How to Detect and Prevent Corporate Espionage

Originally published by Code42.

Written by Aimee Simpson.

Employees’ hard work, innovative ideas and collaborative efforts drive every organization’s success. In fact, many companies consider their employees their greatest asset. However, the trade secrets those employees create and use daily can develop into a business’s biggest threat.

A pressing question on the minds of many security leaders is, “How do we make sure that we can trust employees to keep our trade secrets safe?” What’s more, they must make a plan to protect their trade secrets from bad actors — especially as cyber criminals exploit trade secrets and other confidential data.

While corporate espionage can create costly, critical issues for a company, proper detection and prevention can mitigate that risk. This article will discuss all things corporate espionage, including its different forms, commonly affected industries, high-profile cases and best practices for avoidance.

What is corporate espionage?

Corporate espionage refers to the act of taking a company’s proprietary information, intellectual property or trade secrets without consent and selling them to another party. Sometimes called “industrial espionage,” it includes a wide array of both simple and complex means for stealing information for financial or commercial gain.

It’s important to note that, while the two terms are often conflated, “corporate espionage” and “economic espionage” are two distinct concepts. While corporate espionage is conducted between organizations, economic espionage occurs between governments and is an international act.

Here, we’ll focus on corporate espionage, but there is often some overlap between the two. This is because the interests and priorities of governments and businesses frequently align, which makes it particularly confusing and difficult to discern between the two.

What are the different forms of corporate espionage?

The larger umbrella of corporate espionage comprises several different forms of the action. The two most common types include:

• Intellectual property acquisition – Intellectual property (IP) acquisition — also known as IP theft — is the act of stealing unique inventions, ideas or information from other parties for profit, financial or otherwise. Today’s hyper-innovative, globally competitive market demands fresh ideas, novel information and new processes, which makes IP acquisition a very dangerous threat. Thieves loot another party’s IP to gain a competitive edge, monetize a product or steal the “secret sauce” that drives a certain company’s success. Organizations must keep IP theft at bay to avoid productivity issues, revenue loss and other long-term damage to their brand and viability.

• Trade secret theft – A trade secret is considered any type of information that’s not public that holds potential economic value to the organization it belongs to. Employees create, move and share trade secrets at a regular cadence, which makes them especially hard to protect. Emails, text messages, browser histories, personal drives and more can all contain trade secrets that malicious actors want to steal. Since it’s difficult to tell when and where trade secrets move, exposure can happen without a trace.

Methods of corporate espionage

Corporate espionage is not a new concept by any means. But as organizations scale and leverage more and more tools and technologies, risks for exposure inadvertently increase. Due to new avenues for access, many methods can be used to gather information for nefarious purposes:

• Unauthorized access – Unauthorized access refers to any instance where an individual (either internal or external) gains access to networks, data, endpoints, devices or applications without permission. The accessed information gets used to leverage further access or destroy systems and networks.

• Phishing – Phishing attacks typically begin with an email that contains a document or link that appears legitimate, but is actually carefully designed to gain information or infiltrate a system or network. Despite the several different types of phishing attacks, each entices a user to take action that consequently gives the attacker information or control.

• SQL injections – SQL injection (sometimes called SQLI) is a technique using SQL code to manipulate backend databases and gain access to unauthorized information. Attackers can then view or modify the database for various purposes.

• Insider threats – An insider threat is perhaps the most unexpected type of corporate espionage, as they can occur both maliciously and accidentally — and without detection. In fact, CISOs rank insider threat (27%) the most difficult to detect, ranking above both cloud data exposures (26%) and malware (22%). Human error, cutting corners and, of course, malintent employees all lead to insider threats. These users often have authorized access to key information and data, which makes insider threats notoriously difficult to mitigate. Malicious insiders, inside agents, security evaders, negligent workers and departing employees can all commit corporate espionage; ultimately harming a company’s reputation and exposing their proprietary information.

What industries are commonly affected by corporate espionage?

Technically, any business in any industry can fall victim to corporate espionage. However, there are a few that are more commonly affected than others:

• Computer software – Businesses that design and publish computer software develop novel and valuable products, which makes them greater targets of corporate espionage.

• Manufacturing – Attackers often attempt to steal information from companies that design and build technology products about how they craft their hardware.

• Biotechnology – Foreign attackers use both corporate and economic espionage to steal sensitive information and data around advanced manufacturing, robotics and chemicals.

• Aerospace – Avionics and aircraft designs are among two of the most common trade secrets exposed and stolen in aerospace espionage acts.

• Chemical – Industrial spies target chemical companies for their customer details, marketing plans and product trade secrets for a significant advantage over competitors.

• Financial – In the financial sector, data is even more valuable than cash, especially since data can be moved anonymously.

• Retail – The highly competitive retail industry and companies within it lack adequate cybersecurity — thus making it a frequent target for espionage attacks.

Data across industries requires special protection due to the common threat of corporate espionage. These include:

• Source code – Some of the most valuable data that a company has is its source code. Since most businesses’ software gives them a competitive edge, bad actors steal source code data to make them lose their advantage, or destroy current operations by disturbing a company’s programming.

• Customer information – Many tools that businesses use store customer information (like CRM systems, accounts receivable software, etc.). Attackers can use this sensitive data to gain a competitive advantage or exploit their financial information.

• Financial information – Attackers steal financial information to learn how to entice competitor’s customers with more appealing deals.

• Marketing information – When armed with your marketing data, malicious actors can get ahead of your marketing campaigns and thwart your efforts to attract new customers.

• Trade secrets – Trade secrets are difficult to track, manage and protect. That’s because employees are constantly creating and sharing them in order to properly execute their work.

High-profile corporate espionage cases

It doesn’t matter how mature or well-recognized a company is – an organization of any size can experience a corporate espionage attack. That being said, there are several well-known corporate espionage cases that you may remember after seeing these big names in the news headlines:

• Google – Back in 2010, Google’s China operation was attacked by hackers who accessed the Gmail account information of Chinese human rights activists and managed to steal IP. This was a shocking incident, as it proved the tech giant wasn’t impervious to malicious actors.

• Oracle – In 2000, Oracle was caught (and admitted to) spying on Microsoft to uncover if their independent advocacy groups were, in reality, shell organizations financed by Microsoft. Oracle stole Microsoft’s garbage to access their trade secrets.

• Amazon – Amazon fell victim to corporate espionage by way of insider theft in 2020, when an employee exposed customer email addresses to a third party.

• Coca-Cola – Another incident of insider theft occurred in 2021, when a Coca-Cola employee was convicted for selling trade secrets regarding bisphenol-A (BPA). She photographed sensitive company information with her cell phone to circumvent the company’s security measures.

• Gillette – After being demoted to a lower position in 1997, a disgruntled Gillette subcontractor sent trade secrets to several rivals.

This list is only a snapshot of corporate espionage attacks. Discover more real-life examples of insider threats this blog.

How to prevent corporate espionage

While attackers constantly invent new methods to conduct corporate espionage, organizations can take preventative measures to successfully curb attempts. To stay ahead of malicious actors, security teams should implement the following best practices:

Establish an acceptable use policy

Because exposure is often a result of ignorance around sharing information, it’s vital to create policies that inform employees on how to properly share your company’s data. All employees, contractors and third-party stakeholders should have real-time access to these guidelines so that everyone is well-versed on who can access sensitive data. An acceptable use policy template can help get your team started on what to include, as well as how to broadcast the document to the appropriate users.

Conduct risk assessments

Risk is ever-evolving, so it’s important to evaluate your risk posture on a regular basis. Thorough assessments will help you understand who your top threat actors are, how your critical processes might be affected, and your current risk-preventing capabilities. By identifying both your strengths and weaknesses, you can make the necessary adjustments to keep information owned by your business as safe as possible.

Be non-disruptive to employees

Your employees knowingly and unknowingly expose and exfiltrate corporate data every single day. Even if not done maliciously, they create risk by finding shortcuts to get their work done faster, like using information technology without express approval. Your technology and frameworks should enable your security team to distinguish between malicious intent or ignorance, and then allow you to respond accordingly. After all, you don’t want to punish or prevent employee collaboration — you just want to prioritize safety without slowing down your entire operation.

Be 100% cloud-native

It’s no secret that cloud-native applications are more popular than ever in workplaces across every sector. They’re scalable, cost-effective and ideal for dispersed workforces. Organizations should adapt their capabilities and policies to support holistic adoption of cloud applications. Security teams will gain greater flexibility and control by investing in solutions that don’t require on-prem hardware or networks since they’ll only need to protect data stored in one location, not two. By going 100% cloud-native and investing in and prioritizing security practices that support the move, they can better focus on the capabilities they need to protect data as it flows between the endpoint and cloud applications.

About the Author

Aimee Simpson is a Director of Product Marketing at Code42. She and her team have the fun job of performing market research and launching new product features to customers.