The Spy Who Checked In: Counterintelligence for the Frequent Flyer

Executive Summary:

  • Corporate espionage is the act of stealing proprietary information, trade secrets, or intellectual property from a business and providing the stolen information to another competing organization.
    • Often, corporate espionage can be sponsored or facilitated by governments seeking to obtain national security secrets from government contractors and manufacturers.
    • Opportunistic corporate espionage can also occur when a passerby sees sensitive or perceivably valuable information.
  • Intellectual property (IP) theft, obtained through corporate espionage, carries a significant monetary price tag, but can also damage a company’s reputation, resulting in decreased brand value.
    • The annual cost of IP theft to the US economy ranges from $225 billion to $600 billion or about 1-5% of the US’ GDP.
  • Practicing good social and cyber hygiene, as well as employing counterintelligence techniques, can greatly mitigate the risk of intellectual property theft and corporate espionage while on business trips.
    •  For a more customized and bespoke traveling threat assessment consider contacting ask@rmsiusa.com to help mitigate the risk of corporate espionage. 

 

Movies and television shows have conditioned many to think of “spies” as immaculately dressed men and women with a myriad of advanced technological devices and gadgets. While this portrayal makes for good entertainment, espionage can take on a much more mundane look. Espionage is not an activity limited to government operatives; in fact, a large percentage of spying is conducted in the private sector.

Corporate espionage is defined as the act of stealing proprietary information, trade secrets, or intellectual property (IP) from a business and giving or selling it to another. This can involve government actors, private sector businesses, or opportunistic individuals trying to get quick monetary compensation from an unprepared or unsuspecting traveler.

Disgruntled employees, corporate plants, and business partnerships designed for intelligence gathering are all part of corporate espionage. Opportunistic corporate espionage or IP theft can occur when a traveler unintentionally broadcasts their employer, possible business relations, position within their company, type of work, and more. Ironically, many businesses unintentionally promote this behavior in two ways: by providing branded corporate merchandise, which exposes employment affiliation, and by encouraging working on vacation, which can force individuals to use company devices in remote or cramped places where they can be monitored by unknown individuals.

Intellectual property (IP) theft, obtained through corporate espionage, carries a hefty price tag, impacting businesses, individuals, and the overall economy. Estimates of the annual cost of IP theft to the US economy range from $225 billion to $600 billion – or about 1-5% of the US’ GDP. The impacts can be even more costly when they impact national security.

However, the same principles and best practices taught to government operatives can be employed by the corporate business traveler. Counterintelligence strategies for business travelers are essential to protect sensitive corporate data, personal information, and overall business interests. Business travelers—especially those working in tech, defense, finance, or other critical industries—can be targets for espionage, theft, or cyber intrusion and should implement pre-travel, mid-travel, and post-travel preparations to mitigate associated risks.

Pre-Travel Preparations or Pre-Operational Research:

Before even arriving at the airport, there are several counterintelligence steps individuals can take to greatly mitigate the risk of IP theft. Business travelers can limit data exposure by only taking essential data, devices, and documents necessary for the trip. If possible, consider using a loaner or “clean” device that does not have an abundance of sensitive personal or company data. Additionally, tech devices can be “hardened” by ensuring all software and firmware are running the latest updates, minimizing security flaws or gaps. Full disk encryption should be enabled, and unnecessary wireless features should be disabled. Strong passwords and two-factor authentication are essential for all devices housing personal or proprietary data.

The devices themselves should be plain and void of anything that could associate the owner with a specific employer, industry, or ranking within their organization.

Many countries either look the other way on corporate espionage or secretly fund IP theft. Consequently, it is essential to research and understand country-specific threats. China, Russia, Iran, and North Korea are known state-sponsors of corporate espionage. Understanding the risk posed by these nation states and checking government travel advisories can help mitigate the risk posed by these countries.

Mid-Travel or Operational Countermeasures:

During travel, it is essential to maintain physical security. Never leave tech devices, personal or work related, unattended; this includes in hotel rooms, taxis, or meeting rooms. Recently, in the United States, a rideshare driver in Saint Louis secretly live-streamed his passengers. Consider all hotel safes and security boxes compromised, as some can be accessed by staff or hotel employees. Be sure to always carry devices in your carry-on luggage and not in checked bags.

Use counterintelligence measures to combat surveillance. Assume all conversations in public, whether in airports, taxis, hotels, or even cell phone calls, can be intercepted and overheard. Be extremely cautious when connecting to public Wi-Fi hotspots and use a trusted and secure VPN at all times. When possible, avoid logging into sensitive accounts from public computers or while attached to unknown networks. 

Be aware of social engineering and its different tactics. Social engineering, in the context of information security, is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Out of caution, do not share business details with strangers or in casual conversations, and be sure to authenticate or verify the identity of anyone approaching and claiming to be representing business matters.

Lastly, always be aware and monitor all devices. When online, look for unusual behavior or pop-ups, as this can be a sign of tampering or the installation of malware. Be sure to turn off and restart all tech devices daily to minimize the persistence of some types of spyware or malware. 

During travel, always assume the lodging accommodations and meeting rooms may be monitored. Try to avoid discussing sensitive or proprietary information while in the hotel room, even on the phone. To the extent possible, inspect the room for tampering; this could look like misplaced items, new devices, or small holes for cameras or microphones. Only use company-approved tools for video conferencing and messaging, and be sure to disconnect from hotel Wi-Fi when devices are not in use. To secure communications, use encrypted messaging applications such as Signal, WhatsApp, or Proton Mail and, to the extent possible, avoid using standard SMS or unencrypted email when transmitting sensitive data.

 

Post-Travel Debriefing or After-Action Report:

Upon returning from business travel, be sure to have your company’s Information Technology (IT) team examine tech devices for signs of compromise, including malware infection and data exfiltration. Change all passwords that were in use during the trip. Report any suspicious contact or activity to your corporate security or compliance team and be sure to include details such as unusual interactions, access requests, or irregular device behavior. If using a loaner device, erase all data and reset it to factory settings before reintroducing it to the company network.

Practicing good social and cyber hygiene, as well as employing counterintelligence techniques, can greatly mitigate the risk of intellectual property theft and corporate espionage while on business trips. For a more customized and bespoke traveling threat assessment consider contacting ask@rmsiusa.com to help mitigate the risk of corporate espionage.

About RMS International:

Founded in 2012, RMS International provides ad hoc and contracted close protection, estate security, international travel management, corporate executive protection, personnel and asset security, and discreet investigative services.  Operating a state-of-the-art Risk Operations Center in West Palm Beach, they provide 24/7 overwatch of global operations in Asia, Europe, Africa and throughout the Americas.  RMS International delivers peace of mind in a chaotic world.  Connect with us at RMSIUSA.com.