Written by: James Hart
The names have been changed, but the following story is a compilation of real situations faced by real businesses.
Doug Medford had never considered himself paranoid. But there were too many coincidences to merely be coincidental.
Medford, the CEO of a small Midwestern manufacturer, learned that an up-and-coming competitor from China had reached out to every single company on his customer list, just ahead of his busiest sales season. Not only was the other company’s product list an almost exact copy of his own soon-to-be-released update, the pricing was – in every single case – 5 percent less than what he had planned to charge.
It was obvious to him: Someone had stolen highly confidential information from his company.
Was it hackers? Medford could count on one hand the number of people who had access to those plans. They were among his most trusted employees, men and women that he had believed above suspicion. Now he was wondering if one of them had betrayed him — and whether that betrayal extended to even more sensitive information.
That’s why he was sitting in the office of his security consultant early on a Monday morning, telling his story and wondering if he was crazy to suspect that he had a spy on his staff. His company made parts for a very rare, very boring type of equipment, for Pete’s sake.
“You’re not crazy,” the consultant said, sipping his coffee. “Theft of trade secrets is a huge problem.” According to one report, the US economy loses about $225 billion to $600 billion each year to trade secret theft, counterfeit goods and pirated software. A lot of people assume it’s only about technology, but trade secrets like pricing structures, customer lists, they can be very valuable, too.
“But that’s not the real reason why you’re here, is it?”
When Theft of Trade Secrets Could Mean Losing the Company
Medford shook his head.
“No, it’s not,” he said. “Having our plan stolen is a pain in the neck, but we can create a new strategy in time for the big ordering season. What I’m really worried about is our proprietary process.”
The process had taken years and millions of dollars to develop. It was a competitive advantage that nobody else in their vertical had, and it allowed Medford’s team to build parts that were literally world class and capable of lasting years longer than competitors’ did.
Which is why the files on the process were kept strictly offline in a tightly controlled file system. They should have been impossible to access … but that’s what Medford had thought about this year’s business strategy, too.
A chill ran down his back. If he had lost that secret, the odds were good that he would lose his business, too. The process was that valuable.
The security consultant put down his empty cup and looked Medford in the eye.
“Economic espionage is a big problem, and because it involves a foreign entity, that’s what this probably is,” he said. “But you’re doing the right thing, and that’s on top of all the other investments you’ve made in security and prevention. Give me a few days. We’ll find out how this leaked — your team might not even be responsible — and see how bad the damage really is.”
Ruling Out the Possibilities
It was a little after 3 p.m. Wednesday when the security consultant knocked on the door of Medford’s office. The business owner looked like he had barely slept since their meeting on Monday.
“I’ve got good news and bad news, and then some great news,” the consultant said. “We know what happened and how, and unfortunately, it wasn’t hackers — someone on your team deliberately sold that information to the other company.
“But here’s the great news: They didn’t get anything on your secret process.”
Medford practically collapsed into his chair. The consultant sat down across the desk from him.
“Our technology team audited your system, and they didn’t find any evidence that any outsiders have accessed it,” the consultant said. “That’s great news. Your team has done a terrific job avoiding phishing attacks that could have undermined your security. The training has paid off there.”
But that’s only one way that bad actors can steal information from computers and smartphones. Business travelers have frequently seen their devices broken into while visiting other countries.
“So we looked at your team’s recent itineraries,” the consultant said. “You’ve had a few people on overseas trips recently, but none of them had your customer list or upcoming business plans on their machines.”
That was both good and bad, he explained. It meant that, in all likelihood, someone on Medford’s team had betrayed him.
How to Spot a Potential Traitor
“There’s a long list of indicators that someone might be tempted to steal sensitive information,” the security consultant said. That includes things like …
- Severe changes in behavior, work habits or general demeanor
- Unexplained affluence
- Financial hardship
- Excessive spending or excessive debt
- Inappropriate use of photocopy, computer or printer equipment
- Attempts to circumvent security procedures
- Unreported foreign national associations
- Excessive or unreported foreign travel
- After-hours access to buildings and classified material
- Substance abuse
- Unauthorized removal of classified or trade secret material
“On their own, none of these are proof that someone is a threat,” the consultant said. “Honestly, it doesn’t mean anything if someone meets most of the conditions on this list. But it can help you identify people who deserve a closer look.”
And that’s what the consultant and his team had done. In a series of private conversations with other employees, they were eventually led to one person.
“Cindy Milan, the administrative assistant for your senior VP of marketing,” the consultant said. “Once we sat down with her, she admitted to having copied and stolen the plan. She even tried to get access to your more sensitive files, but your document controls held.”
Medford almost laughed when he heard the name. Milan was in her mid-60s, a few years away from retirement and one of the least-threatening people he had ever met. She had joined the company more than 20 years and was absolutely the last employee he would have suspected.
“Turns out, the last few years have been rough for Mrs. Milan,” the consultant said. “Her husband was laid off and hasn’t been able to find a new job. They also owe a large amount of money for a couple so close to retirement.
“When we talked to the people closest to her, they noted that she had grown sharper and, well, angrier about how things were going at the company. Little comments here and there. And her schedule started to change. Suddenly, she was the very last person to leave the office almost every day. One person said they regularly saw her car in the parking lot on Saturday mornings.”
The Best Way to Catch a Bad Employee? Good Employees
It was a little surreal for Medford. He was stunned that Cindy — someone he thought liked working for him — could have betrayed him and put the livelihoods of all her coworkers at risk.
“I know this is a lot to process,” the security consultant said, “but there’s one thing I want to impress upon you. One of your people abused your trust, but the rest of your team is a big reason why we were able to find the leak so quickly. Ultimately, your employees are your first line of defense. They were observant, and once we asked the right questions, they were clearly able to point us in the right direction.
“But there’s still a gap in your training. To prevent a major breach, your people also need to be trained to report when they see something suspicious. The changes to Milan’ schedule — especially how she was spending large amounts of time alone in the building during off-hours — were a red flag.
“And if her manager had known that she was so bitter, it might have been an opportunity to address the root of her unhappiness before she committed a crime.”
After they planned out their next steps — including a promise to undertake a thorough risk assessment of other weaknesses and potential targets — Medford shook the consultant’s hand. The businessman looked exhausted.
“Listen, this is hard,” the consultant said. “But this is what a happy ending looks like in a case like this. Too many companies don’t catch the bad guy in time and end up losing everything. You’ve been betrayed, but you avoided a major loss of sensitive information. More importantly, you’ve gained something very valuable: You know how to prevent something like this from happening again.”
- Smart businesses identify their most valuable information — whether those involve technological advances or client lists — and build systems to control access to that knowledge.
- Technological security solutions (including encryption and firewall tools) are important, but it’s equally critical to train employees to spot potential warning signs and report them to management.
- Know the potential signs that an employee might be a security risk. While none of the signs are proof of wrongdoing, they could lead your team to intervene before an employee crosses a red line.
At Chesley Brown, we understand that planning for the unknown can be daunting. That’s why we’ve built a framework that enables businesses to navigate and anticipate risk before it becomes a crisis. We are here to manage risk so you don’t have to.
For industry-leading guides and analysis sign up for our blog below.
Maximizing safety for students and employees If you’re anything like me, keeping your family safe is your number one priority. During the Covid-19 pandemic, this means minimizing social contact to reduce the chances of infection. …Read More
Risk is not optional. If you own a business, chances are, you will confront risks at some point. What’s more, as your business grows, potential business disruptions will increase in both frequency and harm potential.…Read More
Why your business should be transitioning to touchless tech right now As a business owner in the retail industry, adjusting to the Covid-19 pandemic is a huge challenge. Nevertheless, you’ve crossed your t’s and dotted…Read More