Protecting trade secrets resources

No one wants security

General resources

Having used and enjoyed them both as part of our research for this month’s awareness module, we’d recommend either of Ira Winkler’s first two books if this topic is important to your organization (which it almost certainly is). For more info and Amazon links, read our book reviews here and here.

Despite the title, Dan Verton’s The Insider is about outsiders and insiders. Although lacking in insightful analysis, this book is stuffed with real world examples of industrial espionage, theft of trade secrets and the like.

Dirty Tricks (~$15 from Amazon) tells the story of British Airways’ smear campaign against Virgin Atlantic, a wonderful example of what can go wrong when corporate rivalry gets out of hand.

Managing Knowledge Security: Strategies for Protecting Your Company's Intellectual Assets by Kevin Desouza (~US$53 from Amazon) focuses on the human aspects of securing trade secrets. While the book’s content may be old hat to some, the author’s clear and engaging style may help business executives understand the issues that surround them.

Competitive intelligence

The Society of Competitive Intelligence Professionals (SCIP) is a professional body supporting marketers and other CI pros.

An interesting article in CSO Magazine goes step-by-step through the processes one might use to snoop on a competitor. In addition to the aboveboard use of public records and websites, the article touches on less ethical, if not actually illegal methods such as persuading employees to part with information on the phone (known as “pretexting”, a form of social engineering). It ends with a somewhat xenophobic section about the dangers of bugs, bribery, theft and extortion “in other countries” (not the USA, of course, oh no).

Dumpster diving is a rather distasteful and messy but nonetheless effective way to obtain proprietary and other private information from a careless competitor.

A KPMG employee was socially engineered by a competitive intelligence company to disclose confidential details about a client. Auditors are generally highly aware of the risks and understand their responsibilities towards client confidentiality so if they can be fooled, imagine how vulnerable the rest of us are.

Information warfare

A survey on outbound email content scanning found that around a third of the 400+ US and UK companies surveyed (each with 1,000+ employees) have been impacted by the exposure of sensitive or embarrassing information in the last 12 months. More than a third! They estimate that around one in five outbound emails contains sensitive information that poses a legal, financial or regulatory risk. Given that not all organizations scan outbound email content, the true figures seem likely to be even higher.

The Intelligence Threat Handbook, a non-classified document written by US military agencies, includes chapters on foreign espionage, economic espionage and IT. The Cold War may be over but government- and commercially-sponsored espionage is alive and kicking.

In the nascent market for zero-day vulnerabilities, some organizations are willing to offer a bounty for security bugs and some hackers are willing to trade their l33tness for cash. WabiSabiLabi is a new marketplace matching buyers with sellers - a kind of eBay for zero-days. I expect industrial and military spies are looking forward to market day.

Transparency International’s annual Corruption Perceptions Index indicates the countries where there are issues with corruption and a general lack of ethics. Beware competitors from countries at the bottom of the list (but not only them!).

Pretexting (in plain English, pretending to be somebody you are not, to get something you probably shouldn’t have, to use in a way that’s probably wrong) was a factor in the HP scandal that broke in September 2006. In short, HP employed private investigators to trace the source of a boardroom leak. The investigators allegedly used pretexting to get phone information from the phone companies.

An Israeli couple were convicted in connection with writing and selling a Trojan horse program to private investigator customers to spy on others. A handful of well known companies were caught up in the scandal. According to the original story, police discovered the plot following a lead from an Israeli author whose London-based former son-in-law was accused of disclosing parts of a book he was writing. The existence of the Trojan was not in dispute, along with the fact that it was distributed on a ‘promotional CD’. The author, however, claimed that it is legal and is ‘not his fault’ if it was misused for illegal/unethical purposes.

Forget hackers - watch out for competitors makes the point that your competitors have the motivation to obtain confidential information from your organization. If your access controls are not up-to-scratch, you may not even be aware of their incursions let alone being able to prevent them.

The Korean Defense Security Command is said to be transferring spooks from conventional military counter-espionage to industrial counter-espionage duties.

Theft of source code by employees is recognized to be a growing issue. In India, programmers have reportedly been stealing source code from their employers for use in their own competing companies/products.

A slightly xenophobic article nevertheless analyzes the threat of corporate espionage. “Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. ‘Seventy-five to 85 percent of all theft per se is done by an insider,’ said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association.”

Secrets of Superspies, a conference keynote presentation by Ira Winkler, has the usual hallmarks of his case-study style plus the analysis to explain what makes corporate espionage such a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors.

Slurp is a program to download MS Office files from the C: drive to an iPod through the PC’s USB connector. Someone with physical access to the PCs in your office (perhaps an unescorted visitor, maintenance worker or cleaner) may have much more than ripped MP3s on their iPod.

Blogs are great for free speech and personal expression but are not necessarily in keeping with corporate security, marketing and legal requirements. This blog entry points to a number of blogging guidelines on the web that should prove useful if you are considering your own corporate policy in this area (in addition to that supplied in the NoticeBored awareness module in August 2007).

Imagine for a minute that you are the Head of HR who’s just been informed that one of your employees is actively blogging on the Internet, including a few decent but slightly provocative photos of them in company uniform on company premises. What do you do next? Delta Air Lines responded in just this kind of situation by firing employee Ellen Simonetti. Naturally, Ellen continued to argue her case through blogging, with the added buzz of global news media interest. The case was doubtless more complex than portrayed but this one incident is just the tip of the iceberg. A good proportion of bloggers, newsgroup/wiki/bulletin board contributors and other self-publicists out there are no doubt employed by someone who would probably not be terribly amused to see what they post online. How many organizations have an IT incident plan that provides for a measured and sensible response to this kind of incident? How many even have a policy statement that clearly defines management’s expectations on employees re work-related third-party communications? It’s a fascinating conundrum.

A small New Zealand farm has been sabotaged by someone who emailed its customers with (fake) news about a product safety recall, presumably spoofing the farm’s email address on the From: line. According to the news story, the company owner said they ‘had spent $7000 upgrading its computer firewall security four months ago. “I’m just trying to get to the bottom of this to see how it happened.” He said only two people – he and his wife – knew the password to the database.’ [It is not clear from the article whether their systems have actually been penetrated since email spoofing does not require access to their systems. A mature incident management process includes assessment and analysis activities prior to taking any corrective actions ...].

A typical military-style guide to classifying information relates purely to confidentiality. Six different classes are defined. The notes include examples of the types of information plus the protection to be applied in each class.

A classic espionage case is an excellent example of the techniques available to both high-tech spies and high-tech investigators. In this case an FBI agent assigned to the White House was secretly passing classified information to coup-plotters in the Philippines.

Non-Disclosure Agreements (NDAs)

A Professor of business law who posted a student’s essay on a website has been accused of libel. The essay is said to have referred to a manager at a company persuading a new recruit to divulge proprietary information belonging to his former employer in contravention of a non-disclosure agreement.

Example NDAs are all over the Web - they are evidently not considered terribly confidential in themselves. If you want to browse nearly a million hits, Google is your friend. Here’s a smaller selection: NERC, Apache, OneCle.

Confidentiality clauses in employment contracts have to strike a balance between the interests of the employer and employee. Excessively restrictive clauses which unduly prevent a former employee from using general knowledge and information properly obtained in the course of employment may prove unenforceable, whereas excessively lax or missing confidentiality clauses may lead to former employees abusing confidential information belonging to their former employer. This is (yet another) complex legal situation relating to both security and employment.

“An NDA is only as good as the integrity of the company signing it,” cautioned Richard Lang, CEO of Burst.com. In 2000, Burst became an official Microsoft partner, signed an NDA and shared details of its patented video-delivery technology with the software giant. The relationship subsequently failed, but Burst pursued Microsoft through the courts, claiming that Microsoft stole confidential information obtained during the original negotiations.

Trade secret incidents

‘Forced disclosure’ can be a concern for organizations facing regulatory and legal inquiries into their business practices, such as British supermarket chains Tesco and Asda.

CA sought $200m from Rocket Software, claiming they used CA's intellectual property for their own database management system.

The McLaren racing team was accused of obtaining a confidential Ferrari engineering dossier. McLaren did not dispute that the information exists but claimed only their chief designer had it. It’s hard to think of a more competitive environment than Formula 1. The dispute was eventually settled in 2008. Update August 18th

“Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail”. Victims were lured to a site using fake job ads and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.


Related NoticeBored links collections

Insider threats, confidentiality, hacking, incident management, IT fraud, physical security, privacy and third parties.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd.