Raising awareness of industrial espionage
We often read about security incidents involving personal information in the newspapers or online. Multi-million-dollar credit card and social security number exposures grab the headlines and consume many column inches. There are even websites dedicated to totting up the sordid numbers. There are laws and regulations to protect personal data, and most of us accept that our privacy is inherently worth protecting, no question.
When it comes to protecting confidential proprietary information belonging to corporations, however, the situation is less clear. Someone taking, say, their former employer’s customer list to a new job may be ‘frowned upon’, but evidently the practice is often tolerated and is probably fairly common. Indeed, professional résumés boast of prior work experiences and major projects, with the implication that proprietary knowledge and expertise gained on prior assignments is effectively for sale to the highest bidder.
News stories involving industrial espionage are few and far between. Why is that? It’s conceivable that there are not many incidents, but it seems far more likely that most simply don’t see the light of day – in other words, they are kept under wraps or quietly hushed up, or perhaps they are just not identified as such. As with personal data breaches, organizations are understandably reluctant to admit their security failures and discuss the vulnerabilities that were exploited, knowing that they reflect badly upon them and detract from their brands. Possibly some fear that revealing incidents risks disclosing yet more of the proprietary information in question, or encouraging further attacks. Without the legal pressures that force disclosure of many privacy breaches, organizations are within their rights to say nothing, and evidently this is the most favored option in practice.
Our latest security awareness module explains the value of the information assets at risk and the myriad ways in which they may be threatened, and calmly describes the corresponding security controls. We use diagrams, mind maps, photos, news cuttings and motivational writing to encourage people (specifically staff, managers and IT professionals) to take this seriously and change the way they behave.