German companies as a fruitful ground for spies
According to articles in the German press, the German National Criminal Police registered 110,000 cases of economic crimes in 2001, costing at least 6.8 billion euros. Who is doing the spying? A PricewaterhouseCoopers business consulting study found that in sixty-three percent of the cases of industrial espionage the perpetrator was employed in the firm.
Most economic espionage is preventable through a combination of access control, background checks, network monitoring and response, encryption, data destruction, and OPSEC (the identification and protection of critical information which is neither a trade secret nor classified). Increasingly aware of the dangers to their data, some German companies are becoming more cautious and electronic data is regularly encrypted. When it comes to investment in other preventive measures, however, such as regular background checks of potential employees, OPSEC, emergency plans, many companies prefer to take the risk. And the risk is substantial.
Due to the long existent “club atmosphere” in German business, and reliance on a candidate’s presentation of a bundle of documents that includes an official evaluation from each and every school, course, internship, and job that someone has held (often amounting to 10-20 pages) most companies see little need to check further. On the level of the board of directors, CEO, and CFO the record is public, and the list of offenders grows weekly. Again, the club atmosphere, embarrassment of checking on one’s peers, and reluctance to spend money account for the failure to exercise adequate due diligence.
The consequences are visible in the scandals, failed companies, and numbers of bankruptcies that have plagued the country for the last 18 months. As the competition increases in a rapidly shrinking job market, the potential for exaggerated or outright dishonest resumes has increased. Personnel specialists have noted a significant increase in inflated resumes, and struggle daily with the task of trying to sort the fact from the fiction among job seekers. Sadly, once the candidate has been presented by the personnel agency, most companies rarely choose to do their own checks. Companies, desperate to rescue themselves from failure, hire leadership based on wordof- mouth reputations, not reliable background checks and due diligence. We know from experience that this practice allows dishonest employees and managers to move from job to job defrauding and cheating companies with little fear of ever being caught.
But it doesn’t take dishonest employees to pass on information. Because most companies have never identified their critical information, they have never told employees what may or may not be discussed. Because of this, information can be provided to competitors by even the most loyal employees through conversations with friends and colleagues about ongoing projects, plans or rumors, while working on company data on laptops in public places, and through improper destruction of sensitive papers and documents. Few companies, German or otherwise, give serious consideration to ongoing vulnerability assessments or employee briefings. For most German companies, it is taken for granted that employees will be discreet. We, however, consider identification of critical information to be the first line of defense for any organization seeking to protect its source of income. Likewise, many companies believe that once they have secured their Internet against outside attack by hackers “ generally a baseless assumption, by the bye” information available inside the company is safe.
Sadly, this is not true. If you have not identified your critical information you are unlikely to have secured it appropriately from insiders or outsiders. Plus, putting aside the fact that a substantial number of web sites can be easily hacked using only a browser (web designers don’t know anything about data protection), even companies who have network monitoring rarely monitor real time, or react upon detection of intrusion.
But at least, you might think, the days of bugs, as in the days of the Cold War and spies around every corner, are long gone, right? Wrong! Unscrupulous competitors are turning to the tried and true ways of old, including bugs.
Sophisticated and effective technology is readily available in trade magazines and over the Internet. The mobile telephone carelessly left on the conference table during a sensitive discussion; the promotional gift or the old-fashioned bug planted under the table in the conference room will all provide the necessary access to company plans if the competitor doesn’t want to bother to sift through your garbage for unshredded sensitive documents.
Economic espionage is exploding inGermany. Actually, throughout CentralEurope. What is not keeping pace with that explosion is a corresponding interest in internal management that aims to protect the research, technology, and customer base in which companies invest so heavily.
If you think it is possible that some of these 6.8 billion euros are coming from your company, you should call us. If you don’t think it’s possible, you may be in for a nasty surprise and should definitely call us! As the old saying goes, “Better safe than sorry.” Call in OPSEC professionals to be sure.