Introduction

In today’s world, espionage is entangled with some of the greatest technological achievements humanity has ever harnessed. These achievements have provided effective and efficient methods that enable very sophisticated espionage activities which we never imagined before. Having said that, the human factor has always had a central role in such covert activities. This puts the boards of many businesses in an uneasy situation. Corporations have trade secrets, patents and intellectual property which give them a competitive advantage on the world stage. Corporations must protect their secrets and assets. The recent reports by Bloomberg alleging that China used a tiny chip to infiltrate U.S. companies sent shivers down the spines of the boards of many multinational corporations. News such as this reminds us that corporate espionage is very much alive.

Organizations should establish positions on crisis management and/or corporate espionage, with a contingency plan that can support efforts to mitigate risks and minimize the negative impacts of espionage. If they already have such positions and plans, they should look into improving them and aligning them with the current threat landscape. All of this requires a diligent and careful approach. Corporations need to realize that whilst information assets are today’s reality, espionage concerns the whole enterprise and its supply chain. Countering espionage requires not only a holistic approach but an inclusive one. In addition, it entails extensive and close internal and external collaboration, communication, partnership and consistency with public and private organizations.
How to Respond?

A risk-based approach can help organizations tackle corporate espionage. Enterprise security governance is the best place to start, as it provides a baseline of accountability in the framework of a corporation. This must be followed by establishing the context of the organization and the scope of the operations that might be under threat from espionage. The inventory and classification of assets is the next important step. In corporate espionage, the targeted assets are mainly intellectual property, trade secrets, patents, business data, manufacturing data and others. To identify and classify those data, all business units in an enterprise need to work collaboratively and closely to focus on the most critical assets.

Next up is the identification of vulnerabilities that are correlated with the assets in scope and context. This is followed by identifying possible threats and the threat agents that are capable of exploiting the vulnerabilities. The current threats and their agents in the field of corporate espionage are mainly state-sponsored players and large organizations. Having said that, there are corporations that try to break into their competitors’ systems and applications. In both cases, the intents and capabilities of the threats and their consequences should be evaluated on a proactive basis, with an adequate reporting process to the senior management team. Because of the nature of the threats, in many cases corporations should consider working closely with governments and, in some cases, international bodies and agencies such as Interpol. The threat identification process in the case of corporate espionage is not as complex as for other major threats if organizations work closely with the mentioned players and stakeholders.

The process of rating risks, prioritization and remediation can follow afterwards. In order to fulfill this, organizations should evaluate and test their risk appetite and risk capacity.
The process comprises risk identification, risk analysis and risk evaluation, and it requires regular improvement and updating. The whole process should be regularly communicated to the interested parties in an enterprise, but most importantly to senior management. The risk treatment plan cannot be an effective one in the absence of senior management. This is old-school risk management that can be used proactively. It will produce results.
Conclusion

Corporate espionage is a clear and present danger to all companies. Businesses require a unified approach to address this potentially damaging threat. They should consider referring to something like ISO 31000 as the framework for this purpose.