Fixing big leaks
Corporate espionage is rapidly rising. Years of R&D can go down the drain and intellectual property worth millions can be lost to competition overnight.
What once began as legitimate intelligence gathering has now morphed into a quick-fix solution by unscrupulous competitors out to nullify their rivals’ competitive advantage. Google’s threat to withdraw from China is a confirmation that corporate espionage is increasingly common across the Internet and can be extremely difficult to detect. As companies struggle to survive in a hyper-competitive environment, prying into rivals’ secrets has become lucrative. Obviously, corporate ethics is taking a back seat.
It’s not just companies. Governments too are snooping. Today national security lies as much in a country’s industrial strength as it does in the possession of advanced weaponry. The methods employed generally involve highly trained spies and advanced gadgetry for carrying out sophisticated hacks on corporate trade secrets.
At the other end of the spectrum, a vast majority of corporate espionage occurs not in cyberspace using high-tech gadgets, but rather through low-tech devices such as a Rs. 500 bug hidden under the board room table. While a company may implement state-of-the-art logical and physical security by spending millions, it may do little to protect information from either the untrained or disgruntled insider, who is the cause of more than 85 percent of the leaks. Placing ‘moles’ within the competitor’s organisation and recruiting key employees working for the competitor are particularly insidious and commonplace.
Under these circumstances, companies must take proactive steps to mitigate the risk. Get a non-disclosure agreement that can be enforced under the Indian Contracts Act in place with all employees handling or creating sensitive information.
Carry out thorough background checks of employees with access to sensitive data. Institutionalise whistle-blower and suspicious activity reporting, make employees aware of their responsibilities and consequent legal penalties, and establish internal capabilities for monitoring, investigating and initiating legal proceedings to punish or seek compensation from those who have committed the crime.
While standard information security controls such as identification and classification of sensitive data, risk assessments, strong authentication, data leak protection, encryption and regular bug sweeps are a must, companies must also explore measures such as out-of-band communication channels within the company for highly sensitive data, and obfuscation of sensitive data by maintaining multiple and fake versions of data along with the correct version, which is known only to trusted key staff.
There is a vast array of competing priorities for a company, and security issues tend to be addressed as a reaction to unfortunate events. However, corporate espionage is a major business risk, not just a theoretical curiosity or an issue purely for IT – and every board needs to treat it as such!
Felix Mohan, Group CISO of Bharti Airtel
