Spies among us: State-sponsored actors want to steal your sensitive information
4 takeaways from the historic FBI-MI5 joint statement
National security experts have been sounding the alarm over state-sponsored actors looking to steal sensitive information – not just from aerospace and tech companies, but from companies involved in chemical manufacturing, telecommunications, and pharmaceuticals. Recently, FBI Director Christopher Wray and Ken McCallum, Director General of the UK’s Security Service (popularly called MI5), issued a joint statement highlighting the growing state-sponsored threat to businesses, warning that even sophisticated businesspeople don’t realize the severity of the threat.
While such statements from national security and intelligence organizations have been increasingly frequent in recent years, there’s good reason to take this joint communique more seriously. To begin with, this is the first joint statement by the FBI and MI5, ever. Despite the difficulty in coordinating such a statement, both organizations believed that the effort was worth it to capture the public’s attention.
We highlight four takeaways from this historic joint announcement.
1. Government security agencies can no longer protect businesses from state-sponsored economic theft
The joint statement is an implicit admission by both governments that they can no longer protect private businesses from state-sponsored intellectual property theft. The threat has become too complex and pervasive for either organization to address alone. Consequently, this statement was necessary to alert the business community to the fact that companies must now take increased responsibility for protecting their intellectual property.
2. State-sponsored theft of sensitive information from private companies is perpetrated by more than one country
The state-sponsored theft of sensitive information, particularly intellectual property including trade secrets, is not perpetrated by just one country. A multitude of countries have realized both the ease and near total impunity with which they have been able to steal valuable assets from businesses.
The class of assets targeted, of course, includes not just sensitive and cutting-edge technology, but also a whole host of other assets, such as key employees and customer data.
3. Cyber is not the only method nation-states use to steal sensitive information from the private sector (even though cyber gets the most attention)
As many businesses begin focusing on the potential theft of their intellectual property and confidential data, they often focus on cyber intrusions, even seeing them as the only avenue for such an attack. Unfortunately, cyber intrusions are just one method sophisticated nation-states (and their criminal proxies) may use to steal important information. Recent criminal prosecutions by the Department of Justice have shown that nation-states have also enlisted the help of insiders such as company employees to steal intellectual property from their respective employers.
That is why businesses should take a number of measures, beyond cybersecurity, to protect themselves. In the fight to secure business assets, employees are essential. A well-placed employee can evade any physical or cybersecurity program protections. Nation-states will seek to exploit employees to get information they need. Businesses should consider how they can best educate their employees to protect the company and the employees themselves from outside exploitation. If these steps are not taken, businesses risk leaving themselves enormously vulnerable.
4. What companies can do: be proactive, not reactive
There are several additional steps companies can take to minimize the risk of state-sponsored theft of intellectual property and sensitive information.
First, companies need to have procedures in place to clearly identify and mark proprietary information. These markings are important to ensure that anyone who has access to the information is on notice that the information is proprietary and, correspondingly, that a company has made efforts to protect the information.
Second, information identified as trade secret or proprietary has to be properly stored, with controls on employee access and sharing. These controls can include locked rooms with limited access, nondisclosure or confidentiality agreements, and document destruction procedures.
Third, employees should receive training not just in cybersecurity and cyber awareness, but also in detecting anomalies that indicate a potential insider threat. This should include establishing procedures for reporting anomalies to the appropriate individuals within an organization.
These steps are meant to be preventive. Unfortunately, typical risk management programs these days tend to take a reactive approach and only emphasize what should be done after an incursion, to detect a loss or an attack. Few are looking at how to prevent such a loss in the first place or limit the damage of a potential loss in the future.
In addressing nation-state threats and risks to your business, policies, practices, and training can be more important than surveillance and investigative programs. Taking a holistic approach to this complex and pervasive challenge will not only protect your most important assets better but will preserve your options and limit your damage in the unfortunate case that you suffer a loss.
The materials from our recent program examining this topic are available online – access the recording here.
*Holden Triplett is a founder of Trenchcoat Advisors LLC. Find out more about him here.