When people think of industrial espionage, they envision scenes from movies like James Bond or Mission Impossible, where the spy scales the wall, bypasses the alarm, forces open the safe, and makes off with the secret documents, barely avoiding capture. In other scenarios, people envision an industrial spy sneaking into the corporate boardroom to plant a listening device, or using sophisticated methods to tap into the phones or the computers carried by company executives.
While these types of attacks do occasionally happen, and receive a lot of sensational press coverage when they do, they are actually quite rare. Most actual industrial espionage is done using far more mundane methods, some of which can actually be legal.
Here are six low-tech ways in which spies may be able to gather intelligence on your organization:
Taking a Walk Around Your Building or Campus
It is amazing how much business intelligence a person can gather by simply walking around the exterior of your buildings and looking through your windows. This is particularly true in open campus settings where the public is allowed to roam freely between the buildings. Things that can be observed by looking through the windows commonly include:
- Whiteboards or presentation pads that have sales data, marketing plans, or new product launch information written on them.
- Prototypes of new products and packaging.
- Materials associated with new advertising campaigns or promotions.
- The names, job descriptions, and contact information for company employees.
- The names of customers and suppliers.
Smart spies are aware of this easy method of gathering intelligence and may make regular trips to your campus to gather information by simply walking around.
Looking Through Your Trash
Your trash and recycling bins can be a treasure trove for someone attempting to gather intelligence on your organization. Despite policies to the contrary, many employees continue to throw documents containing confidential information into the trash without shredding them first. Some items, such as prototypes of packaging for new products, can provide a competitor with valuable product development information yet are often thrown into the regular trash.
Sometimes, employees will follow proper disposal procedures when working at their desk, but fail to think about security when disposing of documents in places such as cafeterias or outdoor seating areas that may be open to the public.
Smart spies may attempt to gather confidential information from your trash, either directly, or by using an inside party to help them (such as a janitor, recycling company driver, etc.)
Overhearing Employee Conversations
In many cases, restaurants, bars, or coffee shops located near your campus may become informal gathering places for your employees. A person seeking to gather intelligence on your company can strategically place themselves so that they can overhear conversations taking place among employees.
As an example, we have a client who has a Starbucks store located about a block away from their headquarters in downtown Seattle. This store is used as a frequent gathering place for employees throughout the day, who can be identified by the company badges that they are wearing. By sitting in the vicinity of these employees, we were often able to overhear confidential business being discussed. One time, we were even able to overhear a group of employees rehearsing a sales presentation that they were planning to make to a major government agency later that day.
Smart spies may attempt to identify the places that are the likely hang-outs for your employees, and may deliberately go to these places in an attempt to overhear employee conversations.
Monitoring Social Media and Forums
Employees sometimes unknowingly disclose confidential company information when posting on business and social media sites such as Facebook and LinkedIn. Engineers, scientists and researchers often openly share information on technical forums and sometimes inadvertently disclose trade secrets and other information that their employers would rather keep private.
Smart spies will identify your key employees, and then attempt to monitor their postings to social and business media sites and forums. Most of this information is public and freely available.
Sometimes, something as innocent as posting your business travel plans can provide information that is useful to a spy. For example, one company learned that two of their major competitors were planning a merger because of frequent trips made by senior executives between the two cities in which the competitor’s respective corporate headquarters were located.
Talking with Your Vendors
Most companies rely on a wide range of different types of vendors, including suppliers and contractors, to support their business operations. In many cases, these vendors are considered valued business partners and are given access to some of the company’s most important secrets.
While most vendors have honorable intentions, they typically don’t do business exclusively with you and probably also have similar relationships with some or all of your competitors. Sometimes in an attempt to appear knowledgeable or to make a sale, a vendor may deliberately or accidently leak confidential information about your company. Sometimes, these leaks may be the actions of an individual vendor employee and not sanctioned by the vendor company itself, but this doesn’t make them any less damaging.
Smart spies may deliberately target your vendors and suppliers to obtain confidential information about your company. They may pose as a potential customer wanting to buy a product or service, or as a reporter from a newspaper or magazine. They may even pose as someone from your own company, asking the vendor to send or otherwise disclose confidential information directly to them.
Talking with Your Current and Former Employees
Your current and former employees know a lot about your company. Sometimes, without knowing it, they can inadvertently disclose information that can be damaging to your company. They can be particularly vulnerable in social settings, where alcohol is be being consumed and their guard is down.
Smart spies may specifically develop relationships with your current or former employees to gather confidential information. The spy may get introduced through a “friend-of-a-friend”, or offer the employee a job or lucrative consulting assignment that can be performed without interfering with the employee’s regular job. Spies are especially likely to target employees with personal or financial problems, or employees that have issues with drug or alcohol abuse.
It should be kept in mind that intelligence gathering is a cumulative process. While any one piece of information in itself may not be of much value, a collection of multiple pieces of information can be assembled over time into something that is extremely valuable. A good spy recognizes this, and can often take a tiny scrap of leaked information and develop it exponentially into something that can be very damaging to your company.
For example, an overheard conversation in a coffee shop + a packaging prototype found in the trash + sales projections observed on a whiteboard + forum postings by an employee bragging about a new technology + material order information provided by a vendor can = a fairly complete picture of a new product that you are planning to launch. This information could allow an unscrupulous competitor to beat you to market with a copycat product, causing your company to lose revenue and possibly suffer great financial harm.
Things That You Can Do To Prevent Low-Tech Spying
- Employee security awareness training is the single most important preventive measure that you can take to prevent low-tech spying. Employees need to be made aware of the things targeted by industrial spies and the methods that may be used by spies to gather information. Most employees are oblivious to the risks of corporate espionage and often compromise security for the sake of convenience or in an attempt to be helpful to others.
- Develop effective procedures for the disposal of sensitive documents and other confidential information. Conduct random inspections of trash and recycle bins to make sure that confidential material is not being disposed of improperly. (See Security Tip #2-4: Are You Throwing Your Company Secrets in the Trash.)
- Walk around your buildings to see what a spy could observe from the outside. If necessary, move whiteboards and presentation screens so that they cannot be observed from the outside. Make employees who have offices on the exterior of the building aware that the things that they have in their offices could potentially be observed by a spy. In general, anything that contains information that has not yet been released to the public should not be displayed within exterior offices.
- Educate and frequently remind employees of the potential risks of posting company-related information on social media sites and in forums.
- Educate and frequently remind employees about the risks of discussing company business with outsiders, especially in social settings. Employees should be particularly cautious when talking with people who they have just met or who appear to take an unusual interest in their work. Employees should also be cautious about being overheard when discussing company business in a public setting.
- Develop procedures for managing projects that involve confidential information. Use non-descriptive code names for projects. Compartmentalize projects to the greatest extent possible and only allow authorized employees to have access to project areas. Share information about the project with employees on a need to know basis. Limit the amount of confidential information shared with vendors. Don’t think that NDAs (non-disclosure agreements) alone will provide adequate protection of your intellectual property.
- Periodically use search engines such as Google to search for information about your company and your key employees. Visit business and social sites to see what is being written about your company and its employees.