Social Media Espionage – What’s Your Exposure?

Spy vs. Spy

If this were a 1960s issue of MAD Magazine we’d probably all be amused. But it isn’t 1960 and this isn’t a cartoon. It’s real-life drama, espionage and high-stakes intrigue played out on the global business stage.

Like the black and white spies featured in MAD, stealing business information used to be a matter of old school, cold war, “cloak and dagger” spy techniques involving shadowy figures wearing trench coats, but times have certainly changed.

While old school techniques used to steal business information still exist in some format, enter the “new age” tool from the spy’s toolkit: social media. Social media may perhaps be one of the net’s coolest inventions.

However, for every cool new app like social media that’s launched, there are people, and organizations, looking to exploit it for nefarious purposes.

If we were to round up the usual suspects, as suggested by Captain Renault in the 1942 film classic Casablanca, they would include industry competitors, company insiders, foreign countries, competitive intelligence firms and governments.

However, before we go “all in” attributing the industrial espionage problem to the Russians, Iranians and Chinese, let’s not forget the domestic side of this issue as well: the cross town rival you’re in a race with to get your product to market first.

In a competitive business environment, the first to market often wins so your rivals are just as interested in gathering inside information about your business and products as foreign entities are in stealing your technology.

Theft – Bit by Bit

How easy is it for spies to steal your company’s technology, intellectual property or trade secrets? The answer it turns out may be no farther away than the social media tools your employees use to promote themselves or your company uses to promote its products and services.

Contrary to how one might think this occurs, via a massive one-time data theft, oftentimes the theft of trade secrets, IP or proprietary information occurs a little bit at a time by folks gathering intel against your company.

Bloomberg supports our “theft by a thousand bits” theory in a piece on Social Media Spying:

“That seemingly harmless tweet, status update or location check-in may be divulging more than you realize. As workers put more information about their professional and personal lives on social media networks, employers are at greater risk of competitors gathering intelligence on their business”

The collection of one piece of information about the company may seem innocent enough but one piece of information begets you two pieces of information, which begets you four, which begets you eight etc.

Pretty soon, the innocent little pieces of innocuous information gathered by interested outsiders add up to the sum total of the whole and your battleship’s sunk.

The Scope of the Problem

With the passing of the U.S. Economic Espionage Act of 1996, the theft of intellectual property (IP), proprietary information and trade secrets is now a federal crime, and the problem appears to be growing.

Wondering how big the problem is? From our research, government sources suggest it’s a multibillion-dollar problem with increasing losses year over year. 2013 statistics estimated losses of 19 billion dollars.

However, these loss estimates are a bit skewed as they only represent cases worked by the F.B.I. which doesn’t accurately account for unreported, or unknown, crimes. Private sources however put the losses from industrial espionage as high as trillions of dollars.

Using the 80-20 historical loss calculation for fraud (20% known – 80% unknown), given current loss estimates, the problem has a significantly larger impact on victimized companies, and the U.S. economy, than the government figures represent.

For federal agents tasked with the investigation of industrial espionage cases, this translates to increased case loads, arrests, indictments and convictions. According to the F.B.I.,

“Over the past 4 fiscal years, the number of arrests related to economic espionage and theft of trade secrets overseen by the F.B.I.’s Economic Espionage Unit has almost doubled, indictments have more than tripled, and convictions have increased six fold. Halfway through fiscal year 2013, the number of open investigations is running more than 30 percent above the total from 4 years ago.”

Social Media is Risky Business

While everyone in the business realm talks about social media like it’s the second coming…the reality is that social media is risky business. It’s not the kind of Risky Business involving Tom Cruise hooking up with Rebecca De Mornay while his parents are away, but it’s risky business nonetheless.

The risk with social media is information. Information is a valuable commodity and those who have it rule. To be active in social media involves building professional networks and engaging with people across the globe, some you know and some you don’t. Anytime you communicate with others in a business setting there’s an exchange of information which is always risky.

So while social media has incredible value for a variety of business purposes (sales, marketing, branding, PR etc.), the flip side is that it’s perhaps the single greatest tool ever given to shadowy, organized crime, foreign intel and business competitive intelligence types looking to plunder your company’s treasure chest of proprietary information.

Social Media – What You See is Seldom What You Get

When we communicate in person, it’s often easier to tell if a person is who or what they claim to be. E.g. it’s a lot harder for someone to pretend they’re a 5’10”, leggy blonde in person when they’re not. Not so with the Internet, and social media propagates this exponentially. Create an online ID, steal a picture and you’re off to the races as the leggy blonde you always wanted to be…even when you’re not.

Factually, in the online environment, anyone can be anyone they want to be, can live anywhere at any time and have whatever credentials and business background they desire. The reality however is much different in that “what you see in cyberspace is seldom what you get.”

In 2012, I wrote about the GRC challenges associated with social media in a two-part piece for Corporate Compliance Insights and I addressed the ease with which profiles are created without repercussion for not actually being the person you represent yourself as.

Since that time, the theft of information via social media has shown no sign of going away, as indicated by increasing financial, data and information losses, new victims and not one but two stories today from the F.B.I.’s news feed on cases involving industrial espionage and theft of trade secrets.

Clearly, with cases and losses on the rise, companies need to take increased measures to protect their proprietary information, intellectual property and trade secrets.

Action Items

Protecting trade secrets, intellectual property and proprietary business information is not an easy task. While a comprehensive and holistic approach is required for all businesses concerned with protecting their data and information, there are steps businesses can take to start moving into a less risky environment.

Nothing is 100% but the goal is to strengthen defenses to the point where the work required to gain the information isn’t worth the reward.

There are five steps companies can take to start making themselves less vulnerable to the kinds of devastating social-media-related thefts mentioned in this article.

First, however, a bit of a legal disclaimer: I’m not an attorney, don’t play one on TV and “didn’t stay at a Holiday Inn Express last night,” so the following are my own general business suggestions which are definitely not considered legal advice. Best practice always involves consulting your corporate counsel on any issues involving federal or state labor law before implementing employment related policy.

Five Core Action Items

1) Awareness: Awareness is a core component of any program designed to mitigate social media risk. Utilize company communication mediums to distribute reminder information to employees on social media risks, trends and InfoSec best practices.

An aware employee is an educated employee. Educated employees are less likely to violate company policy in this area and are always better shepherds of your proprietary information.

2) Policy: Create a “dedicated,” “stand alone” compliance policy concerning: social media, the use of social media, and the definition of trade secrets, intellectual property and proprietary information.

Clearly outline the employee’s information handling responsibilities and the acceptable use policies for social media. Spell out the ramifications for policy violation in clear terms. Mark relevant documents (Confidential, Proprietary Information, Trade Secret, Intellectual Property etc.) to remind employees of the information in documents and their responsibilities associated with handling it.

Push the policy out to all employees with your other compliance documents on a regularly scheduled basis. Require policy attestation annually.

3) Education and Training: Providing regular education and training classes for all employees on social media usage and protecting trade secrets, intellectual property and proprietary business information is a valuable component of any InfoSec program which simultaneously increases employee awareness across the enterprise.

Require attendance and signed attestation upon the conclusion of the training.

4) Restrict Access: Create a “need to know” access level restricting sensitive information to employees whose job function, or performance, absolutely depends on accessing the proprietary or trade secret information. Educate employees with information access rights on how that translates to their social media activity.

Many people think they need access to specific information to do their jobs but the reality is that few do.

5) Monitoring: Policy without monitoring is like ice cream without a cone. Telling employees what their information handling and social media requirements are but doing nothing to monitor their activities is ineffective.

Ensure your employee handbook covers monitoring and then regularly check to ensure that employees are in compliance.

The Bottom Line

There’s no mistaking the value social media has in today’s business environment. But for every positive use an app has there are negative uses as well, and industrial espionage committed via social media tools is definitely high on the risky business barometer.

It’s a “target rich” information environment out there right now and if your idea of protecting your sensitive business information involves ignoring the social media risk and sticking your head in the “it won’t happen here” sand, then your odds of ending up on the “victim line” in an F.B.I. investigation report go up… way up.

Those are my insights. What are yours?