Fighting industrial espionage

Risk Management08 Nov 2024

Author Oliver Dowson explains why organisations need to be aware of the risks from industrial espionage and provides some advice on how they can combat it

Ask people about spying, and most of them will think of those that work for state agencies such as MI5, CIA, KGB, Mossad and their ilk. Fictional characters like James Bond, George Smiley and Jason Bourne, and real ones like Kim Philby and Mata Hari. But there’s another less discussed kind of spying, but very real, and arguably more widespread and relevant to our times. Industrial Espionage. A more fitting name might be “commercial espionage”.

Industrial espionage is essentially a sophisticated form of fraud and deceit with political, economic, and industrial aims. Basically, it’s the illegal gathering of commercially valuable information, such as names and addresses, financial data, trade secrets, formulas, and even entire industrial designs. While the techniques have changed, this is no recent trend. Business owners have been seeking any advantage they can get over the competition for centuries.

We’ve all seen films portraying spies breaking into company or lawyers’ offices overnight, rifling through filing cabinets and photographing secret documents. Whilst I’m sure that still goes on, the more sophisticated and common approach is to use “moles”. Some may be disaffected employees open to bribery to steal secrets, some are trade visitors who, having got past the front door, take advantage to access documents surreptitiously. An increasing number – and perhaps the biggest concern - are short-term contractors. As companies reduce permanent headcount, they may inadvertently open the door to opportunists who may not be quite who they seem.

This is especially true now that the technological advances have enabled most industrial espionage to be effected through accessing IT systems. Such spies can relax in safety on the other side of the world. The evolution of business databases means industrial espionage is ever more prevalent, and often harder to detect. Cybercrime hasn’t eliminated human spies, just changed the skill set needed.

Unsurprisingly, few examples make headlines. Firms who succeed in surreptitiously obtaining secrets don’t advertise the fact, and those who lose out want to hide their shame from their shareholders. However, there are some high-profile cases in the public domain, revealing how pervasive and damaging industrial espionage can be.

Take the case of Volkswagen and Suzuki. Volkswagen is alleged to have spent millions of dollars systematically stealing technology from Suzuki over a period of more than twenty years. The techniques they applied included blackmail, bribery, and hacking. Ironically, Volkswagen themselves became a target in 2015 when their systems were hacked to obtain information and uncover software called ‘Defeat Device’ that the car maker had been using to manipulate emission test data, a scandal that eventually cost the company billions in fines.

Another vehicle manufacturer, Peugeot-Citroen, was targeted by a Chinese corporate espionage hacker who simply downloaded some of their top-secret documents and technical data to a USB memory stick. In 2007, a British subsidiary of the US-based General Electric had its research documents and product data stolen. In 2017, the personal data of nearly 150 million customers was stolen from Equifax. The breach was ultimately the result of malware installed by state-sponsored hackers who managed to gain access to the company’s databases.

The cases that have made headlines in 2024 almost all involve China – semiconductor designs stolen from a Korean firm, AI technology theft from Google and numerous examples of pre-patent designs stolen from Silicon Valley start-ups.

Such examples are just the tip of the iceberg and more a case of criminals holding companies to ransom than theft of secret data. But we can be certain that for every high-profile ransomware attack, there will be dozens of undetected hacks commissioned by commercial rivals.

In today’s climate, every organisation must remain diligent. All confidential data, from customer information to product design data, are potential targets for malicious actors. Robust and continually updated cyber security measures are a must to protect networks and data from potential attackers. Not doing so can result in serious fines, reputational damage, and costly legal proceedings. One would expect every business to be doing everything it can, but nevertheless, there are new cases of espionage month after month. Real life hackers are at least as sophisticated and devious – and successful - as the fictitious ones we see in films and read about in thrillers.

In my career, I oversaw IT projects across several countries, and did a lot of computer software development myself. My experience gave me insights into the weaknesses that exist and other risks businesses face with their IT systems. I frequently visited customers that included some of the biggest multinationals, amongst them major banks, a motor manufacturer, an electronics giant, and several pharmaceutical companies. Most had stringent controls over physical entry to their offices and factories, and massive IT departments. (You can read my recollections of some of these visits in my travelogue “There’s No Business Like International Business”). Nevertheless, in every one that I spent time in, I found it increasingly easy to see “chinks in the armour”. Indeed, on several occasions I witnessed actions of other visitors and certain staff that made me very uneasy (I duly reported them; I have no idea what action, if any, was taken).

A surprisingly large number of large companies – and an even larger proportion of small ones – still pay too little attention to the risks they face. They would probably claim that they lack the resources, or feel that their business is of little interest to others. However, the cases that have come to public attention have demonstrated the extent to which industrial espionage can damage a company – not just its stock price, reputation, and legal implications. Almost certainly, most cases fly under the radar, undetected or unreported. The organisation whose secrets are stolen either never finds out, or only discovers months or years later, by which time they cannot know when or how it happened, nor prove their case.

Over more than 30 years, Oliver Dowson built a multi-national business from scratch. Retired, he turned to writing, and has now published four books – a travelogue, ‘There’s No Business Like International Business’, and the first three thriller novels in his series ‘The Repurposed Spies’ that fictionalise different scenarios of industrial espionage. oliverdowson.com

Main image courtesy of iStockPhoto.com and DNY59