Action Plan: Confronting Digital EspionageBy John McCormick | Posted 2004-12-01 Email Print
Steps to take to secure your secrets.
The FBI ranks espionage—including economic espionage—second only to terrorism on its list of threats to combat domestically. Where does defending against digital spies fall on your priority list?
"Don't assume it's not happening," says Mark Lobel, a director in PricewaterhouseCoopers' security services practice.
Among the steps FBI cybercrime agents and other counter-espionage experts recommend that companies take to protect their trade secrets and intellectual property:
Identify secrets. Companies designate items such as drug formulas and new product designs as trade secrets and take particular measures to protect those assets.
Don't say everything is a corporate secret; that leaves too much to defend. Do a real inventory of assets so you don't leave corporate valuables unsecured. But then make clear judgments of what really needs defending.
For instance, while a new drug formula might seem an obvious choice, what about the sophisticated manufacturing or distribution processes that greatly reduce the cost of producing it? The litmus test: What would happen to your business if a competitor got a whiff and copied the formula, design or process?
In any case, take a good, hard look at your entire business. "You're never going to secure it if you don't know it's there," Lobel says.
Inform employees. Corporations often fail to inform employees working in areas such as new-product development that secrecy is vital to the company's future success.
Manny Alvarez, a special agent working in an FBI cybercrime unit in San Jose, says companies need to make it clear that information about the project they are working on is not to be disclosed or in any way taken out of the company. Draw up non-disclosure agreements and have employees sign them. Conduct intellectual property education seminars at least once a year.
Plot your defenses. Safeguards are not just physical, according to Gideon Lenkey, president of Ra Security Systems, a company that specializes in vulnerability assessments.
The information-technology staff needs to make sure there's a full suite of security software in place—firewalls, intrusion-detection software and network monitoring are all essential to securing corporate computer systems. Managers need to set policies on what system can be accessed by which employees, and authentication controls, such as passwords, need to be established. And employees need to know the basics—such as not giving out user names and passwords over the phone.
In Lenkey's words: "It's people, process and product."