Safeguarding the company's jewels

Scott Lazzara
Director
Probe/Strategic Intelligence
Chicago, Ill.

Edited by Stephen J. Mraz

Is economic espionage for real? Well according to FBI Special Agent David Drab, Fortune 1000 companies suffered losses of more than $45 billion from thefts of propriety information in 1999 alone. And as of last June, the FBI had more than 800 cases of industrial espionage under active investigation. Is that real enough for you?

But are you or your company a target of these thefts? You be the judge.

What is economic espionage?
The Economic Espionage Act of 1996 defines economic espionage as the theft of trade secrets, technologies, research, or other information developed by business enterprises in the U.S. In other words, it's theft of your financial, business, scientific, technical, economic, or engineering information. The Economic Espionage Act goes on to specify items that fall into those categories and they include: "patterns, plans, compilations, program devices, formulae, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled or memorialized... if it's reasonably protected and has value."

Therefore, anything you deem worthy of protecting for the welfare and success of your business could be a trade secret.

Of course, you must attach economic value to the information, and it must not generally be known nor determined through public means.

The types of information considered trade secrets could fill a book. So it might be wise to broaden your perception of trade secrets and proprietary information. For instance, you may never have thought that the number of people you have on a shift would be of much interest to anyone, much less that it should be a secret. You'd be wrong, and someone could be sitting across the street from your employee parking lot tonight keeping track of cars and people going in and out. Why? Well, if you recently added that shift to accommodate a new product or a big order, someone might find that information very interesting. And useful.

But is it illegal? Is there anything criminal about someone loitering outside your plant, counting cars or people? No. For the act to qualify as economic espionage, it must be the theft of protected information. Was secret information taken illegally? Once again, the Economic Espionage Act spells things out. Actions considered theft involve: the unauthorized copying, duplicating, sketching, drawing, photographing, photo-copying, replicating, transmitting, delivering, uploading, down-loading, mailing, or communicating information a company has taken reasonable measures to keep secret.

Was it stolen by fraud or deception? Was there bribery or blackmail involved? Was it perpetrated by hackers or wiretappers?

In other words, if someone posed as, let's say, a pizza delivery guy, entered the office of your vice president of manufacturing and stole or photocopied a shift schedule off his desk, that's illegal. Or if he bribed the foreman to get the list. Or blackmailed the vice-president's secretary.

Identifying potential leaks
The first line of defense is a company's building security. But even that has leaks. Mark Apel, president of Titan Electronics, a Chicago-based security company points out one of the major defects in most companies: employee complacency. "People can pose as executives, messengers, copier technicians or whatever. Total strangers can usually walk right into any company if they wear the right uniform, whether that's a suit or a maintenance uniform, carrying a clip board or toolbox."

But according to the FBI, most thefts are perpetrated by insiders, including disgruntled employees and ex-employees.

Of the 24 cases prosecuted under the new Act so far, 18 involved insiders. Every employee, from the CEO to the delivery person, is a potential source of proprietary information. Their motives may range from revenge to money to ego. These people, who could be frustrated, annoyed, irritated, disturbed or just plain grumpy, may try to sell proprietary information or trade secrets, usually to a domestic competitor, and sometimes to foreign competitors or governments.

Employees and clients can also give away secrets inadvertently. A prime example is the company sales force. These people go from company to company, and they make their living talking.

Companies also willingly open their doors to visitors. Unfortunately, they sometimes open too many doors or the wrong doors. Then there are the vendors, suppliers and contractors who have a legitimate need to know your plans, specs, and deadlines. Any of these people can hurt you, unintentionally perhaps, but seriously, nonetheless. Even casual conversations on the golf course, in the locker room, at a bowling alley, during a party, or in a conference or seminar present opportunities for someone to extract information on your company. Odds are, they won't even have to pry it out of your people. The data will be offered out of hand and with a smile.

This type of activity is not illegal. In fact, there's a legitimate place in every organization — including yours — for competitive intelligence. But it is a crime if proprietary documents are taken from your open briefcase in your hotel room. Or your laptop is lifted. Or your disks are swiped. Maybe your files are uploaded or downloaded ala Mission Impossible. It's not impossible. It happens every day.

"People think that just because 'I've got all my data in this notebook and it's with me' that the data is safe," says Apel. "They should realize there are times when that notebook is not with you. You don't take it to dinner with you or into the shower. So there are times when that notebook carrying your most important schedules, details, information or plans for the future, is vulnerable. The thief doesn't need to physically take anything. He or she just needs to download it," Apel explained.

Plugging those leaks
Once you've identified your trade secrets and estimated their potential value, you should take "reasonable measures" (according to the EEA) to protect them. After all, if they're valuable to you, they're probably valuable to someone else. So let's look at ways you can protect yourself and your company from economic espionage.

Today there are biometric devices that can identify you by "reading" your palm, voice, eyes, or face. They're all being used to control access to companies' trade secrets. So are fingerprints, thumbprints, hand geometry, magnetic cards, bar codes, PIN numbers, and keypads. This technology can deter, if not always thwart, economic espionage. And it doesn't need to cost that much.

Early security technologies were expensive, says Apel. Only the federal government could afford them. But as the costs came down, companies in the private sector began using the technologies to protect their assets. "Advertising agencies were among the first to adopt systems which would limit access," he says. "They weren't worried so much about physical property such as typewriters and computers being stolen. They were concerned about information such as storyboards and marketing campaigns being seen or compromised. When you have clients like Oscar Meyer and McDonalds, there can be a lot at stake." Other early adopters of cutting-edge, high-tech security measures include legal and financial organizations such as banks, stockbrokers, and law firms.

Today, almost every company needs to be aware of their vulnerability and take steps to protect themselves. Here's a game plan that will help companies protect trade secrets:

Step One: Start a company-wide effort. "The majority of firms, even dotcoms, are getting actively involved up front in protecting their trade secrets rather than waiting for a company-defining event that could shut them down," says Apel. "They're being proactive but they're not always keeping the big picture in mind. They need to create a securityminded atmosphere or attitude throughout the company. They must emphasize that security is important and it's everybody's job," Apel explained.

For example, many companies have a security system controlling access to the company spaces. But what happens if someone "tailgates" you as you're entering? "If someone comes in behind you, it is your mandate to ask them if you can help them or who they're looking for," explains Apel. "So, while companies are investing in these systems, it's still necessary to create employee awareness as well."

Step Two: Find out where you are vulnerable. Bring in a vendor or a security consultant, someone who understands where you are in your business cycle as well as your particular risk factors. They'll review your security plans, physically audit your premises, and recommend options on systems and staffing.

It's important to find a dependable security source or consultant with a good reputation. Ask around. Find out who's done a good job for other companies. Apel also urges companies to limit their choice of consultants and security vendors to local or regional firms. "When you have a security problem, you want it solved now, not next week."

Companies should look for a balance between manpower and systems. There's no system, no matter how high tech, that can totally secure a site without the appropriate staffing. Firms that offer only security-guard forces may see electronics as a competitor which reduces the need for manpower. And some firms that are primarily electronics-based may downplay the need security officers. Hence, the need for balance.

"Protecting your trade secrets invariably involves perimeter security: lobby control, authorized access," says Mike Mairson, vice president of Titan Security Services Inc. "Virtually everyone needs some type of security plan. But regardless of the system, somebody also needs to watch the watchers. What good is an elaborate camera system if the tapes aren't reset on Saturday and Sunday? What if there's not enough backup for your computers? Or if the backups aren't properly secured?"

According to Mairson, the responsibilities of a security force can include your physical security layout, parking control, external and interior access control, closed-circuit television and alarms, a manned security presence on-site, and internal and external disaster control.

Step Three: Concentrate on integrated systems. Rather than having stand-alone systems such as a separate card-access system, a monitoring system, an intercom system, and a closed circuit TV system, all these systems should be interconnected so they can act in unison.

For example, when a door that should be locked is suddenly opened, the following should take place: Lights and cameras in the area should be activated and the security staff alerted. The CCTV system should record the events and show what's happening on a full-sized monitor, not a small, multiscreen display. Other doors should close and lock, isolating the affected area. "The facility should be able to respond automatically," explains Apel.

Access control, one of the first systems that should be installed as part of a security effort, should consist of layers around the perimeter. "Visitors need to be identified, signed in, and escorted. Then you need to develop a second perimeter," says Apel. "Even if people are escorted, they should be restricted to specific sections of the facility. High-priority areas that are more sensitive such as computer rooms, LAN areas, executive wings and R&D labs should be contained inside a third perimeter. It's like an onion. You're defining what is appropriate and necessary for a person to do their job and restricting their access to anything beyond that."

Step Four: Consider all your soft spots.
Asset control. Many items such as parts, assemblies, prototypes, plans, drawings, and documents are trade secrets. Attach electronic tags to them for protection. Then, equip each entry and exit point with an overt or covert system to read what's passing through. Items can even be matched to the person carrying it. If they're not authorized, alarms go off.

Internet and E-mail. Create and communicate a policy that's clear and specific about use, misuse, and abuse. The policy should address appropriate sites, personal time, downloads and news-group participation, to name a few. Before monitoring employees' Internet use, consult an expert regarding software and Freedom of Information Act issues.

Vulnerability outside your fortress of security. Do your people travel extensively? If so, make sure they are briefed on their destinations, along with people and places to avoid.

And what about that laptop left on the desk in the hotel room? Today notebook computers can be made so secure that only authorized users should be able to log onto the notebook or use the modem.

Run background checks on prospective employees. It's natural for job candidates to project themselves in the best possible light. And it's not unheard of for them to slightly stretch the truth or outright lie about their backgrounds on resumes. That's why it is important to check the backgrounds of potential employees.

Background investigations can uncover situations as varied as money problems, emotional instability, or a criminal past, says George Scharm, head of TSS Consulting Group, a full-service detective agency in Illinois. He recalls one investigation in which an accountant had conveniently left a small bit of trivia off his resume: He'd been convicted of embezzlement in another state. "If you hire a person who knows how to steal, the odds are he's going to steal from you, too," says Scharm. "It's just crazy not to do background investigations."

Scharm also tells corporate clients to have job candidates fill out and sign a job application. "It carries more weight in court than a resume, especially if the application contains a statement crafted by your legal eagles stating the candidate gives permission to verify their information."

Step Five: Get the word out.
Special Agent Drab has two recommendations. The first priority is to make all employees aware of the problem. Get them to think of information as your company's crown jewels and to believe someone out there wants it. "If everyone's not sensitized, then the company's response will be strictly reactive. They'd just be putting out fires and patching holes," notes Drab. "It should be a proactive effort to protect the company's most valuable assets."

He also recommends establishing principles of ethical conduct for your employees. Let them know that business is to be conducted in an atmosphere of quality, honesty, and fairness. And that conflicts of interest, unauthorized use of company property, or infractions that jeopardize proprietary information will not be tolerated. Be specific, be clear. And be ready.