Protecting Against
Corporate Espionage

Anthony Dye

0:00:04 – 0:01:16

Welcome to NAVIGATE. My name is Anthony Dye. I’m the Corporate Team Leader here at World Travel Protection based out of Brisbane, Australia. Today we’ll be exploring the realm of corporate espionage. From James Bond to Jason Bourne, we’ve all been captivated by the action packed escapades of spies on the big screen. However, did you realise that real life corporate espionage is equally exciting and at times much more hazardous?

Modern corporate espionage involves activities such as hacking into a competitive database, using social engineering tactics to pilfer confidential data or simply sitting in a coffee shop and overhearing a conversation. With me today to delve into this topic is Paul Trotter.

Paul is a former intelligence operator with over 16 years experience in complex operating environment. Paul has a background in the Australian Defence Force and recently returned to Australia after providing security and intelligence support to diplomatic missions and oil and gas clients in hostile environments. Using his background and intelligence collection and assessment, Paul is based in Brisbane and supports a World Travel Protection global effort for direction, collection, and assessment of information used to inform our operations team and support our clients. How are you doing today, Paul?

Paul Trotter

0:01:16 – 0:01:17

Anthony Dye

0:01:17 – 0:01:19

Paul Trotter

0:01:19 – 0:02:13

It’s a complex subject. But essentially, corporate espionage is the act of gaining a competitive advantage over a rival organisation, typically through a covert act or a clandestine act. So this can include things like surveillance, physical infiltration, it could be coercing an employee or bribing an employee, or the ones that we often think about things like cyber activities and hacking.

But there’s also the risk associated with things like disgruntled employees or negligent employees, both of which we would call a trusted Insider. And it’s important to know that it’s not just limited to corporate entities. Government sponsored corporate espionage does occur in many countries. Whilst this is often linked to defence corporations, government sponsored activity could target just about any industry, whether it’s to gain access to something like a technological advancement for their own country, or to apply economic stress to a rival country as well.

Anthony Dye

0:02:13 – 0:02:19

Paul Trotter

0:02:19 – 0:03:26

Sure, it’s difficult to give an actual metric on how prevalent it actually is just because it’s either often undetected, or it goes unreported as well. I guess you can imagine, if you were an organisation that was targeted in a way that resulted in a significant breach, whether it was significant in the size of material that was taken or significant in sort of impact, it doesn’t really benefit you to make it widely known that you’ve been targeted, given the potential damage to things like your reputation, and then subsequent flow on things like your share price or the like.

It’s definitely a significant problem, though, particularly in sectors that place a significant value on their intellectual property. So when I say that I mean, organisations that focus on things like technology and defence, but also things like pharmaceuticals. Before the podcast, they actually had a quick look into the actual impacts from a financial sense. And it turns out that a recent study commissioned by the US Center for Strategic and International Studies estimates now that corporate espionage costs about one to $300 billion every year, just amongst US companies. So it’s obviously quite a significant impact.

Anthony Dye

0:03:26 – 0:03:36

Paul Trotter

0:03:37 – 0:04:52

One of the major things to consider is that we live in an increasingly digital world, which combined with the globalisation of business, it makes it significantly easier for organisations to target each other. Essentially, now we’re sort of faced with a problem where information can be collected remotely and across borders, and which makes the detection and prevention of corporate espionage even more difficult than it previously was.

Obviously, things like the cyber attacks and hacking is something that’s always been able to do this. But there’s an increase in things like social engineering in the life being conducted online versus face to face. And then obviously, in the wake of the pandemic, we’re increasingly more remote in our business.

And all these sort of things are combined to create a situation where there’s so much exposure for businesses now everything’s dislocated. And as a result, there’s an increased risk, both in terms of that negligent insider or that disgruntled insider to have access to information without appropriate monitoring. And then at the same time, there’s an increased ability of threat actors to be able to target information target individuals that aren’t going to be protected in the way that they would be if the business was more centralised and information and data and everything else was co-located in one single facility office.

Anthony Dye

0:04:52 – 0:05:04

Paul Trotter

0:05:04 – 0:06:13

So the one that people focus on a lot is obviously cyber attacks and hacking, as we’ve already sort of discussed. But there’s also threats from things like social engineering, or physical infiltration, eavesdropping, bribery, and targeted recruitment of insiders as well. In the more sophisticated attacks, perpetrators will often use multiple techniques or tactics to gain access to whatever information or data they’re trying to access, particularly if it’s part of a major project or a much broader project.

So you can imagine if you’re trying to steal information about a new type of car, one person or one department might have information about the wheels, whereas another department, another person may be able to access information about the engine.

And at the same time, as we become more aware, or more consistent in our approach to mitigating corporate espionage and the risks associated with it, we also create the situation for attackers where they have to be more skilled and more capable of gaining access to information and actually defining their tactics and how they’re going to proceed with this before they ever start. Whereas previously, it might have been a much more ad hoc approach, particularly on those larger scale projects.

Anthony Dye

0:06:14 – 0:06:28

Paul Trotter

0:06:28 – 0:08:34

So the first thing and the most obvious one at the same time is having robust security policies in place. These are essential in protecting sensitive information and your staff as well, both from being targeted, and from the fallout of any corporate espionage attack. There should also be clear guidelines on how to handle and hold sensitive material, how security breaches are detected, and how we respond to them. And then clear reporting mechanisms as well, both for staff in terms of how they report, if they believe there’s been a breach, how they report if they believe they’ve been targeted.

And then for the company themselves, as well. They also have legal obligations to report things if they’re a listed company, they have to report things to partners and shareholders and those kinds of things. Access Controls, which form a key part of the security planning are also essential, particularly in terms of the physical theft, but also more and more and increasingly within the cybersecurity space as well. If there’s no need for an individual to actually access that information, or access that material, then they don’t need to access it.

So limiting that access to information and that data to those who actually require it for their work actually goes a long way in preventing potential trusted insider attack. Maintaining these processes and not letting them slip is also the key part to all this. So many times laziness, or this perception that doubt necessary, particularly, you know, we protect against this kind of attack, we’ve never seen it before, therefore, the attack is unlikely to happen. It’s obviously flawed logic in the sense that if the process is working, it prevents the attack. But having that attitude, and this inherent laziness really has resulted in a lot of organisations falling foul of not having the appropriate processes or controls in place, or having them in place and having people not adhere to them, which obviously leaves them in a vulnerable situation.

So having that understanding of what the process is, having that repeated reminder of what the processes are, how we protect against it, why we’re doing it under the digital techniques, and then obviously having also continuous training, you know, whether that’s an annual thing that the organisation does on both identify potential breaches and how to report them as well, and how to mitigate those risks is essential.

Anthony Dye

0:08:35 – 0:08:48

Paul Trotter

0:08:48 – 0:09:59

It’s one of those things where you sort of got to look at all the different costs associated with it. So obviously, there’s always going to be a financial cost. As we discussed, you know, US companies alone are looking at 100 to $300 billion annually in cost there. But outside of that financial cost, we’re talking reputation, if my company is breached, is any range of clients going to want to work with me in the future. Our partner companies can work with me in the future, how do my shareholders do it?

There’s sort of that ongoing flow from financial reputation and then physical as well, potentially, you’ve got staff now that don’t feel comfortable in the workplace, either, because there’s been someone that’s been gaining legal access within the building. So there’s that physical concern, but then they have to think about their reputation as well. If you’re a professional at the top of your game, do you want to be working with a company that’s known for these data breaches, or known for being a repeat victim of corporate espionage?

So realistically, whilst you may lose man hours and those kind of things to training and drills and everything else, are you really in a position where you can do this training or not do this rehearsal stuff on the off chance that you are targeted by a corporate espionage attack?

Anthony Dye

0:09:59 – 0:10:25

Paul Trotter

0:10:26 – 0:12:15

At its heart, social engineering is essentially the act of manipulating or deceiving someone primarily with the goal of getting them to divulge information or carrying out an activity that they otherwise wouldn’t have normally done. It’s something that you might have seen examples of people getting caught out on the phone or by email.

The common scams, the Nigerian prince scam is a perfect example of that social engineering, albeit at a very non technical level, it’s still attempting to manipulate that person, in this case financially. But we’ve seen things like love rats, which are essentially a person trying to pull on the heartstrings of lonely people, even down to sort of the more business oriented side, which is obviously a lot more common within corporate espionage, where people are posing as IT tech support and saying, I just need your password.

Obviously, we know to not give our password to people, it’s a fairly accepted rule that you don’t hand out your passwords to other people that you hear about all the time where someone got in because someone so gave them their password. It’s not that outlandish to believe that either negligence, laziness or just willful disobedience can contribute to these kinds of data spills and social engineering capitalises on those attitudes. And either their failure to adhere, or the miscommunication or misunderstanding of what they actually need to be doing in these processes.

Obviously, this can also get a lot more sophisticated, and also involve things like a direct personal approach. But that’s something that’s more geared around a sophisticated attack, which has a long lead time, involving studying the target individuals identifying ways to connect with them. And it’s something that realistically, you’re not looking at just an opportunistic attacker. At that point, you’re looking down the lines of more of a professional intelligence collection activity there.

Anthony Dye

0:12:15 – 0:12:21

Paul Trotter

0:12:21 – 0:14:18

There’s a couple of steps that companies can take obviously, the first one is that they need to secure the compromised information to prevent a further breach, or further access or distribution of that information or material, whether that involves changing passwords, further limited in the access and introducing enhanced security measures as well.

The next thing they do is investigate the breach. The company needs to understand what the actual scope of the breach is. And obviously they also need to understand the nature of the breach, whether it’s a cyber incident is going to be significantly different to a trusted insider, for example, notifying law enforcement is also essential as much as theorganisations to hide the harm to their reputation, everything else, particularly if there’s a criminal element, there needs to be law enforcement involvement. Obviously, corporate espionage as a whole is generally going to be criminal anyway, particularly if there’s something like physical theft. By involving law enforcement, these companies are able to leverage that expertise and that tracking skill, a lot better than if the company was to try and do that investigation on their own.

And then they also have the capability to properly identify the perpetrators and deter future attempts as well. Hand in hand with law enforcement is also legal action, which again, is another deterrent method. Whilst it’s not always possible, if potential attackers do see that you’re litigating against everyone who targets that, then it may deter those future attempts. The next one is reviewing and enhancing security measures. So we need to identify how this happened, how we can plug the holes, whether it’s through again, enhanced access control measures, increased monitoring, or even training staff and appropriate handling of sensitive material.

And then finally, communication. So we need to communicate with all stakeholders involved. They say that bad news doesn’t get better with age. And it’s especially true in these kinds of incidents, everyone, from employees through customers, partners, they’re all going to need to be aware of this breach, not only to maintain the trust and confidence within the organisation, but also because there may be subsequent flow on effects particularly for partner organisations and the like and affiliated companies in particular.

Anthony Dye

0:14:19 – 0:14:36

Paul Trotter

0:14:36 – 0:15:34

So there’s a couple of really good ones. In 2012, Samsung was forced to pay Apple $1 billion in damages after it was found that Samsung had copied confidential documents from Apple.

In 2017, we’ve seen another one where Google sued Uber because Uber capitalized on the theft of documents by a former employee, which are related to self driving cars, and that prompted a payment of several 100 million dollars.

Most recently, whilst it’s not a corporate example, we’ve just seen the arrest of a 21 year old National Guardsmen in the US who was accused of copying piles of top secret US government documents.

In all three of these cases, the central component is a failure of security protocols for one and the human involvement as well. We often see a focus on cyber attacks or hacking attacks as well. But the key step in most corporate espionage activities is the human error or the human factor, which many define as the weakest link in security.

Anthony Dye

0:15:34 – 0:15:46

Paul Trotter

0:15:47 – 0:17:08

Technology, the first one that everyone thinks about people talk about social media, which provides a treasure trove of information that can be used to target either an individual or a company. And it can be used for everything from clues to crack a password, you know, things like kids’ birthdays, first pet’s names, those kinds of things, through to mimicking the language that someone uses when they talk online, or providing ways in which that individual could be approached or solicited.

For example, if you’ve got, you know, your favourite band on your social media, and it’s an obscure band, and no one’s heard of, and someone’s suddenly coming up to you in a cafe in Paris, and they’re the world’s biggest fan of it, and they’ve got a t shirt and you know, you’re bonding over that kind of stuff. You’ve presented that information in a way that is easily accessible, and easily used for targeting through a variety of avenues there.

When we talk about technology, in general, though, people have a tendency to just automatically trust that technology is going to keep them safe, you know, the various security protocols that come within the phone, or the laptop, or whatever it happens to be. And people have a tendency to store information on that phone or on that laptop, which can be accessed either physically or remotely.

And then the flip side of that they don’t consider the implications of how that technology intersects with something like physical surveillance. So working on a document or cafe or having a phone conversation on the train also provide opportunities to collect against a target.

Anthony Dye

0:17:08 – 0:17:35

Personally, I’ve been diving into Chat GPT, Jasper AI, those types of new tech that’s been coming out. It’s fascinating and incredible to see what these tools are capable of and the direction that we’re heading in utilising these tools and programs.

How do these emerging technologies though? So things like artificial intelligence, Blockchain tech, how does it impact corporate espionage? What new challenges do they pose for companies that are trying to protect themselves?

Paul Trotter

0:17:36 – 0:19:07

The difficulty with emerging technology is that we often don’t know the full security risks posed by these technologies until a breach happens, essentially, we don’t know what we don’t want it. Already, though, we’re already starting to see issues arising with chat GPT, for example, where company’s proprietary or sensitive data is being input by their staff, and then being accessed nefariously by others, either to prove the point that it’s not safe, or actively trying to collect that information.

And the flip side of that is, even if people are publicising this in a way to highlight to people that it is at risk, there hasn’t been any steps to mitigate the risk from the Chat GPT side. So you know, it’s just out there that you can access this information by following the following steps, essentially creating how to guides for nefarious actors, there’s a major push amongst many industries to utilise these AI platforms, particularly things like enhancing productivity and efficiency.

But we aren’t fully aware of how these platforms can be used negatively yet. So if you think about enhancing productivity from a management perspective, you might be putting in employees’ names, details, and those kinds of things. If we can pull that information later, I’ve now got a list of people that I can use to target within the company as a whole at very best case scenario. Very worst case scenario, I know what projects are people are working on, I know exactly what kinds of things are doing there and what level of access they have. All because you’ve just put it into chat GPT and you’ve made it open source for me.

Anthony Dye

0:19:07 – 0:19:20

Paul Trotter

0:19:20 – 0:19:21

Anthony Dye

0:19:23 – 0:0:19:34

Paul Trotter

0:19:35 – 0:21:31

It really depends on the specific situation itself. So the investigation, for example, it needs to be sensitive and quiet is sort of a key mandate to all these kind of investigations, particularly because we do want to avoid tipping off anyone that’s involved. Because that’s key in how we identify not only who was involved but how they gained access, what specifically was taken and how they took it as well.

There also needs to be a level of maturity to covering up mistakes or failures leads to the resultant updated security plans not being robust enough to mitigate future risks, just as it fails to highlight new or emerging threats as well. So if you think about Joe Bloggs has failed in his duty as a manager to ensure that everyone is signing out documents every day that they’re controlling documents in an appropriate way. He doesn’t want to lose his job. So he’s going to potentially lie about what we’re trying to cover up or reduce his involvement in that point of failure.

But having that maturity and actually saying this was one of the things that I failed to do. and as a result, this happened, helps to identify those root causes and helps to identify those almost paths, if you will, of how that corporate espionage attack played out.

At the end of the day, though, corporate espionage is very different to something like an employee taking an extra long lunch break or something. So it’s not something that HR or management can investigate themselves. It’s something that they need to have professional input on. And the findings of that investigation then need to drive updates to their risk assessments and security policies as well.

And again, it’s something that a security professional or counterintelligence professional is best suited to be able to do. And it’s not so much about hanging out the individual or individuals that are involved in it so much as it is protecting the business further down the line, and preventing this from happening both to yourself and then to obviously others as well by removing this threat from the board.

Anthony Dye

0:21:31 – 0:21:44

Paul Trotter

0:21:45 – 0:22:31

As I said, applying the findings, diversification into an appropriate mitigation response, and also the defences used to protect against future breaches is key to that effective investigation. If that investigation response isn’t targeted and appropriate to the incident, then at worst, you’re going to see future incidents occurring. At best, the poor handling or poor response can lead to just as much reputational harm as the initial breach itself.

I’m sure you’ve seen a number of companies that have handled a data breach or have data spilled poorly. And as a result, it’s damaged their reputation more so than the initial breach actually did that by applying appropriate security risk management counter-intelligence methodology, or by engaging a professional service to do so companies degrade those unintended or second order impacts.

Anthony Dye

0:22:32 – 0:22:43

Paul Trotter

0:22:44 – 0:24:10

The first and foremost, one is always going to be to adhere to their organisation’s security policies and protocols. If you don’t act outside those policies, then it becomes very hard for a perpetrator to actually gain information from you or to get you to do something for them.

The next one is to be sceptical. So be suspicious of unsolicited messages or calls, particularly if they’re asking for sensitive information. And a good example of how to respond to this is if you’ve ever received a call from your bank asking for information, want to ask them for a reference number or contact person, hang up and call them back on a phone number that you know is that bank. By doing that you’ve just interrupted any potential adversaries ability to gain that information from the because you’re now contacting the bank. And we’ll both identify that, hey, that was a potential breach, or it wasn’t. But we’ve got that policy and process in place that once we receive this request for information, we act in this way, which prevents any potential data spill, leak, breach whatever it happens to be.

The other one is social media, which is always going to be a major consideration that many people don’t take into account. So people should be aware of what they’re posting on social media and what personal information is available about them. It may not actually be sensitive information, but it may be something that could be used as a convincer. So a new person in your life that suddenly seems to share all the same interests and hobbies as you or it may provide them with information as we discussed about how to crack your password with the child’s birthday, your pet names, etc.

Anthony Dye

0:24:11 – 0:24:22

Paul Trotter

0:24:23 – 0:25:04

So all those previous corporate espionage tactics are scalable, and as I said, they’ll often be used together rather than as a standalone technique or tool. When these types of activities get more complex, however, we start to see alternative types of targets.

So for example, someone seeking to gain advantage may not be able to access information directly from the source, but a supplier a vendor, they may be the weak link in the chain, and that gets targeted instead. We define threat as the sum of capability and intent. So when there’s a high capability, such as required to carry out those more sophisticated operations, our threat naturally increases as well. All whilst our ability to actually detect that threat decreases.

Anthony Dye

0:25:06 – 0:25:12

Paul Trotter

0:25:13 – 0:26:13

Anthony Dye

0:26:14 – 0:26:42