Written by: James Hart
The names have been changed, but the following story is a compilation of real situations faced by real businesses.
Doug Medford had never considered himself paranoid. But there were too many coincidences to merely be coincidental.
Medford, the CEO of a small Midwestern manufacturer, learned that an up-and-coming competitor from China had reached out to every single company on his customer list, just ahead of his busiest sales season. Not only was the other company’s product list an almost exact copy of his own soon-to-be-released update, the pricing was – in every single case – 5 percent less than what he had planned to charge.
It was obvious to him: Someone had stolen highly confidential information from his company.
Was it hackers? Medford could count on one hand the number of people who had access to those plans. They were among his most trusted employees, men and women that he had believed above suspicion. Now he was wondering if one of them had betrayed him — and whether that betrayal extended to even more sensitive information.
That’s why he was sitting in the office of his security consultant early on a Monday morning, telling his story and wondering if he was crazy to suspect that he had a spy on his staff. His company made parts for a very rare, very boring type of equipment, for Pete’s sake.
“You’re not crazy,” the consultant said, sipping his coffee. “Theft of trade secrets is a huge problem.” According to one report, the US economy loses about $225 billion to $600 billion each year to trade secret theft, counterfeit goods and pirated software. A lot of people assume it’s only about technology, but trade secrets like pricing structures, customer lists, they can be very valuable, too.
“But that’s not the real reason why you’re here, is it?”
When Theft of Trade Secrets Could Mean Losing the Company
Medford shook his head.
“No, it’s not,” he said. “Having our plan stolen is a pain in the neck, but we can create a new strategy in time for the big ordering season. What I’m really worried about is our proprietary process.”
The process had taken years and millions of dollars to develop. It was a competitive advantage that nobody else in their vertical had, and it allowed Medford’s team to build parts that were literally world class and capable of lasting years longer than competitors’ did.
Which is why the files on the process were kept strictly offline in a tightly controlled file system. They should have been impossible to access … but that’s what Medford had thought about this year’s business strategy, too.
A chill ran down his back. If he had lost that secret, the odds were good that he would lose his business, too. The process was that valuable.
The security consultant put down his empty cup and looked Medford in the eye.
“Economic espionage is a big problem, and because it involves a foreign entity, that’s what this probably is,” he said. “But you’re doing the right thing, and that’s on top of all the other investments you’ve made in security and prevention. Give me a few days. We’ll find out how this leaked — your team might not even be responsible — and see how bad the damage really is.”
Ruling Out the Possibilities
It was a little after 3 p.m. Wednesday when the security consultant knocked on the door of Medford’s office. The business owner looked like he had barely slept since their meeting on Monday.
“I’ve got good news and bad news, and then some great news,” the consultant said. “We know what happened and how, and unfortunately, it wasn’t hackers — someone on your team deliberately sold that information to the other company.
“But here’s the great news: They didn’t get anything on your secret process.”
Medford practically collapsed into his chair. The consultant sat down across the desk from him.
“Our technology team audited your system, and they didn’t find any evidence that any outsiders have accessed it,” the consultant said. “That’s great news. Your team has done a terrific job avoiding phishing attacks that could have undermined your security. The training has paid off there.”
But that’s only one way that bad actors can steal information from computers and smartphones. Business travelers have frequently seen their devices broken into while visiting other countries.
“So we looked at your team’s recent itineraries,” the consultant said. “You’ve had a few people on overseas trips recently, but none of them had your customer list or upcoming business plans on their machines.”
That was both good and bad, he explained. It meant that, in all likelihood, someone on Medford’s team had betrayed him.
How to Spot a Potential Traitor
“There’s a long list of indicators that someone might be tempted to steal sensitive information,” the security consultant said. That includes things like …
- Severe changes in behavior, work habits or general demeanor
- Unexplained affluence
- Financial hardship
- Excessive spending or excessive debt
- Inappropriate use of photocopy, computer or printer equipment
- Attempts to circumvent security procedures
- Unreported foreign national associations
- Excessive or unreported foreign travel
- After-hours access to buildings and classified material
- Substance abuse
- Unauthorized removal of classified or trade secret material
“On their own, none of these are proof that someone is a threat,” the consultant said. “Honestly, it doesn’t mean anything if someone meets most of the conditions on this list. But it can help you identify people who deserve a closer look.”
And that’s what the consultant and his team had done. In a series of private conversations with other employees, they were eventually led to one person.
“Cindy Milan, the administrative assistant for your senior VP of marketing,” the consultant said. “Once we sat down with her, she admitted to having copied and stolen the plan. She even tried to get access to your more sensitive files, but your document controls held.”
Medford almost laughed when he heard the name. Milan was in her mid-60s, a few years away from retirement and one of the least-threatening people he had ever met. She had joined the company more than 20 years and was absolutely the last employee he would have suspected.
“Turns out, the last few years have been rough for Mrs. Milan,” the consultant said. “Her husband was laid off and hasn’t been able to find a new job. They also owe a large amount of money for a couple so close to retirement.
“When we talked to the people closest to her, they noted that she had grown sharper and, well, angrier about how things were going at the company. Little comments here and there. And her schedule started to change. Suddenly, she was the very last person to leave the office almost every day. One person said they regularly saw her car in the parking lot on Saturday mornings.”
The Best Way to Catch a Bad Employee? Good Employees
It was a little surreal for Medford. He was stunned that Cindy — someone he thought liked working for him — could have betrayed him and put the livelihoods of all her coworkers at risk.
“I know this is a lot to process,” the security consultant said, “but there’s one thing I want to impress upon you. One of your people abused your trust, but the rest of your team is a big reason why we were able to find the leak so quickly. Ultimately, your employees are your first line of defense. They were observant, and once we asked the right questions, they were clearly able to point us in the right direction.
“But there’s still a gap in your training. To prevent a major breach, your people also need to be trained to report when they see something suspicious. The changes to Milan’ schedule — especially how she was spending large amounts of time alone in the building during off-hours — were a red flag.
“And if her manager had known that she was so bitter, it might have been an opportunity to address the root of her unhappiness before she committed a crime.”
After they planned out their next steps — including a promise to undertake a thorough risk assessment of other weaknesses and potential targets — Medford shook the consultant’s hand. The businessman looked exhausted.
“Listen, this is hard,” the consultant said. “But this is what a happy ending looks like in a case like this. Too many companies don’t catch the bad guy in time and end up losing everything. You’ve been betrayed, but you avoided a major loss of sensitive information. More importantly, you’ve gained something very valuable: You know how to prevent something like this from happening again.”
The Takeaways
- Smart businesses identify their most valuable information — whether those involve technological advances or client lists — and build systems to control access to that knowledge.
- Technological security solutions (including encryption and firewall tools) are important, but it’s equally critical to train employees to spot potential warning signs and report them to management.
- Know the potential signs that an employee might be a security risk. While none of the signs are proof of wrongdoing, they could lead your team to intervene before an employee crosses a red line.
At Chesley Brown, we understand that planning for the unknown can be daunting. That’s why we’ve built a framework that enables businesses to navigate and anticipate risk before it becomes a crisis. We are here to manage risk so you don’t have to.
Sign up!
For industry-leading guides and analysis sign up for our blog below.
Latest News
Podcast | Risk Takers Series #05 Corporate Counterespionage
Its not always the stuff of cold war spy novels but corporate or economic espionage continues to affect businesses all over the world both large and small at an exponential rate. It seems like there’s…
Read Morerisk-takers #04 Brad Orsini – Community-based Security
Visiting our places of worship shouldn’t be dangerous. Unfortunately, faith-based organizations are facing the difficult challenge of how to protect their congregations from religion-motivated violence, and still maintain the welcoming, open environment community members expect.
In this week’s episode Brent calls up Bradley Orsini, the Senior National Security Advisor of the Secure Community Network, the official safety and security organization of the Jewish community in North America to discuss these issues, lessons learned from the mass shooting at the Tree of Life Synagogue, and the most effective strategies faith-based organizations can use to protect their congregations.
Read MorePodcast | Risk Takers Series #04 Brad Orsini – Community-based Security
Visiting our places of worship shouldn’t be dangerous. Unfortunately, faith-based organizations are facing the difficult challenge of how to protect their congregations from religion-motivated violence, and still maintain the welcoming, open environment community members expect.…
Read Morerisk-takers #3 Surveillance Detection Routes (SDR)
Have you ever had a gut feeling you were being followed? You might not be so crazy after all. It’s a frightening thought. You’ve spent years building your business, but all it takes is one bad day to compromise that dream. In this week’s episode Brent sits down with FBI Special Agent (Ret.) Dell Spry to discuss surveillance detection routes, what they are, and how they can be used as a spy detector device to find out if you are under surveillance.
Read MorePodcast | Risk Takers Series #3 Surveillance Detection Routes (SDR)
Have you ever had a gut feeling you were being followed? You might not be so crazy after all. It’s a frightening thought. You’ve spent years building your business, but all it takes is one…
Read More