Stealing your secrets: Cheap and easy…
In many large companies roughly 70% of the value of the company lies in its intellectual property. (One of the reasons there is all this talk about “knowledge management!) This is a very significant percentage, and makes a tempting target for the unscrupulous competitor. According to estimates in the 2002 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, the cost to American companies of foreign and domestic economic espionage and theft of intellectual property is $300 billion dollars a year and rising. The average cost per incident is $500,000 in non-manufacturing companies, and a whopping $50 million per incident for manufacturing companies!
Who threatens this intellectual property? About 80% of the time it is insiders. By insiders we mean employees, temporary staff, contractors, vendors, suppliers, consultants, government agents, business partners, accountants, attorneys, security guards, OEM manufacturers, visitors, and a host of others, plus their associates, friends, and family.
How high is the threat? It depends on the company. Putting aside outside issues like competitors or foreign government interest, if your company is in any sort or crisis (in which we include mergers, real or rumored, layoffs or anticipated layoffs, large stock price fluctuations or any other financial situation that might endanger jobs), then the threat is high because all the insiders are not at their highest level of comfort and loyalty. This is particularly true in companies where the insecure insiders (or their friends, family, and associates) perceive that senior management has exceeded the traditional limit of 10% of the operating budget on themselves. Add the high mobility of employees today -– no longer do we work at the same company for 25-30 years – and the risk is further multiplied.
What are you doing about reducing the risks? We will ignore the things you are probably not doing, i.e. an inventory of sensitive information (the average company has never done an inventory of sensitive information, and if they have, it is almost certainly not current). Nor will we make any mention of adequate document control, and a host of other simple procedures needed to assure the safety of their information. And we’ll overlook the fact that most companies have never trained their employees on what sensitive data is, how to protect it, from whom to protect it, how to tell if someone is trying to steal it, and what to do if there is a suspicion of theft.
Rather than dwell on these negative aspects, we will merely note that 80% of your security budget is most probably spent on physical security and access control, which is to say keeping the 20% out, rather than dealing with the 80% who are already in. Since most of the risk arises from people you willingly let in, and since much of the illegal activity takes place outside the company walls, most security efforts are, in short, misdirected.
Thus theft of your sensitive information is easy and cheap because it is inadequately protected. We certainly do not advocate getting rid of your alarm systems and guard forces, but we do heartily recommend a reevaluation of your security priorities and expenditures. After all, at $500,000 per non-manufacturing incident to $50 million per manufacturing incident, it is a small step to take toward preserving your financial future.
