From the analysis of the primary and secondary data collected about industrial espionage in South Africa, it is evident that corporate SA should implement the following five measures to mitigate the problem - firstly, employ multi-layer security; secondly, employ the principle of 'need to know'; thirdly, e-mail communication; fourthly, protect mobile devices' data; and lastly, recruit quality and skilled employees.
1. Employment of multi-layer security measures
One-hundred percent information security may not be possible to attain; nevertheless, using a combination of measures can improve business security significantly. Each corporate entity needs a 'multi-layer security' solution to deal with information security risks and industrial espionage in particular.
The question is: given corporate Africa's industrial espionage record, what should its multi-layer security strategy entail? My opinion is it should contain education. This point is informed by the belief that some employees in companies can be the biggest risk, hence the ideal way that companies can minimise that risk is by training. The training module is global, and touches every aspect of security.
There are three areas identified that training should be focused on, namely physical security, the technical aspects and social engineering. Accompanying education is the testing of employees to assess whether they are internalising security lessons. The intention of training is to build awareness of business security and ensure security is deeply entrenched in the human resources component of the business organisation.
2. Employing the principle of 'need to know'
Training such as the one mentioned above should inculcate the principle of 'need to know', related to information security. Access to electronic and non-electronic communication systems should be extended to only those who need to know them and who will use them.
Advancing the theme of 'need to know', which is actually grounded in compartmentalisation, ICT applications such as e-mail should be encrypted and should have high-strength passwords. Encryption should be applied to crucial company strategy documents as well.
The theme emerging is that education makes employees more alert to security issues and the equipment they use should conform to that level of security.
3. Securing e-mail communication
E-mails are a major source of malware in any computer system. Some business information is also communicated to espionage agents through this medium.
In some instances, people store crucial business information on e-mails, sometimes using Web-based e-mail services such as Yahoo, Webmail and Gmail (Google). This is a major risk to the integrity of business knowledge management, and encourages industrial espionage.
One of the solutions is to automatically archive outgoing e-mails so the company can audit (when necessary) e-mail contents that were sent out as part of industrial espionage.
4. Securing mobile devices' data
Business information is also easily stolen from handheld, mobile devices such as laptops and cellphones. Business leaders use these instruments to communicate, and for some, to store information.
However, business information peddlers easily steal information from these devices, especially when they are linked to a cordless source of data such as WiFi. In SA, most techint (technical intelligence) takes place in this manner.
From the data analysis of the research on which this Industry Insight is based, it is noted that a security strategy appropriate for this type of electronic attack is what is known as 'air defence product'. I recommend the 'information wiper system', produced originally by Research In Motion (manufacturer of BlackBerry).
Information wiper is an automated information erasing system activated when a BlackBerry is lost. The 'air defence product' does two things. Firstly, it serves as an electronic sensor instrument around organisations and reports to the server of all illegal intrusions. Secondly, it provides detailed intelligence to the server administrator of all the activities of the malicious hacker. Therefore, the air defence system provides early-warning reports whenever a techint intrusion takes place.
The main emphasis is that business security systems should contain an effective early-warning capability, as in traditional intelligence organisations.
5. Employing quality and skilled human resources
Early warning calls for immediate response. Thus, it calls for quality human resources to deal with techint methods of industrial espionage. Analysis shows SA should invest in quality information security personnel in three areas, namely prosecutors, police officers (cyber cops) and the corporate sector, all of which are presently inadequate.
Education makes employees more alert to security issues.
Lack of capacity among police and prosecutors means cases involving techint, such as eavesdropping, bugging and industrial espionage, are not being prosecuted efficiently. It is also observed that court cases involving techint are difficult to be prosecuted successfully in SA. The corporate sector also lacks advanced knowledge with regard to problems related to technical intelligence.
The picture that emerges from consulting with various experts is that SA is extremely vulnerable in dealing with electronic methods of intelligence collection.
Unfortunately, information about security breaches reach businesses when much of the damage has been done. Furthermore, many CFOs are not educated in security and find it difficult to invest the huge financial resources needed to install effective multi-layer security systems. Most security managers still have a strong focus on physical security rather than the intrusive technical intelligence methods of espionage.
If the five information security measures discussed in this Industry Insight are implemented, corporate SA will go a long way to protect itself from industrial espionage.
#Mukwevho and Rabelani Dagada investigated industrial espionage as part of studies that were done under the auspices of the University of the Witwatersrand and the University of South Africa.
Share