Sourcebase Reports

Country briefing exerts and analysis from KCS Group

The sale of secrets

Sex sells? No, secrets do. The not-so-new ‘x-factor’ that employers are looking for in you? The content of your former employer’s deepest secrets.

Ignoring your CV pumped full of prefect badges, hockey sticks and proof that you spent hours in the stuffed university library- what’s going to make an employer (or your competitor) tick is a potential new staff member who is ready and willing to strip that gag off which has thus far been keeping their current employer’s secrets from spewing out.

More than a third of people would sell company secrets and/or commit industrial espionage, risking their jobs and a criminal conviction. Moreover, according to the US based Ponemon Institute, 60 percent of employees steal company information when they are fired, and; nearly 70 percent of those individuals take the confidential or top-secret intelligence to their new job.

Whereas for current, dissatisfied employees…well, 61 percent of individuals who have overtly negative attitudes towards their company, steal data. Worrying, but unfortunately not too surprising.

Organisations worldwide need to absorb and take action from this statistic; Ponemon’s 2015 Cost of Data Breach Study: Global Analysis revealed that the average consolidated cost of data breach is $3.8million USD, a 23 percent increase since 2013. And data breach is only one element of business related crime.

So what are the secrets that people are selling? Data such as sales figures, current and future business plans, product specifications, new technology, and client lists are all on the shopping list. An employee can download a company’s entire intellectual property portfolio including all of its secrets on to a pen drive. Or an employee could send documents to a personal email – and they may have had a history of doing so.

In addition, more and more cases are being identified where individuals are partaking in ‘data laundering’. These employees attempt to pass off selling company secrets masked as market research to a competitor (or even on the Dark Web). In all honesty, organisations too often do not care where information has derived from as long as it is valid and will give them a competitive advantage.

After all, it was only at the start of this year, that IBM’s CEO, Ginni Rometty, stated that “data is the phenomenon of our time. It is the world’s new natural resource”.

How do people know how to do it? Well, the results of a quick and simple search on an internet browser ooze an exotic array of articles on just what the best steps are to sell your company’s secrets.

One that particularly caught my eye, and is pretty direct- gives the reader six easy steps to selling a secret ‘without getting caught’.

With suggestions such as ‘establish an anonymous Internet presence’ and ‘check for security cameras in the area before you call someone’, as well as giving tips such as ‘don’t overshare’ like James Hall III when he leaked information to a Russian spy (who was actually an undercover FBI agent), it should be seriously worrying for employers, that employees can learn online how to breach confidentiality in the most discreet manner (they hope).

Opportunity and motive combined with knowledge, is a very dangerous combination.

A well-known case back in 2011 saw an individual who worked for Apple, Paul Devine, arrested following an investigation which proved that for a number of years he had been passing information about the company to Apple’s suppliers. Devine was paid more than 65 thousand pounds by the sell-out, but it was reported that it cost Apple a total of approximately £1.5 million GBP in business.

What is it that motivates individuals to sell company secrets?

Financial gain, for a start, is one reason why current employees sell data or strategies to a competitor. Although, some people really must be desperate as, according to a UK Clearswift survey- employees would sell confidential data for as little as £100 GBP. Nevertheless, it is important to keep in mind that there will always be a large number of employees in any industry, who are looking to make easy money by trading in their former or current employer’s secrets.

Revenge is sweet, and selling corporate secrets and data makes it sweeter? Individuals have been known to ‘get back’ at a current or former employer by leaking confidential information in response to a number of actions ranging from negative comments to redundancy.

For example, a former Microsoft worker who had been an employee for seven years, but in 2012 threatened to resign when he received a poor performance review- began uploading propriety software including pre-release software, and admitted to posting information on Twitter and his websites, and selling Windows Server activation keys on eBay. Moreover, the individual, Alex Kibkalo, admitted to investigators that he provided confidential company documents to a French blogger. Kibkalo now works for a competitor in Russia.

The thrill of trying to get away with industrial espionage motivates some individuals to sell company secrets. Not exactly the most advisable way for an adrenaline junkie to achieve a high, but it happens all the same.

There are many ways in which companies can protect sensitive data with technology controls that for example, limit access and monitor emails and files (KCS ZoneFox enables, for example, an employer to track documents that have been downloaded) – however this article will focus on the steps that can be taken from a human intelligence perspective only.

I am not talking about going as far as hiring private investigators to monitor employees’ home lives (to make sure personal problems do not interfere with work performance) – such as Henry Ford did to maintain productivity and protect his intellectual property- because this would really be taking it a step too far.

The recent case of an American organisation installing a GPS monitoring application on one employee for tracking her in ‘out of office hours’ is evidence that directors sometimes just do not know when to stop.

What I am talking about is taking appropriate and effective action through human intelligence, analysis, and unobtrusive investigations; helping to prevent an organisation’s potential financial and reputational loss.

There are a number of proactive and defensive measures that can, and should, be taken to prevent your secrets form pouring out between a current, or former employee’s lips.

A background check is often the most simple and effective ‘initial step’ of protecting company secrets. But often, this is not enough.

1) Discreet, Non-conventional Due Diligence is a unique process which consists of analysts focusing on a current or potential employee’s political interests, reputational issues, personal and corporate relations, and determines whether a history of fraud, corruption or industrial espionage exists. This is the lifeblood of competitive strategy and corporate security- and is one of the areas of expertise of the Human Intelligence Team of the KCS Group Europe.

2) Screening and vetting of individuals should be conducted before employment. Without fail. Such action can prevent clients from permanently building a connection with an individual who may have perpetrated fraud, falsification of identity, embezzlement, intellectual property theft and/or espionage. It can also be used to assess the vulnerabilities of existing staff members, who may have joined under false pretences. Such assessment will give analysts indication of whether an individual is likely to steal and/or sell secrets. Given the access these individuals already have to sensitive and confidential data, the insider threat is certainly the most dangerous.

3) The processes of due diligence and screening/vetting can often be more challenging if a prospective employee is moving from a foreign jurisdiction, or analysts suspect he/she has purposefully hidden assets or a period in his/her professional history. In this case, an Enhanced Corporate Investigation should be conducted. Analysts therefore more specifically assess the risks, weaknesses and threats facing a client’s business interests. Open source intelligence is combined with human intelligence supplied by any one of the 7000 assets on the ground across the globe. Signals intelligence, needed in many cases, compliments the analysis with assessment of electronic communication between parties.

4) It is advisable that a company conducts exit interviews, and that personal intelligence is gathered from the individual in order to be able to ‘keep an eye’ on their communications, for example with an employee that has remained within the organisation. Selling secrets can be a process plotted and conducted by a number of middlemen; employees working with outsiders, for example.

No matter how loyal an employee may seem- it should not be taken for granted and should be treated with the same caution as someone who has been working for the company for only a number of months.

To boost compliance it is crucial that employees fully understand the internal and regulatory rules of the company, and continually have a deep appreciation of the need to keep organisational secrets confidential.

If companies do not take aggressive positions on secrecy in the workplace, it is very likely that competitors will start plucking employees, and information, from them (or start purchasing it from organised and/or cyber criminals on the Dark Web). This will not only lead to financial and reputational damage, but for some organisations, could lead to their utter demise.

A plethora of companies depend on trade secrecy to maintain its competitive advantage. Therefore, implementing security measures to manage the potential or existing ‘threats from within’ should be a top priority for all businesses.

Companies require the support of a dedicated, strategic intelligence-led entity that understands soundly the issues facing its clients and can assist in manoeuvring around the obstacles blocking their path to success (or a less expensive exit strategy). The KCS Group Europe can offer this.

Secrets will always sell; but for me- I’m sticking to the prefect badge.

Phoebe E Waters, Senior Analyst and Researcher at KCS Group

The KCS Group Europe operates internationally with an expertise in carrying out discreet and complex assignments for corporate and commercial entities and governments, in difficult and dangerous situations and locations.



This entry was posted on November 30, 2015 by in Uncategorized.
%d bloggers like this: