Enterprises are stepping up efforts to counter spying operations that aim to steal their trade secrets, according to a former US Federal Bureau of Investigation agent who now works for Xerox.
Companies such as Wal-Mart, DirecTV and Motorola have in recent years been victimised by employees or others who stole sensitive data, said David Drab, a principal in the Xerox information and content security services section. Drab spent 27 years in the FBI fighting organised crime and economic espionage.
"The payoffs are high and the risks of getting caught are low," Drab said at the RSA Europe conference in London.
A study by PricewaterhouseCoopers found that economic espionage costs the world's top 1,000 companies £22.4 billion annually, Drab said. Another study by the Society for Competitive Intelligence Professionals found companies spent $2 billion (£1.28 billion) on spying activities in 2004.
"The secret of business is knowing something that no one else knows," Drab said. "That's hard to keep in this world. Keeping critical information is difficult to do."
Enterprises are victimised in a few different ways. One is "walk-offs," where employes steal data and found their own company. Another is "hire-offs" where other employees go and work for the one who stole the data. Those scenarios affected both Applied Materials and Qualcomm, Drab said. Airline manufacturer Boeing was damaged by an employee who was recruited by China to steal information on projects such as the Space Shuttle throughout the 1980s and early 1990s.
Spying operations are very difficult to detect, especially if the person who is carrying it out is professionally trained, Drab said. And when a company does suspect something and approaches law enforcement, they often don't know exactly what has been stolen.
Defending against espionage requires knowing who has access to product development, marketing, sales and engineering information, Drab said.
Policies and procedures for handling confidential information should be clearly communicated to employees, Drab said. In some cases, employees who have access to sensitive data should be given extra incentives for doing well since their departure with that data could be damaging.
Absent technological controls, employees should also be observed for inconsistent behavior, such as sudden lifestyle changes, frequent overseas trips, security infractions or disciplinary problems, all of which can precede an information breach.
"Espionage is a huge problem, there is no question about it," Drab said. "Too often we look for technology to solve things that can't be solved."