Protecting Against Corporate Espionage

Episode #29 of NAVIGATE discusses modern corporate espionage.

Protecting Businesses & Travellers from Corporate Espionage




Anthony Dye

0:00:04 – 0:01:16

Welcome to NAVIGATE. My name is Anthony Dye. I’m the Corporate Team Leader here at World Travel Protection based out of Brisbane, Australia. Today we’ll be exploring the realm of corporate espionage. From James Bond to Jason Bourne, we’ve all been captivated by the action-packed escapades of spies on the big screen. However, did you realise that real-life corporate espionage is equally exciting and at times much more hazardous?

Modern corporate espionage involves activities such as hacking into a competitive database, using social engineering tactics to pilfer confidential data or simply sitting in a coffee shop and overhearing a conversation. With me today to delve into this topic is Paul Trotter.

Paul is a former intelligence operator with over 16 years’ experience in complex operating environments. Paul has a background in the Australian Defence Force and recently returned to Australia after providing security and intelligence support to diplomatic missions and oil and gas clients in hostile environments. Using his background in intelligence collection and assessment, Paul is based in Brisbane and supports a World Travel Protection global effort for direction, collection, and assessment of information used to inform our operations team and support our clients. How are you doing today, Paul?

Paul Trotter

0:01:16 – 0:01:17

I’m good. Thanks.

Anthony Dye

0:01:17 – 0:01:19

Excellent. Thank you for joining me, Paul. Let’s start with the basics. What exactly is corporate espionage?

Paul Trotter

0:01:19 – 0:02:13

It’s a complex subject. But essentially, corporate espionage is the act of gaining a competitive advantage over a rival organisation, typically through a covert act or a clandestine act. So this can include things like surveillance, physical infiltration, it could be coercing an employee or bribing an employee, or the ones that we often think about, things like cyber activities and hacking.

But there’s also the risk associated with things like disgruntled employees or negligent employees, both of which we would call a trusted insider. And it’s important to know that it’s not just limited to corporate entities. Government-sponsored corporate espionage does occur in many countries. Whilst this is often linked to defence corporations, government-sponsored activity could target just about any industry, whether it’s to gain access to something like a technological advancement for their own country, or to apply economic stress to a rival country as well.

Anthony Dye

0:02:13 – 0:02:19

That’s fascinating. Would you be able to explain to us how prevalent corporate espionage is in today’s business landscape?

Paul Trotter

0:02:19 – 0:03:26

Sure, it’s difficult to give an actual metric on how prevalent it actually is just because it’s either often undetected, or it goes unreported as well. I guess you can imagine, if you were an organisation that was targeted in a way that resulted in a significant breach, whether it was significant in the size of material that was taken or significant in sort of impact, it doesn’t really benefit you to make it widely known that you’ve been targeted, given the potential damage to things like your reputation, and then subsequent flow on things like your share price or the like.

It’s definitely a significant problem, though, particularly in sectors that place a significant value on their intellectual property. So when I say that, I mean organisations that focus on things like technology and defence, but also things like pharmaceuticals. Before the podcast, they actually had a quick look into the actual impacts from a financial sense. And it turns out that a recent study commissioned by the US Center for Strategic and International Studies estimates now that corporate espionage costs about one to $300 billion every year, just amongst US companies. So it’s obviously quite a significant impact.

Anthony Dye

0:03:26 – 0:03:36

Yeah, I guess we’ve definitely seen a rise then in the prevalence of corporate espionage. How has that changed over time, and what kind of factors have contributed to this rise in this change?

Paul Trotter

0:03:37 – 0:04:52

One of the major things to consider is that we live in an increasingly digital world, which combined with the globalisation of business, it makes it significantly easier for organisations to target each other. Essentially, now we’re sort of faced with a problem where information can be collected remotely and across borders, and which makes the detection and prevention of corporate espionage even more difficult than it previously was.

Obviously, things like the cyber attacks and hacking is something that’s always been able to do this. But there’s an increase in things like social engineering and the like being conducted online versus face to face. And then obviously, in the wake of the pandemic, we’re increasingly more remote in our business.

And all these sort of things are combined to create a situation where there’s so much exposure for businesses now everything’s dislocated. And as a result, there’s an increased risk, both in terms of that negligent insider or that disgruntled insider to have access to information without appropriate monitoring. And then at the same time, there’s an increased ability of threat actors to be able to target information, target individuals that aren’t going to be protected in the way that they would be if the business was more centralised and information and data and everything else was co-located in one single facility office.

Anthony Dye

0:04:52 – 0:05:04

Okay, from what I’m understanding, there’s probably some common steps or actions within the espionage process when someone or a company is targeted. What are some of those common tactics that are used in corporate espionage throughout this process?

Paul Trotter

0:05:04 – 0:06:13

So the one that people focus on a lot is obviously cyber attacks and hacking, as we’ve already sort of discussed. But there’s also threats from things like social engineering, or physical infiltration, eavesdropping, bribery, and targeted recruitment of insiders as well. In the more sophisticated attacks, perpetrators will often use multiple techniques or tactics to gain access to whatever information or data they’re trying to access, particularly if it’s part of a major project or a much broader project.

So you can imagine if you’re trying to steal information about a new type of car, one person or one department might have information about the wheels, whereas another department, another person may be able to access information about the engine.

And at the same time, as we become more aware, or more consistent in our approach to mitigating corporate espionage and the risks associated with it, we also create the situation for attackers where they have to be more skilled and more capable of gaining access to information and actually defining their tactics and how they’re going to proceed with this before they ever start. Whereas previously, it might have been a much more ad hoc approach, particularly on those larger scale projects.

Anthony Dye

0:06:14 – 0:06:28

I guess it’s important to highlight that it’s not just individuals that are solely targeted, usually that individual is a part of a bigger picture targeting the company or organisation that they work for. How can companies protect themselves from corporate espionage?

Paul Trotter

0:06:28 – 0:08:34

So the first thing and the most obvious one at the same time is having robust security policies in place. These are essential in protecting sensitive information and your staff as well, both from being targeted, and from the fallout of any corporate espionage attack. There should also be clear guidelines on how to handle and hold sensitive material, how security breaches are detected, and how we respond to them. And then clear reporting mechanisms as well, both for staff in terms of how they report, if they believe there’s been a breach, how they report if they believe they’ve been targeted.

And then for the company themselves, as well. They also have legal obligations to report things if they’re a listed company, they have to report things to partners and shareholders and those kinds of things. Access Controls, which form a key part of the security planning are also essential, particularly in terms of the physical theft, but also more and more and increasingly within the cybersecurity space as well. If there’s no need for an individual to actually access that information, or access that material, then they don’t need to access it.

So limiting that access to information and that data to those who actually require it for their work actually goes a long way in preventing potential trusted insider attack. Maintaining these processes and not letting them slip is also the key part to all this. So many times laziness, or this perception that doubt necessary, particularly, you know, we protect against this kind of attack, we’ve never seen it before, therefore, the attack is unlikely to happen. It’s obviously flawed logic in the sense that if the process is working, it prevents the attack. But having that attitude, and this inherent laziness really has resulted in a lot of organisations falling foul of not having the appropriate processes or controls in place, or having them in place and having people not adhere to them, which obviously leaves them in a vulnerable situation.

So having that understanding of what the process is, having that repeated reminder of what the processes are, how we protect against it, why we’re doing it under the digital techniques, and then obviously having also continuous training, you know, whether that’s an annual thing that the organisation does on both identify potential breaches and how to report them as well, and how to mitigate those risks is essential.

Anthony Dye

0:08:35 – 0:08:48

I take it within these processes and procedures, there would be extensive training or coaching involved. How do companies balance the costs of implementing security measures against the potential costs of a successful espionage attack?

Paul Trotter

0:08:48 – 0:09:59

It’s one of those things where you sort of got to look at all the different costs associated with it. So obviously, there’s always going to be a financial cost. As we discussed, you know, US companies alone are looking at 100 to $300 billion annually in cost there. But outside of that financial cost, we’re talking reputation, if my company is breached, is any range of clients going to want to work with me in the future. Our partner companies can work with me in the future, how do my shareholders do it?

There’s sort of that ongoing flow from financial reputation and then physical as well, potentially, you’ve got staff now that don’t feel comfortable in the workplace, either, because there’s been someone that’s been gaining legal access within the building. So there’s that physical concern, but then they have to think about their reputation as well. If you’re a professional at the top of your game, do you want to be working with a company that’s known for these data breaches, or known for being a repeat victim of corporate espionage?

So realistically, whilst you may lose man hours and those kind of things to training and drills and everything else, are you really in a position where you can do this training or not do this rehearsal stuff on the off chance that you are targeted by a corporate espionage attack?

Anthony Dye

0:09:59 – 0:10:25

There’s definitely some stuff there. Personally, I hadn’t considered that reputational risk within your staff when they would feel safe working in a company or an organisation that has been a victim of this. Definitely a few really interesting things to think about. I’d just like to kind of bring us back to the human element that you discussed earlier. Specifically, you threw around the term social engineering. What exactly is social engineering, and how can it be used to carry out corporate espionage?

Paul Trotter

0:10:26 – 0:12:15

At its heart, social engineering is essentially the act of manipulating or deceiving someone primarily with the goal of getting them to divulge information or carrying out an activity that they otherwise wouldn’t have normally done. It’s something that you might have seen examples of people getting caught out on the phone or by email.

The common scams, the Nigerian prince scam is a perfect example of that social engineering, albeit at a very non-technical level, it’s still attempting to manipulate that person, in this case financially. But we’ve seen things like love rats, which are essentially a person trying to pull on the heartstrings of lonely people, even down to sort of the more business-oriented side, which is obviously a lot more common within corporate espionage, where people are posing as IT tech support and saying, “I just need your password.”

Obviously, we know to not give our password to people, it’s a fairly accepted rule that you don’t hand out your passwords to other people that you hear about all the time where someone got in because someone so gave them their password. It’s not that outlandish to believe that either negligence, laziness or just willful disobedience can contribute to these kinds of data spills and social engineering capitalises on those attitudes. And either their failure to adhere, or the miscommunication or misunderstanding of what they actually need to be doing in these processes.

Obviously, this can also get a lot more sophisticated, and also involve things like a direct personal approach. But that’s something that’s more geared around a sophisticated attack, which has a long lead time, involving studying the target individuals identifying ways to connect with them. And it’s something that realistically, you’re not looking at just an opportunistic attacker. At that point, you’re looking down the lines of more of a professional intelligence collection activity there.

Anthony Dye

0:12:15 – 0:12:21

So what are some of the ways that companies can respond if they do believe they’ve been targeted by a corporate espionage attack?

Paul Trotter

0:12:21 – 0:14:18

There’s a couple of steps that companies can take. Obviously, the first one is that they need to secure the compromised information to prevent a further breach, or further access or distribution of that information or material, whether that involves changing passwords, further limiting the access and introducing enhanced security measures as well.

The next thing they do is investigate the breach. The company needs to understand what the actual scope of the breach is. And obviously they also need to understand the nature of the breach, whether it’s a cyber incident is going to be significantly different to a trusted insider, for example. Notifying law enforcement is also essential, as much as the organisations to hide the harm to their reputation, everything else, particularly if there’s a criminal element, there needs to be law enforcement involvement. Obviously, corporate espionage as a whole is generally going to be criminal anyway, particularly if there’s something like physical theft. By involving law enforcement, these companies are able to leverage that expertise and that tracking skill, a lot better than if the company was to try and do that investigation on their own.

And then they also have the capability to properly identify the perpetrators and deter future attempts as well. Hand in hand with law enforcement is also legal action, which again, is another deterrent method. Whilst it’s not always possible, if potential attackers do see that you’re litigating against everyone who targets that, then it may deter those future attempts. The next one is reviewing and enhancing security measures. So we need to identify how this happened, how we can plug the holes, whether it’s through again, enhanced access control measures, increased monitoring, or even training staff and appropriate handling of sensitive material.

And then finally, communication. So we need to communicate with all stakeholders involved. They say that bad news doesn’t get better with age. And it’s especially true in these kinds of incidents. Everyone, from employees through customers, partners, they’re all going to need to be aware of this breach, not only to maintain the trust and confidence within the organisation, but also because there may be subsequent flow-on effects, particularly for partner organisations and the like and affiliated companies in particular.

Anthony Dye

0:14:19 – 0:14:36

That’s great, thank you. So we’ve covered off a bit of the who, what, why, how behind corporate espionage. I personally, always like to learn through existing real life scenarios, things that have actually happened. What are some of the most high profile cases of corporate espionage in recent history?

Paul Trotter

0:14:36 – 0:15:34

So there’s a couple of really good ones. In 2012, Samsung was forced to pay Apple $1 billion in damages after it was found that Samsung had copied confidential documents from Apple.

In 2017, we’ve seen another one where Google sued Uber because Uber capitalized on the theft of documents by a former employee, which are related to self-driving cars, and that prompted a payment of several hundred million dollars.

Most recently, whilst it’s not a corporate example, we’ve just seen the arrest of a 21-year-old National Guardsman in the US who was accused of copying piles of top secret US government documents.

In all three of these cases, the central component is a failure of security protocols for one and the human involvement as well. We often see a focus on cyber attacks or hacking attacks as well. But the key step in most corporate espionage activities is the human error or the human factor, which many define as the weakest link in security.

Anthony Dye

0:15:34 – 0:15:46

In this day and age, we’re all connected to each other through technology, social media, computers, phones, tablets, whatever that may be. How has this technology impacted the practice of corporate espionage?

Paul Trotter

0:15:47 – 0:17:08

Technology, the first one that everyone thinks about people talk about social media, which provides a treasure trove of information that can be used to target either an individual or a company. And it can be used for everything from clues to crack a password, you know, things like kids’ birthdays, first pet’s names, those kinds of things, through to mimicking the language that someone uses when they talk online, or providing ways in which that individual could be approached or solicited.

For example, if you’ve got, you know, your favourite band on your social media, and it’s an obscure band, and no one’s heard of, and someone’s suddenly coming up to you in a cafe in Paris, and they’re the world’s biggest fan of it, and they’ve got a T-shirt and you know, you’re bonding over that kind of stuff. You’ve presented that information in a way that is easily accessible, and easily used for targeting through a variety of avenues there.

When we talk about technology, in general, though, people have a tendency to just automatically trust that technology is going to keep them safe, you know, the various security protocols that come within the phone, or the laptop, or whatever it happens to be. And people have a tendency to store information on that phone or on that laptop, which can be accessed either physically or remotely.

And then the flip side of that, they don’t consider the implications of how that technology intersects with something like physical surveillance. So working on a document in a cafe or having a phone conversation on the train also provide opportunities to collect against a target.

Anthony Dye

0:17:08 – 0:17:35

Personally, I’ve been diving into ChatGPT, Jasper AI, those types of new tech that’s been coming out. It’s fascinating and incredible to see what these tools are capable of and the direction that we’re heading in utilising these tools and programs.

How do these emerging technologies though, so things like artificial intelligence, blockchain tech, how does it impact corporate espionage? What new challenges do they pose for companies that are trying to protect themselves?

Paul Trotter

0:17:36 – 0:19:07

The difficulty with emerging technology is that we often don’t know the full security risks posed by these technologies until a breach happens. Essentially, we don’t know what we don’t know. Already, though, we’re already starting to see issues arising with ChatGPT, for example, where company’s proprietary or sensitive data is being input by their staff, and then being accessed nefariously by others, either to prove the point that it’s not safe, or actively trying to collect that information.

And the flip side of that is, even if people are publicising this in a way to highlight to people that it is at risk, there hasn’t been any steps to mitigate the risk from the ChatGPT side. So you know, it’s just out there that you can access this information by following the following steps, essentially creating how-to guides for nefarious actors. There’s a major push amongst many industries to utilise these AI platforms, particularly things like enhancing productivity and efficiency.

But we aren’t fully aware of how these platforms can be used negatively yet. So if you think about enhancing productivity from a management perspective, you might be putting in employees’ names, details, and those kinds of things. If we can pull that information later, I’ve now got a list of people that I can use to target within the company as a whole at very best case scenario. Very worst case scenario, I know what projects people are working on, I know exactly what kinds of things they’re doing there and what level of access they have. All because you’ve just put it into ChatGPT and you’ve made it open source for me.

Anthony Dye

0:19:07 – 0:19:20

Exactly right, this new tech has kind of come out and we’ve all rushed headlong into it. I guess not necessarily being aware of what the future implications possibly could be, where it could lead down the track, who may be able to access it or use it for those nefarious purposes.

Paul Trotter

0:19:20 – 0:19:21

Exactly right.

Anthony Dye

0:19:23 – 0:19:34

If a company does become aware that themselves or an employee has been targeted for any sort of corporate espionage, what can a company do to effectively investigate but also respond to any suspected instances?

Paul Trotter

0:19:35 – 0:21:31

It really depends on the specific situation itself. So the investigation, for example, it needs to be sensitive and quiet is sort of a key mandate to all these kind of investigations, particularly because we do want to avoid tipping off anyone that’s involved. Because that’s key in how we identify not only who was involved but how they gained access, what specifically was taken and how they took it as well.

There also needs to be a level of maturity, too. Covering up mistakes or failures leads to the resultant updated security plans not being robust enough to mitigate future risks, just as it fails to highlight new or emerging threats as well. So if you think about Joe Bloggs has failed in his duty as a manager to ensure that everyone is signing out documents every day that they’re controlling documents in an appropriate way. He doesn’t want to lose his job. So he’s going to potentially lie about what we’re trying to cover up or reduce his involvement in that point of failure.

But having that maturity and actually saying this was one of the things that I failed to do, and as a result, this happened, helps to identify those root causes and helps to identify those almost paths, if you will, of how that corporate espionage attack played out.

At the end of the day, though, corporate espionage is very different to something like an employee taking an extra long lunch break or something. So it’s not something that HR or management can investigate themselves. It’s something that they need to have professional input on. And the findings of that investigation then need to drive updates to their risk assessments and security policies as well.

And again, it’s something that a security professional or counterintelligence professional is best suited to be able to do. And it’s not so much about hanging out the individual or individuals that are involved in it so much as it is protecting the business further down the line, and preventing this from happening both to yourself and then to obviously others as well by removing this threat from the board.

Anthony Dye

0:21:31 – 0:21:44

On that same line, I can imagine there’d be some pretty severe potential consequences if a suspected case of corporate espionage was mishandled, or a suspect in that sense was mishandled. How can companies avoid making these mistakes during an investigation?

Paul Trotter

0:21:45 – 0:22:31

As I said, applying the findings, diversification into an appropriate mitigation response, and also the defences used to protect against future breaches is key to that effective investigation. If that investigation response isn’t targeted and appropriate to the incident, then at worst, you’re going to see future incidents occurring. At best, the poor handling or poor response can lead to just as much reputational harm as the initial breach itself.

I’m sure you’ve seen a number of companies that have handled a data breach or have data spilled poorly. And as a result, it’s damaged their reputation more so than the initial breach actually did. By applying appropriate security risk management counter-intelligence methodology, or by engaging a professional service to do so, companies degrade those unintended or second order impacts.

Anthony Dye

0:22:32 – 0:22:43

So what are some effective strategies for training employees to recognise and defend against these social engineering tactics that, as you said before, are quite heavily utilised in corporate espionage attacks?

Paul Trotter

0:22:44 – 0:24:10

The first and foremost one is always going to be to adhere to their organisation’s security policies and protocols. If you don’t act outside those policies, then it becomes very hard for a perpetrator to actually gain information from you or to get you to do something for them.

The next one is to be sceptical. So be suspicious of unsolicited messages or calls, particularly if they’re asking for sensitive information. And a good example of how to respond to this is if you’ve ever received a call from your bank asking for information, want to ask them for a reference number or contact person, hang up and call them back on a phone number that you know is that bank. By doing that you’ve just interrupted any potential adversary’s ability to gain that information from the because you’re now contacting the bank. And we’ll both identify that, hey, that was a potential breach, or it wasn’t. But we’ve got that policy and process in place that once we receive this request for information, we act in this way, which prevents any potential data spill, leak, breach, whatever it happens to be.

The other one is social media, which is always going to be a major consideration that many people don’t take into account. So people should be aware of what they’re posting on social media and what personal information is available about them. It may not actually be sensitive information, but it may be something that could be used as a convincer. So a new person in your life that suddenly seems to share all the same interests and hobbies as you or it may provide them with information as we discussed about how to crack your password with the child’s birthday, your pet names, etc.

Anthony Dye

0:24:11 – 0:24:22

So we’ve just discussed some of the more common tactics that are utilised in espionage. But what are some of the more sophisticated things that people are likely to see used against them, and how can they defend against that?

Paul Trotter

0:24:23 – 0:25:04

So all those previous corporate espionage tactics are scalable, and as I said, they’ll often be used together rather than as a standalone technique or tool. When these types of activities get more complex, however, we start to see alternative types of targets.

So for example, someone seeking to gain advantage may not be able to access information directly from the source, but a supplier, a vendor, they may be the weak link in the chain, and that gets targeted instead. We define threat as the sum of capability and intent. So when there’s a high capability, such as required to carry out those more sophisticated operations, our threat naturally increases as well. All whilst our ability to actually detect that threat decreases.

Anthony Dye

0:25:06 – 0:25:12

Thanks, Paul, I appreciate you taking the time out to have a conversation with us. Do you have any final tips or anything to say?

Paul Trotter

0:25:13 – 0:26:13

Yeah, at the end of the day, staff need to be aware of their surroundings and think about where they are, what they’re doing at that time. Is it appropriate to be doing this within the environment that I’m in? So should I be working on this document in the cafe? Should I be having this phone call surrounded by people? And then at the same time thinking about who you’re talking to. Have I just met this stranger at the bar? Have I just met this person on the plane? Are they asking me specific questions about my business, about what I do? It may not be nefarious, but it’s good practice to get into, to not be talking about sensitive information. At the end of the day, realistically, it’s common sense to a large degree. And then the other part is adherence to good corporate security policies of not divulging what you’re working on, not divulging specific information about what it is that you’re going to be doing at the time, what the company is doing, those kinds of things. But at the end of the day, if you wouldn’t say it publicly in an interview or international television, whatever happens to be, then you wouldn’t say it to an individual on a plane, you wouldn’t post it on social media, those kinds of things.

Anthony Dye

0:26:14 – 0:26:42

Are you looking for the best travel podcast to inspire your upcoming adventures while also helping you travel smarter? Listen to NAVIGATE, the travel podcast that enhances how you explore the world, found on our world travel Travel assist hub. In each episode, World Travel Protection hosts speak with travel industry experts or experienced everyday travellers to bring you thought-provoking travel insights, experiences and advice, helping empower you to travel the world confidently.

Are you aware of the potential risks your business faces from corporate espionage? Join us in this episode as we delve into the insidious practice of corporate espionage and how to safeguard your business from it with intelligence expert, Paul Trotter.

Discover common tactics and how companies can protect themselves from an attack. We also explore high-profile cases of corporate espionage and the role of technology in facilitating such attacks.

Learn how to effectively investigate and respond to suspected instances of espionage, and defend against sophisticated attacks. Don’t miss Paul’s top tips on how you can mitigate these covert threats at the end of the episode.
