Perpetrators of corporate espionage get close to the data by entering through the least monitored yet most advantageous jobs for spying. "It's far easier to infiltrate a company as a lower level employee such as a janitor or mailroom staff member where the bar is much lower and the spy still gets the keys to the kingdom," says Becnel.
It's even easier to recruit someone who already works at the target company than it is to push a spy through the hiring process. "It's also very difficult for the enterprise to catch someone who is already inside," says Becnel.
"It's common for a competitor to approach a disgruntled employee, offer them a job with more compensation, and ask them to take all the sensitive data available before leaving the company," says Becnel. They may access electronic data or simply use their smartphone to record internal meetings and phone calls.
When recruiting current employees, the biggest prize is often the IT professional who has full access to every piece of data and whom the company does not audit. "Some of the largest espionage events were performed by IT people," says Cates.
Shut them out or lock them down
Deep, thorough background checks are a good start for securing companies against unwittingly hiring an operative who is working for a competitor or a foreign state, except when hiring them into the lower positions. "Vet lower level employees as you would vice presidents," says Becnel. When hiring someone away from a competitor, be especially careful in checking their background and intentions. Consider the cost of using lie-detector tests against the cost of not using them. Look at the likelihood and severity of the risk of losing data through a corporate spy. If you can afford to use these as mitigation tools or you cannot afford not to, then use them.
Use HR to ensure the company is mentoring new hires and monitoring their behavior. "Make sure they understand their job function and are performing it adequately," says Cates. Deviations can be clues that they are using work time for something else, perhaps for spying.
Use technology to identify and limit employee exposure to sensitive information such as IP, customer data, and anything that might be tempting to a corporate spy. Make sure to have the appropriate controls in place to monitor employee access to sensitive information.
By auditing ever-expanding Big Data, the enterprise can maintain an awareness of what needs protection so that it can apply the strongest protections to the most sensitive information. Audits can update the enterprise on the amount of data, new data types, and increased data sensitivity, so it can go back to square one with risk and impact analyses and determine again what to secure most. Then the enterprise can decide how to secure the varying data and data stores, and how to adjust access controls based on roles, responsibilities, and knowledge of who should see or touch the information.
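The following sketch is an added example, not part of the original article. It shows one way to turn the audit and role-based access review described above into a repeatable check. The classification levels, role names, stores, threshold and log entries are all constructed assumptions.

```python
from collections import defaultdict

# All names and values below are constructed sample data, not from the article.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Output of the data audit: each store and its current classification.
DATA_STORES = {"wiki": "internal", "customer_db": "confidential",
               "product_designs": "restricted"}

# Highest classification each role needs for its job function.
ROLE_CLEARANCE = {"mailroom": "public", "sales": "confidential",
                  "engineer": "restricted", "it_admin": "restricted"}

BULK_THRESHOLD = 1000  # sensitive records per user per review window (assumed)

# (user, role, store, records_read) for one review window.
ACCESS_LOG = [
    ("alice", "sales", "customer_db", 40),
    ("bob", "mailroom", "product_designs", 3),
    ("carol", "it_admin", "customer_db", 900),
    ("carol", "it_admin", "product_designs", 600),
    ("dave", "engineer", "product_designs", 25),
]


def review_access(log, stores=DATA_STORES, clearance=ROLE_CLEARANCE):
    """Return sorted (user, finding) pairs for one review window."""
    findings = set()
    sensitive_reads = defaultdict(int)
    for user, role, store, count in log:
        level = SENSITIVITY[stores[store]]
        # Unknown roles get no clearance, so any non-public access is flagged.
        allowed = SENSITIVITY[clearance.get(role, "public")]
        if level > allowed:
            findings.add((user, f"over-exposed:{store}"))
        if level >= SENSITIVITY["confidential"]:
            sensitive_reads[user] += count
    for user, total in sensitive_reads.items():
        # Applies to every role, including administrators with full access.
        if total > BULK_THRESHOLD:
            findings.add((user, f"bulk-read:{total}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(ACCESS_LOG):
        print(user, finding)
```

Re-running the check after each data audit picks up reclassified stores, and the bulk-read rule covers IT accounts that role-based rules alone would pass.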