Some information spies navigate the hiring process with every intention to steal corporate secrets for a competitor or foreign state once inside. Others turn against an employer when angered and leave, lured by job offers and incentives to haul out as much data as they can when they go.
Meanwhile, enterprise efforts to spot traitors and limit their access to sensitive data may not be enough. With the right job and the right access, operatives posing as janitors, mailroom employees, or IT staff can skirt efforts to defend data, using their broad access to walk data out the door.
CSO looks at enterprise barriers to these information sleeper agents, how corporate spies get past the protections, and what security leaders can do technically and otherwise to keep their data vaults safe from prying eyes.
Corporate spies enter from other organizations by genuinely qualifying for the work at hand while keeping their intentions hidden. Unfortunately, totally avoiding prospects who work for competitors may be difficult or impossible, and it is often undesirable, because enterprises want to recruit people from their competitors. "Competitor employees have the skills, market intelligence, and experience the enterprise wants, so they are prime candidates," says Sol Cates, CSO, Vormetric.
Competitors also bribe formerly loyal employees, transforming them into funnels for valuable data, syphoning it out to use as leverage for gaining marketplace advantage.
How many enterprises attempt to mitigate these imposters
Many enterprises perform the simplest of background and reference checks and don't do enough digging to uncover ulterior motives. "Even some government contractors who routinely deal with classified information rely exclusively on the background checks provided through the security clearance process and don't do additional checks," says Philip Becnel, Managing Partner, Dinolt, Becnel, & Wells Investigative Group. This level of investigation won't cut it because corporate spies who are loyal to their country but not their employer will share classified data with other business entities.
Enterprises can do legal background checks to ensure that a previous employer has not sued the candidate for stealing corporate data and intellectual property (IP). "But that only helps if the candidate already committed acts of corporate espionage and the former employer caught them," says Cates.
Once an enterprise hires a candidate, it will add physical and IT access control technologies, document shredding, and surveillance to its tool belt to uncover or secure against corporate spies. But much is still lacking.
Tiptoeing into the corporate treasure troves
Agents of corporate espionage dive through the cracks between the typical components of most background checks. The enterprise looks at employment history, criminal records, and driving records. But this is all about what the candidate has done, not what they intend to do now. "It's not like a polygraph test or other metric a company might use when screening people for sensitive government jobs," says Cates.