Industrial and corporate espionage is not a new problem. Theft of intellectual property by corporate competitors and hostile foreign governments has gone on for centuries. However, the methodologies have advanced to leverage the most effective means of IP theft today. Gone are the days of dumpster diving for discarded documents and inserting moles into the target workforce. Today, most IP theft and other corporate espionage is perpetrated via social engineering attack vectors. And those vectors are made possible by the absence of effective external data privacy policies on the part of targeted organizations. In this Privacy Bee White Paper, we’ll be examining contemporary industrial and corporate espionage threats and exploring ways to prevent organizations from being victimized.
The Current State of Corporate Espionage
TechTarget defines industrial espionage (or corporate espionage) as “the covert, and sometimes illegal, practice of investigating competitors to gain a business advantage. The target of an investigation might be a trade secret, such as a proprietary product specification or formula, or information about business plans. In many cases, industrial spies are simply seeking data their organization can exploit to its advantage.”
Organizations in highly competitive industries – often those focused on rapidly advancing technologies such as biomedicine, life sciences, pharmaceuticals, military technologies, avionics, semiconductors/chip makers and others – are prime targets for IP theft. Due to the labor and cost intensive aspects of research and development, industrial secrets pertaining to breakthrough technologies, or those of strategic geopolitical value, are worth great sums to unscrupulous organizations and foreign intelligence services.
It is easier and far cheaper to steal the newest innovation than it is to develop a new medicine or medical device. This is why the industries favored as targets for corporate espionage/industrial espionage already spend significant sums to protect against unauthorized access to their physical locations as well as the critical data stored on site and/or in the cloud.
In 2016 Harvard Business Review interviewed Stockholm School of Economics assistant professor, Erik Meyersson and Albrecht Glitz, an associate professor at Pompeu Fabra University. The pair of professors had been doing deep research dives into the historical archives of the “Stasi”. The Stasi was the East German Ministry for State Security during the height of the Cold War. Even in the middle of the 20th Century, Stasi spies were aware that corporate spying is easier, quicker and far more cost effective than R&D.
More recently, in July 2022, the BBC reported that FBI director Christopher Wray briefed a group of business leaders and academics gathered in London. In this briefing Wray shared evidence of concerted efforts on the part of Chinese tech and manufacturing organizations to “ransack” the intellectual property of Western companies in pursuit of accelerating China’s industrial development, the goal being to ultimately dominate key industries in global markets. Wray shared that Chinese concerns were infiltrating companies of all sizes, “from big cities to small towns – from Fortune 100s to start-ups, folks that focus on everything from aviation, to AI, to pharma”.
Industrial espionage is not confined to corporate and commercial concerns either. The same type of IP theft goes on in what one might consider a more traditional “spy-vs-spy” fashion. Foreign governments – some hostile to western interests and others simply competing for global economic hegemony – routinely engage in less-than-ethical activities designed to steal IP for a host of reasons.
Consider the current US Congressional hearings and associated efforts to ban the popular video-sharing web application “TikTok” in the United States. Those in favor of such a ban point to Chinese government ownership of the company and suggest that the Chinese Communist Party can and does illegally access the personal data of tens of millions of American citizens who use the app. They argue that the data harvested by the CCP is being used to influence voters and voting patterns and to exert a foreign influence on the political processes of the United States. Others point to the app’s potential to expand corporate espionage activities too. Later in the paper, we’ll explain why such a ban, while perhaps well intentioned, would do little to actually neutralize this legitimate threat.
Nevertheless, the problem of foreign interference and espionage has been a priority of the US Department of Justice for decades. As far back as this article from the DOJ in 2001, authorities had begun reviewing foreign intelligence services as a threat to business, and identifying the need for intelligence in the United States to stay one step ahead of the competition.
The DOJ article writes, “In today’s world where business contracts are awarded with a “winner take all” mentality, some domestic companies and foreign corporations alike will go to any measure, including criminal activity, to ensure that they are awarded the contract.”
Attempts to prevent industrial espionage threats emanating from China have not been at all successful. In 2015 the US and China struck a deal in which both sides pledged not to carry out “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”. According to the foreign policy news outlet ForeignPolicy.com, the hacking deal inked between the US and China is widely regarded as a “joke”. Within one year of being ratified, the US National Security Agency was sure Chinese organizations, with the backing and blessing of the Chinese government, had already violated the agreement. The overall impact of the agreement has been characterized as minimal. Experts noted that Chinese cyber-espionage in the US continues to be pervasive, stretching from academic labs across every aspect of Western business, and blame poor enforcement for this reality.
The US government is behind the curve on stanching the outflow of American IP via IP theft by foreign actors. This can be attributed to both the rapid evolution of attack vectors as well as outdated policy priorities. Following the terror attacks of 9/11, the US intelligence apparatus was focused almost entirely on counter-terrorism efforts. Spy chiefs took their lead from the agenda set by political leaders in DC. The strategic priority of combating Islamic terrorism overruled the focus on growing threats from hostile governments in Russia and China.
Over the same two decades, as the growth of the internet and the profusion of online economic activity emerged, vast volumes of personal data have been and continue to be collected. Thousands of identifying information points exist for nearly every person on the planet. All this personally identifiable information or “PII” is available for low-cost purchase via the multi-billion-dollar data brokerage industry, scores of people search sites, and even for free via search engines and unsecured social media profiles. Ready availability of PII has been a boon to cyber criminals and other bad actors who utilize this easily accessed PII to mount cyber attacks on large corporations and governments. Social engineering attacks including phishing/spear phishing, smishing (SMS phishing), domain impersonation, ransomware, DDoS (distributed denial of service) and a host of other variants are presently the chief vector for corporate espionage, industrial espionage, IP theft and political espionage.
Unscrupulous business competitors are employing these techniques – made more effective by the vast, unsecured volume of external data – to steal intellectual property and/or disadvantage their competition. In many cases, free agent hackers and cyber criminals are using social engineering to steal IP and then posting it for sale on the dark web.
In a recent example of the latter, the infosec and technology news leader BleepingComputer.com exposed a newly launched marketplace for purloined industrial IP. Called “Industrial Spy”, the new online marketplace run by cyber criminals offers information and data stolen from compromised organizations. The site actually advertises itself as a place companies can go to purchase their rivals’ data, gain access to classified trade information, financial information, manufacturing and technical diagrams, and client databases.
Below are several screen captures from Industrial Spy showing the data for sale, recently stolen from the data stores of a company in India. Listed in Industrial Spy’s “Premium” category, this data has a sticker price of $1.4 million to be paid in Bitcoin.
[Screen capture: Premium stolen data category]
The marketplace also offers individual data elements for sale so threat actors can purchase only the specific files they want. At the meager cost of $2 per file, Industrial Spy delivers stolen data to anyone with a few dollars in hand.
[Screen capture: Individual files for sale]
The unregulated market for data represents a clear and present danger to any organization seeking to protect its intellectual property. The data broker and people search industries are not held to any standards with regard to the origins of the data they collect and resell. While some of it may be attained through legitimate channels, much of it could be the product of illegal intrusions into secured databases. What’s more, these companies routinely sell vast tranches of data amongst themselves. Even worse, there is no regulation governing the level of security data brokers must maintain to protect the sensitive PII they keep in their inventories. As such, the broker companies themselves are often targeted by cyber criminals who view the brokers’ information security as less robust than that of large corporations and governmental agencies/bodies.
So, what is an organization to do to prevent data breaches and the theft of sensitive, expensive IP? Securing the external data of an entire, globally distributed corporation of many thousands of employees and an even greater number of vendors and partners with access to its information systems might seem like a futile pursuit. The answer must certainly involve neutralizing or otherwise securing the PII of all members of a workforce or government – regardless of the size of the organization or number of persons therein. It is a task that seems, on its face, insurmountable.
The size and scope of this challenge is only now coming into focus both for organizations and for individual consumers. Both groups are awakening to the threat of unsecured PII and to how allowing personal information to exist – unsecured in the wild – represents a vulnerability. As a result of this awakening, we see a growing, knee-jerk reaction from private enterprises as well as governmental authorities.
One such recent, high-profile reaction is the debate surrounding a US government proposal to ban the popular video-sharing web application “TikTok” in the United States. As referenced earlier, doing so would be completely ineffective at stemming the tide of IP theft and other abuses of unsecured PII. In a rare example of bipartisanship in the United States Congress, lawmakers on both sides of the ideological spectrum agree it is problematic to have tens of millions of American citizens voluntarily revealing personal data through their use of the TikTok app. They point to the fact that several other nations have already banned TikTok due to its vulnerability to abuse at the hands of the Chinese government. Time Magazine lays out the arguments Congress presents for banning TikTok.
Assuming for purposes of discussion the US were to ban TikTok, privacy experts within Privacy Bee suggest this action would have exceedingly minimal effect when it comes to interrupting the ability of cyber criminals to gain access to American industrial secrets or US government intelligence. Once legislators realize that a TikTok ban would not make a material difference in slowing the theft of PII, they’d be likely to expand the list of organizations to ban. This could have a chilling effect on individual liberties, free enterprise, and would not solve the underlying cause.
For the same reason, Privacy Bee casts doubt on the increasing number of retail banking companies offering new customers privacy services as a marketing device.
The Points Guy, a web-based news outlet covering consumer loyalty programs offered by credit card companies, hails the seemingly helpful efforts of credit card provider Discover. Discover is marketing “Privacy Protection”, delivered via a mobile app, to all consumers who hold Discover credit card accounts. Their marketing touts a service that regularly monitors the “10 common websites that collect and sell personal information online”. They list 10 well-known people search sites and pledge to scan them every 90 days, processing the “opt-outs” for any customers whose PII is found to be on those sites.
A nice gesture to be sure. However, just as banning one large social media application like TikTok is ineffective, so too is focusing on removing one’s PII from fewer than a dozen out of hundreds of people search sites. Because there are so many available outlets to find and purchase PII to use in social engineering attacks and IP theft, simply eliminating a handful of these does little to prevent bad actors from finding it elsewhere. So, the efforts are rendered meaningless.
The answer to the challenge must include removing PII from as many of these sources as possible. Of course, with new entrants appearing every month, there will never be a way to completely eradicate the PII of an entire large workforce from the internet. However, for this strategy to be effective, it must address the preponderance of known sources of PII for sale. Privacy Bee is the only data privacy solution that fully addresses the challenge across the vast majority of unsecured external data sources. Here’s how the solution works.
Enterprise organizations, corporations large and small, governmental agencies and any other organization seeking to protect against IP theft via social engineering attacks should invest in Privacy Bee for Business. The initial steps are actually accomplished at no cost to the organization.
Begin with a free Privacy Risk Assessment and an External Data Privacy Audit
The Privacy Risk Assessment (PRA) is roughly 75 questions and takes about an hour to complete. It explores how customer and employee data is managed by your organization, illuminating any unmitigated risk and opportunities for improvement. Once completed, the answers help derive your organization’s Privacy Risk Score.
Your PRA is tied to your company, and not to any 3rd party or customer. This means that, once completed, your organization’s PRA can be shown to customers, regulatory bodies or partners to demonstrate the relative strength of your information security as it pertains to external data management. Many organizations even proactively offer the completed annual Privacy Risk Assessment when responding to RFQs or RFPs, similarly to declaring certifications like SOC 2 or ISO 27001.
The Privacy Risk Assessment is usually completed by a CIO, CISO, or whomever manages Information Security within your organization. Support on how to answer certain questions is provided by Privacy Bee business privacy consultants who provide limited insight and guidance at no cost.
The External Data Privacy Audit is a free web-based privacy app enabling organizations to quickly and easily scan their employees, build an extensive audit identifying privacy exposures and vulnerabilities, then extrapolate financial impact across your company. It’s a critical view into risk assessment, operational inefficiency, emerging cyber risk, and External Data Privacy management.
The External Data Privacy Audit aims to power the business case by performing a quantitative analysis of all employees, modeling out opportunity and loss, and allowing accurate financial forecasts to be extrapolated. This impact assessment does all the hard work and lays an elegant foundation for a comprehensive Cost Benefit Analysis. (To learn more about the affordability and a sample cost benefit analysis, read the Privacy Bee White Paper titled Cost Benefit Analysis Proves the Necessity of Business Privacy Management.)
The EDPA is a unified employee audit, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). Gain a centralized view into public employee exposures, then overlay the tangible financial impact it has within your organization.
Continue By Cataloging the Risk Profiles of All Employees and Vendors
The next several steps are also 100% zero cost to an organization seeking to protect external data from being used in IP theft and other industrial espionage. The Employee Risk Management and Vendor Risk Management tools are offered at no cost.
Employee Risk Management (ERM) is a no-cost feature of the Privacy Bee for Business platform. Today’s social engineering trend is driven by highly personalized, PII-infused content. Cyber criminals use this data to make the target feel that the sender knows so much, they must be the trusted entity they’re impersonating, thereby bypassing scrutiny and gaining valuable access, information or IP.
Privacy Bee’s Employee Risk Management (ERM) solution provides visibility into your External Data Privacy risk. After loading and configuring all employees (usually via an exported CSV from HR software), Privacy Bee begins automatically scanning hundreds of external sources, searching for any exposed privacy risks on each person. Any discoveries will be flagged as an exposure and impact each employee’s individual aggregated Privacy Risk Score.
Gain a full, at a glance picture of the organization’s real-time cyber risk from external privacy exposures.
Vendor Risk Management (VRM) helps organizations close the security gaps in the social engineering attack surface by securing all links in the supply chain and all services vendors, all of whom typically have some access to the organization’s information systems.
Many data breaches are not caused by an attacker targeting an organization directly. Rather, they occur by slipping past the (often less sophisticated) defenses of the target organization’s vendors. For example, a follow-up social engineering attack against your employees, sent from within your vendor’s email accounts or phone system, is extremely difficult to defend against. Some of the biggest companies in the world have been breached as a direct result of their vendors having poor or unmanaged External Data Privacy. (Read more about this in the Privacy Bee white paper titled External Data Security and Vendor Risk.)
Procurement departments and sourcing teams are always looking for better visibility into vendor risks. Existing 3rd party vendor risk platforms are still valuable but dated. Privacy is emerging as the future of business and no other VRM tracks the External Data Privacy of your vendors like Privacy Bee. Real-time scans analyze vendor companies, their employees, attack vectors commonly exploited by bad actors, and any other privacy-centric path that attackers might use to compromise the vendor organization as they seek to compromise your defenses.
After a vendor is active in the system, Privacy Bee continues to monitor their risk score 24/7/365 and notifies you of any major change, such as a data breach, influx of high-risk contractors, or any other alarming event. Privacy Bee even works with vendors on your behalf, guiding them on ways to improve privacy practices and effectively de-risk both organizations via a safer supply chain.
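The ERM and VRM sections above describe the same loop: load a roster, match exposures found at external sources to people on it, roll the matches up into a per-person and per-organization score, and raise an alert when a monitored score moves sharply. The following is an added illustration of that loop and is not Privacy Bee’s code or its scoring model; the HR roster, the scan findings, the per-source weights, the executive multiplier and the alert threshold are all constructed for the example.

```python
"""Toy external-exposure scoring loop (added example, not Privacy Bee's code).

Every input below is constructed: the HR export, the findings a scanner of
people search sites / data brokers / paste sites / dark web sources might
return, and the weights. The scoring rule is an assumption for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed HR export, loaded the way the text describes (CSV from HR software).
HR_CSV = """employee_id,name,email,department
1001,Alice Example,alice@example.com,Engineering
1002,Bob Example,bob@example.com,Finance
1003,Carol Example,carol@example.com,Executive
"""

# Constructed scan findings: (subject email, source type, what was exposed).
FINDINGS = [
    ("alice@example.com", "people_search", "home address listed"),
    ("alice@example.com", "people_search", "phone number listed"),
    ("bob@example.com", "data_broker", "profile offered for sale"),
    ("carol@example.com", "dark_web", "credential present in breach dump"),
    ("carol@example.com", "people_search", "relatives listed"),
    ("nobody@example.com", "paste_site", "row for someone not on the roster"),
]

# Assumed weights per source type (illustrative only).
SOURCE_WEIGHT = {"people_search": 10, "data_broker": 15, "paste_site": 20, "dark_web": 40}
# Assumed role multiplier: executives are favoured social-engineering targets.
ROLE_MULTIPLIER = {"Executive": 1.5}
MAX_SCORE = 100


def load_roster(text):
    """Parse the HR CSV into {email: row}, keyed case-insensitively."""
    return {row["email"].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}


def score_employees(roster, findings):
    """Aggregate exposures per employee into a capped 0..MAX_SCORE risk score.

    Returns {email: {"score": int, "exposures": [(source, detail), ...]}}.
    Findings whose subject is not on the roster are ignored rather than
    creating phantom employees.
    """
    result = {email: {"score": 0, "exposures": []} for email in roster}
    raw = defaultdict(float)
    for subject, source, detail in findings:
        email = subject.strip().lower()
        if email not in roster:
            continue
        raw[email] += SOURCE_WEIGHT.get(source, 5)  # unknown source: small default weight
        result[email]["exposures"].append((source, detail))
    for email, total in raw.items():
        multiplier = ROLE_MULTIPLIER.get(roster[email]["department"], 1.0)
        result[email]["score"] = min(MAX_SCORE, int(round(total * multiplier)))
    return result


def org_score(scores):
    """Organization-level view: mean employee score, rounded to an integer."""
    if not scores:
        return 0
    return round(sum(s["score"] for s in scores.values()) / len(scores))


def vendor_change_alert(previous, current, threshold=15):
    """Continuous-monitoring check for a vendor score.

    Returns an alert string when the score moved by at least `threshold`
    points in either direction, else None (threshold is an assumption).
    """
    delta = current - previous
    if abs(delta) >= threshold:
        direction = "increased" if delta > 0 else "decreased"
        return f"vendor risk {direction} by {abs(delta)} points ({previous} -> {current})"
    return None


if __name__ == "__main__":
    roster = load_roster(HR_CSV)
    scores = score_employees(roster, FINDINGS)
    for email, info in scores.items():
        print(f"{email:22} score={info['score']:3} exposures={len(info['exposures'])}")
    print("organization score:", org_score(scores))
    print("vendor check:", vendor_change_alert(30, 52))
```

With the constructed inputs, Alice scores 20 (two people-search hits), Bob 15, and Carol 75 (a dark-web credential plus a people-search hit, scaled by the executive multiplier), for an organization mean of 37; the unmatched paste-site row is dropped instead of inflating anyone’s score. The vendor check models the “notify on any major change” behaviour: a jump from 30 to 52 crosses the threshold and produces an alert, while a 5-point drift does not.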
Service Levels and Costs
After completing the tasks associated with the four free services listed above, an organization, armed with the knowledge of how, when and where its external data presents risk, faces the final important step: removing all the unsecured PII from the hundreds of locations where it has been found. For many large organizations, this process would represent an unacceptable burden on internal resources, as it is labor intensive and time consuming. It is this facet of the solution that Privacy Bee charges for. Outsource the removal process to Privacy Bee’s extensive colony of Worker Bees, who work tirelessly to manage the process on your behalf. The pricing model is based on a “seat license” for each member of the organization the client identifies as a security risk, and it is very affordable compared to traditional, contemporary information security solutions. It is certainly far more affordable than the cost of losing intellectual property to industrial or corporate espionage.
As the removal service does its work, organizations’ CISOs and other leaders are able to monitor the declining risk profile via the dashboards provided in the no-cost ERM and VRM segments of the solution. This enables even the largest organization or governmental agency to maintain real-time metrics on the risk levels it faces. It also enables leadership to establish and enforce governance and business rules surrounding acceptable thresholds for external data risk and privacy, ensuring that the organization is an unattractive target for cyber criminals.
For more on these and the numerous other services and benefits available with Privacy Bee for Business, schedule a demo call with a Privacy Bee representative.