Information leakage to a competitor
Businesses operating in competitive market sectors can be targeted for commercial espionage. One of the main ways to weaken the position of a competitor and its leading position is to organize information leaks and further use the information obtained in order to harm the business reputation, intercept the customer base or counter development strategies. Professional methods of dealing with their organizers will help to defend against targeted hostile attacks.
Types and main channels of leaks
Gaps in the information security system arise at the organizational, technical and personal levels. The organizational level includes flaws in the security service, which allows outsiders to penetrate the protected objects; lack of regulations defining mechanisms for protecting information; lack of internal control. The technical level must protect against leaks occurring in the course of intentional impact on information systems, or from the introduction of embedded devices that intercept audio information or electromagnetic waves. The personal level is based on the conscious or unconscious behavior of employees, management - any insiders who, on duty, have access to important information. They are the ones who most often disclose them or pass them on to competitors.
The well-known portal Content Security, dedicated to information security of corporations, gave an overview of the degree of significance of threats:
- disclosure of information by employees (unintentional - in a casual conversation or with a too broad understanding of the freedom to handle trade secrets in dealing with clients) - 32%;
- actions of competitors and agencies hired by them, causing deliberate disclosure, for money or other preferences by employees or spies specially introduced to the object - 24%;
- leaks related to organizational and technical deficiencies - 14%;
- obtaining data by competitors from company presentations and reports, other open sources - 12%;
- use of the shortcomings of the information systems protection system - 10%;
- conflicts within the team leading to unintentional disclosure of commercial secrets - 8%.
Thus, out of 100% of cases of information leakage to competitors, the role of insiders and the human factor accounts for 64%, more than two thirds. This forces the management of companies to take a more responsible attitude to the selection of personnel, control over their work and the moral and psychological situation in the team.
The standard situation in the struggle for market dominance is inviting key employees of the company to a competitor. When they leave, they pass on important information to the new employer - from scientific developments to the client base. If in the first case it was possible to protect data from copying by technical means, then the client base can be easily copied simply with a pen or a mobile phone. These risks can be avoided only by increasing the motivation of staff.
It should be noted that the review of the site does not indicate such information leakage paths as external counterparties of the target company, information to which is transferred under the law or contract. Among them:
- audit and accounting companies;
- independent appraisers;
- consulting organizations;
- cloud storage of information;
- inspection bodies, tax inspection, Ministry of Internal Affairs.
Obtaining the necessary information from the employees of these organizations sometimes becomes an easier task than obtaining it from the employees of the target company. They are not responsible for disclosure, except for the identification of such cases as a result of official checks, and it is much easier to transfer and copy data arrays seized, for example, at the request of the Ministry of Internal Affairs, than looking for the necessary information in the company's information network for years.
Damage from leaks
It is difficult to assess the damage caused by data leaks. It is of a hidden nature and is most often expressed in the form of lost profits. Among the types of direct damage, the most common are:
- compensation for harm caused to employees due to the leakage of their personal data or to counterparties due to the loss of their trade secrets;
- costs incurred when creating inoperative protection systems;
- the cost of creating a product that failed to launch on sale due to the fact that the company was ahead of competitors.
Indirect types of damage - lost profits and deterioration of business reputation - are expressed in such forms as:
- loss of leading clients;
- transfer of key employees to another job;
- loss or termination of important contracts, for example, due to leaked information about a violation of the exclusivity regime when concluding a franchise agreement;
- loss of market share;
- increased attention of inspection bodies, more frequent inspections and fines;
- refusal to participate in tenders for the conclusion of government contracts;
- deprivation of SRO admissions.
These risks can be prevented only by systematic work with the protection of commercial secrets, far from all amounts can be reimbursed in court in the process of compensation for harm caused by the disclosure of commercial secrets. The judge will assess only the real damage, and if the claim is brought against a specific individual (the employee who disclosed the data), regardless of the size of the award, it will take decades to recover.
Not all businesses are at risk, many either lack data of interest to competitors, or operate in sectors where competitors do not have the resources to develop smart espionage strategies. Among the companies at risk of being targeted are:
- large organizations that interact with the public sector and work with government contracts;
- enterprises working with oil, minerals and other resources;
- enterprises of the housing and communal services system;
- commercial banks;
- companies engaged in the development of modern science-intensive products and software;
- pharmaceutical organizations.
They all have to spend substantial funds to protect against leaks, and the more efficiently they are spent, the less potential losses will be. For less vulnerable firms, only reputational damage can become a risk if an offended employee discloses situations from the internal “kitchen”, the peculiarities of the mentality of managers and other piquant details.
Traditionally, protection measures against organized information leaks to competitors are divided into two groups: organizational and technical.
One of the important organizational measures will be the creation of a commercial secret regime, the development of a list of documentation and secrecy labels. The documents containing commercial secrets and most of interest to competitors include:
- client bases;
- new technologies, ideas, methods of production;
- strategic plans;
- ways to implement management decisions;
- upcoming personnel decisions;
- information about planned transactions;
- data on information support, installed protection programs, encryption algorithms, passwords.
Financial and accounting documentation is of lesser importance; it is quite easy to obtain it using the capabilities of access to the databases of auditing organizations. But if the enterprise maintains management reporting, developed for the purpose of making management decisions by the International Financial Reporting Standards and having great operational value, it can become an object of attack. When formulating a list of information constituting a trade secret, it is important to deviate from the standard list and highlight the data most interesting to competitors. Often the omission of certain items in the list creates the impossibility of further recovering damage in court. It is obligatory to conclude agreements with all employees that impose financial responsibility on them for disclosing commercial secrets. Also, among the organizational measures, it will be mandatory to create regulations for interaction with inspection and control bodies when providing them with the requested confidential information.
A necessary stage of work will be the timely identification of insiders, conducting preventive conversations with all employees, anonymous questionnaires in order to identify persons who may intentionally or unintentionally transfer information to competitors from the office or from production outside. Whenever a conflict arises between senior executives, such as the CEO and finance, or the CEO and founders, it is necessary to carefully reduce their access to the data that really matters.
In addition to standard organizational measures, the security services of firms must constantly monitor the activities of competitors, not react to their encroachments, but prevent them. To do this, you yourself need to interact with companies operating in the region specializing in commercial espionage and intelligence, in order to prevent a competitor from turning to them at an early stage.
Among the technical measures, it should be noted the need to protect information networks of an enterprise using modern software. Installation of modern DLP systems will avoid data leaks through channels such as:
- e-mail, external and personal mail of employees;
- messengers, Skype, Telegram;
- interception of digital traffic going to a printer or scanner;
- copying files to external media.
The systems will allow you to control even the traffic leaving the employees' laptops and redirect it. We shouldn't forget about programs that prohibit taking screenshots of screens for important databases, about encrypting secret information on all types of devices. There are also special software products installed on the copier, which will help identify all persons copying confidential documents. Assessing the need to install such software should be the prerogative of the security service.
Interception of telephone conversations will prevent voice encryption programs or the prohibition of discussing important information over the phone with counterparties. Meeting rooms must be technically protected from all modern methods of intercepting audio information.
Only a comprehensive application of organizational and technical measures will reduce leakages by up to 90%. It is impossible to achieve 100% protection, as top managers and heads of security services often become insiders. It is impossible to fully compensate for the damage caused by the loss of information.