Cyber Spying: How Corporate Espionage Threatens Businesses

Corporate espionage may sound like the type of problem only faced by massive enterprises or fictitious corporations in the latest spy thriller. However, corporate espionage and intellectual property theft are very real problems plaguing modern businesses. It is estimated that intellectual property theft costs American businesses $600 billion per year. Any business that possesses proprietary or client information is at risk of corporate espionage. In other words, all businesses are a target. Employee and client information, client agreements, R&D, and prototype designs are the most sought after documents, but depending on the type of business, other data may also be at risk.

Intellectual property is valuable not only for its resale value (personal info goes for $4-20 per identity on the dark web, and trade secrets can go for much more) but also for the value it has to the company. Loss of client information devalues a brand and comes with hefty legal, PR, and shareholder consequences, while prototype design and research theft can lead to cheap knockoffs that undercut both hype and profits at product launch. Additionally, threat actors deploying ransomware may prevent companies from accessing their own data, costing them tens of thousands of dollars in lost time and ransom payments if the company chooses to pay the hackers.

Preventing corporate espionage is complicated, and highly dependent on the type of proprietary data at stake. Though a personalized security strategy is always best, there are some simple measures companies can take to keep their proprietary data safe from threat actors.

How Corporate Espionage Occurs

Humans are always the most vulnerable component of a cybersecurity strategy, and threat actors know this. Humans are susceptible to phishing, are often careless or ignorant, and despite NDAs, are prone to sharing sensitive company data in order to make themselves look good. Threat actors often target individuals in an organization who are under the most pressure to act- interns and entry-level roles who are eager to please are far more likely to download an “urgent” malware-laden file from a spoofed email address.

Malware is the most common way threat actors access a company’s network to steal intellectual property and other sensitive data.  Depending on what type of malware is downloaded, it can track keystrokes, escalate user privileges, move to other computers on the network, download data, and even hijack device cameras or microphones. If malware also contains ransomware, companies may be prevented from accessing their data until a fee is paid with cryptocurrency.

Paying the ransom, however, does not prevent the compromised data from being sold on the dark web. It is very common for one threat actor to access a network, scrape all the data, and then sell both the stolen data and access to the network on the dark web. After a second threat actor purchases access to the network, they install ransomware, freezing a company’s data and demanding payment to return systems to normal. Often, companies without advanced cybersecurity efforts in place do not even realize their network has been compromised until long after the initial breach and data theft.

Preventing Corporate Espionage

There are many things that can (and should) be done to protect your company from corporate espionage. Developing a comprehensive security strategy that incorporates anti-virus software, network monitoring, data encryption of sensitive files, and employee training is crucial to preventing unauthorized access to data.

Use Next-generation Antivirus softwares.

Yes- multiple softwares. Threat actors are always developing new forms of malware that can track keystrokes or scrape data, and different softwares will be looking for different threats. Strategically selecting a few and updating often is the best way to catch the most known system threats.

Monitor the Network

No matter how many layers of antivirus software a company has, they need to continually monitor their network for potential threats and unauthorized users, and have a comprehensive incident response strategy in place.

Encrypt Files

Data should be encrypted not only when being sent, but also before being stored, especially if the data is getting stored on a cloud. Any file containing valuable research, prototype designs, client information, or other intellectual property should be encrypted any time it leaves the network. Client information is especially valuable, and loss of this data can be a PR nightmare, yet many companies still store client’s sensitive info in plain text format, exposing it to millions of potential threats.

Don’t Trust the Wifi

Thanks to wifi, more and more people are working on-the-go. However, unsecured networks are a huge target for threat actors. Employees should always use a full tunnel VPN when working on unsecured networks, and turn off bluetooth when it is not being used. This is especially pertinent when traveling. Airports, coworking spaces, and hotels are all prime spots for cybercriminals to gain access to sensitive information.

Cover your Camera

No tinfoil hats here. There is a very good reason why tech gurus put tape over their webcams. Remote Access Trojans (RATs) can track your keystrokes, remotely control your computer, and hijack your device’s microphone and camera. Employees should be encouraged to cover cameras and disable microphones while not in use, and especially during meetings where sensitive information is being discussed.

Focus on People

Most employees have good intentions, but without the proper security training, they can be a business’ biggest vulnerability. Threat actors rely on employees’ ignorance and carelessness to gain access to a company’s network. Employees should be educated about what data is considered sensitive, best practices for protecting that data, and how to avoid phishing scams. Additionally, setting up Network Access Control (NAC) that will grant certain privileges for specific roles, while restricting access for lower-level employees or guests can help reduce unauthorized actors from accessing a company’s most sensitive data.

The more layers a company’s security strategy incorporates the better their chances of preventing and detecting corporate espionage and intellectual property theft. Bluestone Analytics offers military-grade cybersecurity for small and midsized business. To learn more about advanced cybersecurity solutions for your company, schedule a consultation.