Corporate espionage costs billions per year: Investigator

Dumpster dives, social engineering common tactics
By Amanda Silliker
Canadian HR Reporter | Last Updated: 01/10/2012

Corporate espionage is a common practice in Canada and it’s costing organizations billions of dollars per year, according to Ron Myles, a private investigator who was an officer with the Canadian Security and Intelligence Service (CSIS) for 13 years.

And many organizations are unaware of the potential risk they are facing.

“The business world, by and large, regards these problems as something that happens in the military world, looking for nuclear secrets, not in the world of private commerce,” said Sandy Boucher, a senior investigator at risk management firm Grant Thornton in Toronto. “More and more over the last decade, we’re seeing corporations are becoming a major target of all sorts of actors trying to steal anything they can get their hands on.”

Dumpster diving is one of the most common forms of corporate espionage, where individuals go through a competitor’s trash, said Myles, president of C.S.I. International Security Consultants in Montreal.

One of the most well-known cases of this was in 2001 when Procter & Gamble in the United States settled for US$10 million after being caught gathering piles of unshredded documents from competitor Unilever’s rubbish bins outside its offices.

Financial information is often found in dumpster dives since some companies don’t have shredders (or don’t use them properly) to discard documents, said Myles.

“A financial statement didn’t quite print properly so the bookkeeper throws the old copy in the trash… whoever is picking up that trash now knows to the penny what kind of money you have invested — they know everything about the company,” he said.

Social engineering is another common tactic used in corporate espionage. An individual starts frequenting common hangouts of a company’s employees and makes herself part of the regular crowd, said Myles. She develops a friendship with one or more employees and uses this to gain information about the company.

“They ask for a little favour and then another favour and it builds up from there,” he said. “As long as the person is inside your target company, he or she is a gold mine of information — they can tell you anything you want to know. The best spy you could possibly have is inside the company.”

Employees who are commonly targeted are those with addiction issues, such as drugs, alcohol or gambling, since they are the most interested in receiving compensation for their information, said Myles.

Another common form of corporate espionage is “honey traps,” where businessmen or women are lured into compromising situations, usually when overseas on a business trip, said Boucher.

In one situation, a man on a business trip went back to his hotel room to find two naked women in his bed. He had been warned about this kind of behaviour so he immediately called security, had them removed and didn’t have any problems, said Boucher.

“But if he had done it in a different way, there was a good chance he would have been recorded, videoed or photographed and that would have been used to blackmail him and force him to provide internal information from the company,” he said.

The billions of dollars lost is estimated from the direct cost of the intellectual property (IP) being stolen and the subsequent loss of potential profit, said Boucher.

However, there are also indirect costs, including the potential for damaged reputation and employee morale, which need to be taken into consideration.

“You may have to engage in PR, you may have to engage in legal counsel, you may have to do damage control, but the cascading effect on the people affected is something you’re not measuring and that’s something that’s very important,” said Rafael Etges, director of Telus Security Solutions in Toronto.

One of the most well-known Canadian cases of corporate espionage was between WestJet and Air Canada in 2006. WestJet was caught hacking into an Air Canada employee website to obtain confidential information and was required to pay $15.5 million to the competing airline.

Intellectual property of interest can be a plan, blueprint, methodology or something unique to the business itself that other people would have to spend a lot of time or money trying to create themselves, said Boucher.

“It’s probably the most valuable part of any company which is the knowledge and information required to do what they do,” he said. “It might be a software program, it might be a design for a piece of engineering equipment — it could be almost anything.”

To prevent corporate espionage, organizations should conduct a threat and risk assessment in which the company identifies which of its information is valuable and vulnerable, said Boucher.

It’s also helpful to understand who might want the information, so the organization will know who it needs to protect the information against and in what ways it should be protected, he said.

All that information should then be included in a security policy.

“A lot of companies have a little bit of security but it’s always the second or third job of somebody — he’s in charge of research and development and production but he’s also the security officer. He needs a comprehensive guide that says, ‘This is the policy for the company and this is what we’re going to do,’” said Myles.

Having a risk-aware work environment is very important in preventing corporate espionage, said Etges. Security should be discussed by senior executives and the education should cascade down throughout all levels.

“There’s one component that’s really related to the people part of the equation and culture, education, behaviour change… we are now all accountable,” he said.

Proper training is also important in trying to prevent corporate espionage. It should be customized to the individual, such as specific programs for executives and salespeople who are frequently on the road, said Etges.

“They need to get some recommendations on how to behave in an airport with a laptop, when it is OK to sit in a café and link onto the Wi-Fi and do business and when it’s not OK and what type of information to be careful with,” he said.

“They need to understand the value of information because sometimes staff, they mean well but they’re not educated so they might expose information without knowing the value of it.”
