I am neither a political scientist nor a historian. However, I am conscious of some certain past events in human history which had political impacts and also influenced the course of history as we know it.
Some say such events occurred on the basis of social, political and historical backgrounds and factors, whilst others pointed out to the certain historical events that triggered in very odd and peculiar ways. We know them as “Espionage,” mostly with a covert, repulsive and hideous nature.
The Trojan Horse is perhaps one of the best narratives of espionage. It was an unprecedented military technique by the ancient Greeks. It enabled Greeks to take the heavily fortified city of Troy and sabotage their defense system. In terms of computer security, a digital trojan horse functions exactly as this historical example did.
The second example happened in the late 19th and early 20th century right before the start of the First World War. It began when some artillery designs in French military were compromised and given to the Germans. This came to the attention of some internal French military. Captain Alfred Dreyfus was named as the main suspect, and he spent five years in jail whilst the responsible individual lived free.
In today’s world, espionage is being tangled with some of the greatest achievements human being ever harnessed in the field of technology. Such achievements provided effective and efficient methods to enable very sophisticated espionage activities which we never imagined before. Having said that, the human factor always had a central role in such covert activities. This puts the Boards of so many businesses in an uneasy situation. Corporations have trade secrets, patents and intellectual properties which give them a competitive advantage on the world stage. Corporations must protect their secrets and assets.
The recent alleged reports by the Bloomberg that China used a tiny chip to infiltrate U.S. companies sent shivers down the spine of the Boards of many multinational corporations. The news such as this one reminds us that corporate espionage is very much alive.
Organizations should establish positions on crisis management and/or corporate espionage with a contingency plan that can support the efforts to mitigate risks and minimize negative impacts of espionage. And if they already have such positions and plans, then they should look into improving and aligning them with the current threat landscape. All of this requires a diligent and careful approach. Corporations need to realize that whilst information assets are today’s reality, espionage concerns the whole enterprise and its supply chain.
Countering espionage requires not only a holistic approach but an inclusive one. In addition, it entails extensive and close internal and external collaboration, communication, partnership and consistency with public and private organizations.
How to Respond?
A risk-based approach can help organizations tackle corporate espionage. Enterprise security governance is the best place to start, as it provides a baseline of accountability in the framework of a corporation. This must be followed by the creation of the context of the organization and the scope of the operations that might be under threat from espionage.
The inventory of assets and classification is the next important step. In corporate espionage, the targeted assets are mainly intellectual property, trade secrets, patents, business data, manufacturing data and others. For the purpose of identification and classification of those data, all business units in an enterprise need to work collaboratively and closely to focus on the most critical assets.
Next up is the identification of vulnerabilities which are correlated with the assets in scope and context. This is followed by identifying possible threats and threat agents which are capable of exploiting the vulnerabilities. The current threats and their agents in the field of corporate espionage are mainly state sponsor players and large organizations. Having said that, there are corporations who try to break into their competitors’ systems and applications. In both cases, the intents and capabilities of the threats and their consequences should be evaluated on a proactive basis with the adequate reporting process to the senior management team.
Because of the nature of the threats, in many cases corporations should consider working closely with governments and in some cases international bodies and agencies such as Interpol. The threat identification process in the case of corporate espionage is not as complex as other major threats if the organizations work closely with the mentioned players and stakeholders.
The process of rating risks, prioritization and remediation can follow afterwards. In order to fulfill this, organizations should evaluate and test their risk appetite and risk capacity. The process contains the risk identification, risk analysis and risk evaluation that requires regular improvements and update. The whole process should be regularly communicated to the interested parties in an enterprise but most importantly to senior management. The risk treatment plan cannot be an effective one in the absence of senior management. This is old school risk management that can be used proactively. It will produce results.
Corporate espionage is a clear and present danger to all companies. Businesses require a unified approach to address this potentially damaging threat. They should consider referring to something like ISO 31000 as the framework for this purpose.
About the Author: Reza Alavi is the managing director of Information Security Audit Control Consultancy (ISACC). He has been working in various business and IT management and consultancy positions for the last 27 years and is currently working as a cybersecurity consultant. He specializes in a wide range of consultancy services such as information security, risk management, business continuity, IT governance, cybersecurity and compliance. He assists his clients to become more effective and efficient typically through the strategic implementation of information systems, risk management, technology transformation, compliance and regulatory know-how and security governance.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.