathering data from both inside and outside the company. A skillful interviewer can lead a person into divulging something he shouldn't without the person perhaps realizing what is happening.
Caution employees about phone calls from people who are supposedly conducting a study. They may identify themselves as market analysts, industry analysts, or students working on a paper.
Tours of facilities should be used carefully. They provide an easy way to gather information. Even papers sitting on a desk or tacked to a bulletin board can provide information.
Publications printed by the firm such as newsletters or reports to shareholders can inadvertently provide just the information a competitor is looking for. Also, speeches by executives eager to impress colleagues or potential customers are a danger point.
Persons outside the company can also provide useful information. Suppliers, for example, often know the most intimate details about a business's products and production amounts. One prominent intelligence firm reportedly spent years developing a close relationship with suppliers for several industries. Important tactical information was only a phone call away.
Maintenance and janitorial personnel can also be a source of valuable information, particularly if they aren't well-treated or well-paid. There are numerous stories about janitorial staff employees who are paid to separate out confidential internal documents and turn them over to intelligence operatives. One intelligence gatherer reportedly approached a janitorial worker and offered to pay him for confidential documents. The worker told him he wasn't interested. When asked why, the worker said, "Because I'm already being paid to do that by somebody else."
Companies that don't have a system in place for disposing of confidential information also leave themselves wide open for a competitor to "dumpster dive" and take proprietary information directly from the company's own trash.
Unless everyone in the organization works toward protecting sensitive information, competitors will always be able to obtain confidential data. However, it's impossible to have every employee's cooperation or to protect the flow of information outside the company. But there are strategies and procedures that management can adopt to significantly reduce the amount of information to which competitors can gain access.
Program for Safeguarding Proprietary Information
Companies should develop programs for safeguarding proprietary information (SPI). Businesses should seek out a corporate information officer (CIO) to develop and manage an SPI program. An alternative is to hire a security management consultant to develop a program and then maintain it on a yearly basis. In either case, the CIO should have information management skills and be knowledgeable about trade secret protection.
Task Force
To coordinate a company-wide SPI program, a task force should be assembled. The task force should include managers and staff from departments that deal with proprietary information such as research and development, and production. The team should also include representatives from corporate security, human resources, records management, data processing, and legal.
The process should begin by determining what information should be protected. The task force should identify those areas that give the company its competitive edge, such as quality of the product, service, price, manufacturing technology, marketing, and distribution. One way of accomplishing this is to ask the team, "If you were our competitor, what information would you like to know?"
Once these sensitive areas have been identified, the primary focus should be on the information security procedures for each department. They should identify where proprietary information is kept and survey the risk if such information is lost to a competitor.
Employee Awareness
An effective program must educate employees about security awareness. Employees should understand that their professional growth and well-being depends on the success of the company. It should be made clear that the success of the company is directly tied to the protection of information and data. Employees should be taught how to respond to telephone information requests. A procedure should be set out in which information requests are sent to the public relations department or some other group.
Nondocumentary communications should also be protected. Employees need to know that they are accountable for what they say, whether it be over the phone or at a social gathering. Employees should never discuss confidential business information at airports, restaurants, or any place they could be overheard. They should also be instructed about using a laptop computer wherever there may be a chance it could be read in public by someone "shoulder surfing."
Reminders of the importance of information security should be published regularly in the company newsletter, on bulletin boards, or in memos.
Nondisclosure Agreements
All employees should sign a nondisclosure agreement. Everyone involved with the company should sign such an agreement including subcontractors and their employees, clerical staff, consultants, and temporaries. Besides the legal value, a comprehensive nondisclosure agreement sends a signal to employees that the company has a tough attitude toward preventing leaks. It might also be necessary to have suppliers and distributors sign nondisclosure agreements. Although suppliers and distributors have to receive information about certain aspects of a business, employees dealing with them should be made aware of the potential for the misuse of the information and should be instructed to provide them with only the information that is essential for them to do their job.
Document Classification
Document classification is also an important area in a protection plan. Working closely with each department, proprietary documents should be classified according to the level of security that best meets the company's needs. For instance, documents may be labeled "private" for personnel matters and move up to "restricted" for pricing or marketing information. Trade secrets or highly sensitive information might be labeled "authorized access only." Notes and drafts of documents should also be safeguarded or destroyed when the final document is completed.
Visitors
Visitors' access should be closely monitored. A visitor should be required to sign in and out in a logbook, must be escorted by his host at all times, and shouldn't be allowed into areas where there might be sensitive information.
Offices
Engineering and executive offices should always be locked to discourage browsing, theft, or the planting of an eavesdropping device. Keys to office doors should be kept secure. Keeping proprietary information and computer disks in locked cabinets greatly reduces the risk of theft.
Maintenance Workers
Management should designate security personnel or someone to monitor maintenance work done in areas in which there might be sensitive information. We have all seen movie scenes in which the hero, or villain, gains access to confidential information by walking into a building or office posing as a maintenance worker.
Meeting Rooms
Paging systems, background music speakers, and unused wiring can be used for eavesdropping. Any electronic items and wiring that aren't essential should be removed. A mirror and a light affixed to a flexible handle can be used to search for recording and transmitting devices in air ducts. After the search, when the duct grills are replaced, their orientation and screw-head positions can be designated with ultra-violet markers. By shining an ultra-violet light on the screws, it's easy to tell if the panels have been removed. Meeting rooms should be locked when not in use. If blackboards or flip charts are used, they shouldn't face the windows, or the blinds should be closed to prevent observation from telescopes or binoculars.
Quiet Rooms
A "quiet room" may cost anywhere from $15,000 to $200,000, but it may be justified based on the risk involved. A quiet room is acoustically and radio-frequency shielded. The room can also be equipped with intrusion monitoring sensors and CCTV cameras.
Communications Equipment
Cellular or cordless telephones must not be used to discuss sensitive business matters. These devices are radio transmitters and are frequently monitored by both hobbyists and professional information brokers.
E-mail and voice mail
For knowledgeable hackers, e-mail and voice mail systems are easy targets.
Case Example
The U.S. affiliate of a Japanese company which distributes duplicating equipment hired a former salesperson of Standard Duplicating Machines Inc., a U.S. company involved in the same business. Standard alleges in its suit against the affiliate that after the employee was hired, he went on a fishing expedition by searching the voice mail boxes of Standard looking for confidential information. After several months, a competitor tipped Standard off to what was happening. Standard reportedly set up a sting operation using bogus sales orders as bait. Standard reports that some 230 calls made to its 800 number were traced back to the ex-employee's home or office.
Confidential information shouldn't be left on a voice mail system or a home answering machine. Hotels often offer voice mail messages for their guests. These systems require no passwords to gain access and should never be used for sensitive information. Author Michael Stedman reports that when he wanted to interview Robert Gates, the former director of the CIA, he called the hotel where Gates was staying and was given a room number. Stedman said he was astonished when he punched the room number into the phone and suddenly found himself listening to Gates's messages that had been left on the hotel's voice mail service.
To prevent this kind of espionage, instruct staff, family, and friends never to leave anything but routine messages on voice mail. Tell them only to leave return numbers, or better yet, use a beeper or pager. Make sure voice mail is cleaned out daily.
Computer Systems
Passwords are the most common defense against computer intrusion, but to be effective, there must be good control procedures. Passwords should be as complex as the user can memorize, but never less than six random alphanumeric characters. The company must change passwords regularly and close them out as soon as an employee leaves the organization. Management should train employees to log off terminals before leaving them unattended. The company can also install an automatic log-off program whereby a terminal that isn't in use for a certain number of minutes will be automatically logged off.
A secure encryption device can be employed to protect confidential files, especially when transmitting them by modem. Encryption techniques found in popular software packages available at the local computer store are probably not secure enough. These programs are in wide use and are usually no match for a sophisticated hacker. If files aren't encrypted, they may be vulnerable to anyone with access to your computer. Consider the following example:
The editors of WINDOWS Magazine uncovered a potential flaw in the Exchange program, which is included in the Windows 95 package. Exchange is a program that allows users to handle all of their e-mail, faxes, and MS-mail through one program. Editorial director Fred Langa reports that when Windows 95 users convert their old e-mails to the Exchange format, they are fooled into thinking that Exchange will use their old password to protect their new e-mail. Unfortunately, that doesn't happen. Under the default settings, anyone can walk up to your computer, click on the Exchange icon, and read all of your messages and faxes. No password is required. To protect your files, you must go into the program and change the default settings manually.
A company should also consider the use of virus scanning software. One of the best safeguards against viruses or any other kind of data loss is to have a secure backup procedure.
Many companies haven't yet figured out what to do with the electronic data stored in their systems. While some form of paperwork filing or shredding system may be in place, often electronic information is organized according to each user's personal system and deleted only when the individual chooses to do so. Even when files are deleted, savvy computer experts can often re-create the erased material. This means that everything sent through the computer from a birthday greeting to a "smoking gun" document is being preserved.
This is potentially crippling in the event of a lawsuit. Lawyers are becoming aware of the storage of data and are requesting electronic evidence in many cases. Lawyers, poring through backups of documents long thought deleted, find incriminating memos such as "I know this may be illegal, but do it anyway," or "Please destroy this evidence." Often such documents result in the case being settled for more than it may really be worth because the company doesn't want to run the risk that such documents will inflame the jury into awarding large punitive damages.
Companies should institute procedures for deciding what should be kept and what shouldn't. Also, backup files should be kept under lock and key. One 8mm tape can hold as much as 1,500 banker's boxes of information. Anyone can grab such a tape and easily sneak it out of the building.
Faxing Documents
Sensitive documents shouldn't be sent through a fax machine unless both machines are equipped with high-level encryption devices. Some fax machines have storage and retrieval systems similar to those on voice mail systems. From a remote number, you enter a PIN number and stored faxes can be sent to another machine. This allows a competitor to be able to retrieve those faxes as well.
Video Encryption
Teleconferencing is growing in popularity. Unfortunately, satellite teleconferencing signals can be received by millions of home satellite dish owners, some of whom have deliberately tuned in to find out things they shouldn't. Teleconferencing should only be used when there is an encryption system in place that will fully scramble both the video and audio signals.
Corporate Telephone Exchanges
Private branch exchanges (PBXs) are located in a company's telephone closet where wires, mounted neatly and predictably upon row after row, lead to corporate executives' offices and other areas of interest to competitors. These rooms should be, but seldom are, locked and physically secured. People with tool belts go in and out with little notice from anyone. Keeping the eavesdropper out is easier than trying to detect his handiwork.
Case Example
A surveillance team found that an executive's phone line had been tampered with. They installed a motion detector in the telephone closet. The alarm sent report-only signals to an alarm central station. After two weeks, the central station's records revealed a pattern of early morning visits to the closet on Mondays and Thursdays. Surveillance was set up and the eavesdropper was caught.
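The pattern in this case example, repeated off-hours visits on the same weekdays, can be pulled out of a central station's event records mechanically. The following Python is an added example, not part of the manual; the log line format, zone names, business hours and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]

# Constructed sample: two weeks of report-only events as "<ISO timestamp> <zone>".
SAMPLE_EVENTS = [
    "2024-01-01T05:12:00 CLOSET-MOTION",   # Monday, before business hours
    "2024-01-02T10:15:00 CLOSET-MOTION",   # Tuesday, escorted daytime work
    "2024-01-03T05:05:00 LOBBY-DOOR",      # different zone, ignored
    "2024-01-04T05:47:00 CLOSET-MOTION",   # Thursday, before business hours
    "2024-01-06T23:10:00 CLOSET-MOTION",   # Saturday night, one-off
    "2024-01-08T05:20:00 CLOSET-MOTION",   # Monday again
    "2024-01-09T14:30:00 CLOSET-MOTION",   # Tuesday, daytime
    "2024-01-11T05:31:00 CLOSET-MOTION",   # Thursday again
]


def parse_events(lines, zone="CLOSET-MOTION"):
    """Return the timestamps of events reported by one alarm zone."""
    stamps = []
    for line in lines:
        stamp, _, name = line.strip().partition(" ")
        if name == zone:
            stamps.append(datetime.fromisoformat(stamp))
    return stamps


def recurring_slots(timestamps, min_weeks=2, work_hours=range(7, 19)):
    """Find (weekday, hour) slots with off-hours activity in several weeks.

    Weekday events inside work_hours are treated as expected activity.
    A slot is reported when it appears in at least min_weeks distinct
    calendar weeks, which separates a routine from a one-off alarm.
    """
    weeks_by_slot = defaultdict(set)
    for ts in timestamps:
        if ts.weekday() < 5 and ts.hour in work_hours:
            continue
        iso_year, iso_week = ts.isocalendar()[:2]
        weeks_by_slot[(ts.weekday(), ts.hour)].add((iso_year, iso_week))
    hits = [(day, hour, len(weeks))
            for (day, hour), weeks in weeks_by_slot.items()
            if len(weeks) >= min_weeks]
    return [(DAYS[day], hour, count) for day, hour, count in sorted(hits)]


if __name__ == "__main__":
    for day, hour, count in recurring_slots(parse_events(SAMPLE_EVENTS)):
        print(f"{day} {hour:02d}:00-{hour:02d}:59 seen in {count} weeks")
```

Slots that recur are the times to schedule physical surveillance, as the team in the example did.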
Another good idea is to have an escort for anyone entering the area. The identity of the worker should also be verified.
Computer-driven PBXs or switches present numerous opportunities for eavesdropping. Using an on-site or off-site control terminal, the information thief can hide invisible wiretaps among millions of software instruction codes. The hidden codes, for example, could cause a second phone line to connect to a target phone line and terminate into a hidden tape recorder.
An appropriately trained investigator should regularly print out the user configuration instructions. Paying particular attention to those extensions, which are likely to be of interest to eavesdroppers, the investigator can look for modified instruction codes.
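When the switch's user configuration can be saved as text, the review described above becomes a comparison of the current printout against a trusted baseline. The following Python is an added example, not part of the manual; the key=value printout format, the field names (bridge, forward, monitor) and the extension numbers are constructed for illustration and do not match any particular PBX.

```python
# Fields that can connect one line to another (hypothetical names).
LINK_FIELDS = ("bridge", "forward", "monitor")

# Constructed baseline printout, taken when the switch was known to be clean.
BASELINE = """
ext=4101 name=CEO   bridge=- forward=-    monitor=-
ext=4102 name=CFO   bridge=- forward=-    monitor=-
ext=4250 name=Lobby bridge=- forward=-    monitor=-
ext=4310 name=Sales bridge=- forward=4311 monitor=-
"""

# Constructed current printout from a later periodic review.
CURRENT = """
ext=4101 name=CEO   bridge=-    forward=-    monitor=-
ext=4102 name=CFO   bridge=-    forward=4999 monitor=-
ext=4250 name=Lobby bridge=-    forward=-    monitor=-
ext=4310 name=Sales bridge=-    forward=4312 monitor=-
ext=4999 name=Spare bridge=4101 forward=-    monitor=-
"""


def parse_printout(text):
    """Parse 'key=value' lines into {extension: {field: value}}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # allow trailing comments
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        ext = fields.pop("ext", None)
        if ext:
            table[ext] = fields
    return table


def audit(baseline_text, current_text, watched):
    """Return (ext, field, before, after) for changes worth investigating.

    A change is reported when it is on a watched extension, or when any
    extension (including one that did not exist in the baseline) now
    links itself to a watched extension through a LINK_FIELDS setting.
    """
    base = parse_printout(baseline_text)
    cur = parse_printout(current_text)
    findings = []
    for ext in sorted(set(base) | set(cur)):
        old, new = base.get(ext, {}), cur.get(ext, {})
        for field in sorted(set(old) | set(new)):
            before, after = old.get(field, "-"), new.get(field, "-")
            if before == after:
                continue
            targets_watched = field in LINK_FIELDS and after in watched
            if ext in watched or targets_watched:
                findings.append((ext, field, before, after))
    return findings


if __name__ == "__main__":
    for ext, field, before, after in audit(BASELINE, CURRENT, {"4101", "4102"}):
        print(f"ext {ext}: {field} changed from {before} to {after}")
```

The routine change on extension 4310 is not reported, while the new extension bridged onto a watched line and the altered forwarding on a watched line both are.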
Trade Shows and Public Events
Sales materials, trade show exhibits, and the text of speeches should be carefully reviewed for information that a competitor might find useful. Employees should be instructed not to say anything to anyone that they wouldn't say directly to a competitor. During shows, employees shouldn't leave demonstration materials or sensitive documents unattended. New design models have been stolen during transport in or out of a show.
Foreign Travel
Corporate executives traveling out of the country should be especially cautious. Many foreign governments are unleashing huge and sophisticated intelligence gathering operations. The executive should use encryption systems on all voice, fax, or modem transmissions. He or she should also assume that their room is bugged and act accordingly.
Technical Surveillance Countermeasures Survey
TSCM surveys can help companies concentrate on areas in which a company is vulnerable to spies and pinpoint what can be done to secure the company's information and trade secrets. TSCM teams survey the company's offices (including boardrooms, executive offices, etc.) and the homes of executive and senior-level personnel.
The primary purposes of the TSCM survey are to locate and neutralize any electronic surveillance devices and to identify areas of weakness in security.
TSCM professionals should be competent in electronics, and have extensive knowledge of design, engineering, and maintenance. They must also be trained in eavesdropping techniques, practiced in radio frequency (RF) allocation and propagation, and knowledgeable about all techniques of modulation, electrical wiring, and installation principles.
The TSCM survey includes an RF examination. All radio emanations will be analyzed to determine their sources. An electronically enhanced search will then be conducted to locate items or devices that weren't detected from the RF search. A physical examination will be performed to locate clandestine devices such as recorders, microphones, and transmitters. The team will also examine the phones and the phone lines to detect bugs.
Although such a survey can be expensive, if a company believes that it's the victim of corporate espionage, it may be the only way to help track down the source of the leak of information.
Preventing Employee Theft of Proprietary Information
A company can spend years developing a competitive advantage over its competitors. That advantage can be eliminated in an instant by an employee walking out the door.
When an employee leaves a company, there is usually little if any attention paid to where he goes. However, if a company begins to notice that a rival is suddenly taking away its business, it should sit up and take notice. Often employees leave one company for another, and take with them the knowledge of how that particular company operates its pricing policies, its manufacturing methods, its customers, and so on. When an employee shares what he has learned with a competitor, the competitive edge is lost.
Today's work force is extremely mobile. Employees rarely start with a company and stay until retirement. On top of that, companies are continually downsizing and laying off employees. In most cases, experienced employees have little choice but to go to work for a competitor or begin consulting in their fields. Cutbacks and firings do little to foster an attitude of loyalty among employees.
Employee Awareness
Employees must be educated on what information is proprietary. It's hard to protect something if no one knows what needs protecting. A secret formula may be easier to identify, but employees often aren't aware that subjects they may be discussing over lunch in a crowded restaurant are also trade secrets that would be invaluable to a competitor. It doesn't help that the courts and legal scholars can't decide on what constitutes proprietary information. Definitions of a trade secret depend on the organization and the industry. Examples of trade secrets include everything from notes in the margin of an employee manual to a procedure for tying a fishing lure. As many as 39 states have adopted some form of the Uniform Trade Secrets Act, but its interpretation varies from state to state and there isn't any comprehensive federal law to regulate what is protected. The act provides a civil cause of action to anyone who has been damaged by the misappropriation of a trade secret.
Generally, to establish a trade secret, a company has to show that the information isn't known in the industry, that the company has made efforts to keep it confidential, and that the information gives the company some sort of competitive edge. The fact that information is confidential doesn't make it a trade secret under the law. However, even though information may not be a "trade secret" as that term is defined under the statutes, it should be protected by employees. Again, the best test for deciding what is confidential information is to ask yourself if this information would provide an advantage to the competition.
Nondisclosure and Noncompetition Agreements
A nondisclosure agreement is a written agreement, which the employee should sign as soon as he or she starts work. It usually provides that all proprietary, confidential, or trade secret information the employee learns must be kept confidential and must not be disclosed to anyone.
In a noncompetition agreement the employee agrees not to work for competing companies within a certain period of time after leaving.
General Motors began requiring its senior-level executives to sign these agreements shortly after a well-publicized case against one of the company's former purchasing executives. GM accused the executive of taking millions of dollars worth of proprietary information to his new employer, Volkswagen. GM accused him of pushing up strategy meetings before he left so that he could gather even more data. The employee denied the charges. GM concluded after this happened that the use of noncompetition agreements could help prevent a similar occurrence.
However, the use of nondisclosure and noncompetition agreements isn't an overall solution. There are several legal problems with using these agreements. As mentioned earlier, there is no clear definition of what constitutes a trade secret. In some instances, it can be extremely difficult to determine what belongs to the company and what belongs to the employee.
Noncompetition agreements also have a variety of problems. First, courts in some states have held that such agreements are against "public policy" because they limit the future employment of a person; therefore, in these states noncompetition agreements are unenforceable. Other states uphold the agreements, but only if they are part of an otherwise valid employment agreement. In these states, the employment agreement and the noncompetition agreement must be signed at the same time or the noncompetition agreement is unenforceable. In addition, if the employee is an "at will" employee who isn't covered by an employment agreement, any noncompetition agreement signed by such an employee would be unenforceable.
Although nondisclosure and noncompetition agreements can be excellent tools for preventing the loss of confidential information to competitors, their use is limited, and legal counsel familiar with employment laws for the specific jurisdiction should be consulted.
Case Example
Diametrics Medical Inc., a Minneapolis-based medical equipment provider, was forced to abort a $30-million initial public offering after PPG Industries Inc. filed a lawsuit alleging theft of trade secrets and patent infringement. Diametrics denied the charges, but the accusations were enough to prevent the public offering from going through.
A company doesn't have to be actually aware that the employee is using proprietary information. There may be liability for "willful blindness," that is, company executives had reason to suspect that an employee could be using confidential information, but did nothing to investigate or prevent it.
Case Example
Novopharm Inc. was found guilty by a court in Vancouver, British Columbia, of stealing trade secrets from its rival Apotex Inc. Court documents state that a biochemist left Apotex and "secretly joined" Novopharm, bringing with him valuable trade secrets. Under the verdict, Novopharm must pay damages of more than $3.7 million. The judge found that the chief executive officer "closed his eyes to what was going on around him." The CEO denied the judge's characterization.
Human resources personnel should ask potential employees whether they're subject to any agreements which bar them from competing with any current or former employer. If the employee is subject to any such agreement, a copy of the agreement should be forwarded to the legal department before any hiring decision is made.
If a company seeks to use confidential information from former employees of competitors, then it may run a greater risk of losing its information to competitors in the long run. As discussed above, the most important element of any confidential information protection program is the cooperation of the employees. If the employees of a company see that management has a policy of pumping new hires for knowledge about competitors, it is unlikely that the employees will take pride or interest in protecting the company's trade secrets.