Some information spies navigate the hiring process with every intention to steal corporate secrets for a competitor or foreign state once inside. Others turn against an employer when angered and leave, lured by job offers and incentives to haul out as much data as they can when they go.
Meanwhile, enterprise efforts to spot traitors and limit their access to sensitive data may not be enough. With the right job and the right access, operatives posing as janitors, mailroom employees, or IT staff can skirt efforts to defend data, using their broad access to walk data out the door.
CSO looks at enterprise barriers to these information sleeper agents, how corporate spies get past the protections, and what security leaders can do technically and otherwise to keep their data vaults safe from prying eyes.
Corporate spies enter from other organizations by genuinely qualifying for the work at hand while keeping their intentions hidden. Unfortunately, totally avoiding prospects who work for competitors may be difficult to impossible, if not undesirable because people want to recruit people from their competitors. "Competitor employees have the skills, market intelligence, and experience the enterprise wants, so they are prime candidates," says Sol Cates, CSO, Vormetric.
Competitors also bribe formerly loyal employees, transforming them into funnels for valuable data, syphoning it out to use as leverage for gaining marketplace advantage.
How many enterprises attempt to mitigate these imposters
Many enterprises perform the simplest of background and reference checks and don't do enough digging to uncover ulterior motives. "Even some government contractors who routinely deal with classified information rely exclusively on the background checks provided through the security clearance process and don't do additional checks," says Philip Becnel, Managing Partner, Dinolt, Becnel, & Wells Investigative Group. This level of investigation won't cut it because corporate spies who are loyal to their country but not their employer will share classified data with other business entities.
Enterprises can do legal background checks to ensure that a previous employer has not sued the candidate for stealing corporate data and intellectual property (IP). "But that only helps if the candidate already committed acts of corporate espionage and the former employer caught them," says Cates.
Once an enterprise hires a candidate, it will add physical and IT access control technologies, document shredding, and surveillance to its tool belt to uncover or secure against corporate spies. But much is still lacking.
Tip toeing into the corporate treasure troves
Agents of corporate espionage dive through the cracks between the typical components of most background checks. The enterprise looks at employment history, criminal records, and driving records. But this is all about what the candidate has done, not what they intend to do now. "It's not like a polygraph test or other metric a company might use when screening people for sensitive government jobs," says Cates.
Perpetrators of corporate espionage get close to the data by entering through the least monitored yet most advantageous jobs for spying. "It's far easier to infiltrate a company as a lower level employee such as a janitor or mailroom staff member where the bar is much lower and the spy still gets the keys to the kingdom," says Becnel.
It's even easier to recruit someone who already works at the target company than it is to push a spy through the hiring process. "It's also very difficult for the enterprise to catch someone who is already inside," says Becnel.
"It's common for a competitor to approach a disgruntled employee, offer them a job with more compensation, and ask them to take all the sensitive data available before leaving the company," says Becnel. They may access electronic data or simply use their smartphone to record internal meetings and phone calls.
When recruiting current employees, the biggest prize is often the IT professional who has full access to every piece of data and whom the company does not audit. "Some of the largest espionage events were performed by IT people," says Cates.
Shut them out or lock them down
Deep, thorough background checks are a good start for securing companies against unwittingly hiring an operative who is working for a competitor or a foreign state, except when hiring them into the lower positions. "Vet lower level employees as you would vice presidents," says Becnel. When hiring someone away from a competitor, be especially careful in checking their background and intentions. Consider the cost of using lie-detector tests against the cost of not using them. Look at the likelihood and severity of the risk of losing data through a corporate spy. If you can afford to use these as mitigation tools or you cannot afford not to, then use them.
Use HR to ensure the company is mentoring new hires and monitoring their behavior. "Make sure they understand their job function and are performing it adequately," says Cates. Deviations can be clues that they are using work time for something else, perhaps for spying.
Use technology to identify and limit employee exposure to sensitive information such as IP, customer data, and anything that might be tempting to a corporate spy. Make sure to have the appropriate controls in place to monitor employee access to sensitive information.
By auditing ever expanding Big Data, the enterprise can maintain an awareness of what needs protection so that it can apply the strongest protections to the most sensitive information. Audits can update the enterprise as to the amount of data, new data types, and increased data sensitivity so it can go back to square one with risk and impact analyses to determine again what to secure most. Then the enterprise can decide how to secure the varying data and data stores, and how to adjust access controls based on roles, responsibilities, and knowledge of who should see or touch the information.
To guard against disgruntled employees as spies, be nice to them. "A well-compensated, well-treated employee is far less likely to betray you," says Becnel.
Other approaches to stall corporate spying include having people sign non-compete agreements and posting corporate policies about the company monitoring and logging computer usage. "This may give a disgruntled employee some pause before dumping sensitive data onto a thumb drive before leaving to work for a competitor," says Becnel. It can also give companies legal recourse after the fact.
As for IT professionals, the enterprise can enable them to do their jobs without them seeing the data by using encryption and access controls that security, not IT, manages. "IT professionals don't need to see the data to back it up, for example," says Cates. By maintaining the encrypted state of the data and keeping the key in someone else's hands, an enterprise can prevent even systems administrators from becoming successful data spies.
Knowing who the spies could be may have to be good enough. Check, watch, and limit everyone so they can do only good. Know changing data to secure it successfully.