Countermeasures to industrial espionage

Most South African companies don't take information security-related law seriously, and are exposed to industrial espionage.

Seth Mukwevho
By Seth Mukwevho, analyst.
Johannesburg, 06 Feb 2015

The ideal security system is one that is fairly monolithic in its overall structure, and has as many overlapping layers of security. In this Industry Insight, I shed light on the security measures: legal compliance, public-private partnership, vetting, compartmentalisation, and physical security. It is reasoned that such measures will constitute some of the barriers of corporate security.

Legal compliance

Industrial espionage is seen as poor corporate governance practice, which, if left unchecked, has the capacity to negate hard work, and ultimately leads to business insolvency. It also has the capacity to derail good diplomatic relations among nations, and may lead to other types of negative behaviours.

Most countries, therefore, use legal instruments to proscribe industrial espionage. An assortment of laws protects products of research and development, such as patent rights and intellectual property. Of the countries that prosecute business spying, the United States leads with its Economic Espionage Act of 1996 (EEA). The detailed nature of the anti-trade theft law such as that of the United States has not been adopted by other countries, most notably, European countries.

The implementation of the Electronic Communications and Transactions Act, 2002, by corporate SA, can go a long way to protect companies against industrial espionage. The aforesaid Act provides guidelines on how companies can strengthen their information security. Unfortunately, the studies conducted revealed that most companies in SA don't take information security-related law seriously, and as a result, they are exposed to industrial espionage.

Public-private partnerships

One of the most widely used measures for mitigating threats and crime in the international community is public-private partnerships (PPPs). In this Industry Insight, PPP refers to formal co-operation between the public and private sectors to combat industrial espionage.

The essential elements in the PPP relationship are an agreement to work together, delimitation of responsibilities, and appreciation of both negative aspects, such as risks and losses, and advantages, such as rewards, benefits and fruits of partnership.

In the information security environment, it is strongly emphasised that the relationship between the public entity and the private agency is structured and contracted. Such a contract should explain the responsibility of each party, disclose risks each contracting party is likely to incur from the relationship, and illustrate the benefits that are expected to accrue. The overriding goal of the PPP in the security environment is to protect trade secrets and assets, advance national security interest, increase security awareness, and ensure the well-being and integrity of the country.


Vetting refers to the process of diligent investigation and appraisal of counterparties and relevant constituencies, in particular, employees. Also referred to as a personal security clearance system, vetting is intended to ensure security-sensitive information and infrastructure is entrusted to people who have a disposition towards honesty, maturity, trustworthiness, tolerance and loyalty to preserve and protect assets from misuse.

Vetting is an ongoing process; on the human resources side, it starts before an employee is hired, and continues throughout the employment period. The objective is to promote consistency, encourage sustained acceptable behaviour, and maintain high security standards.

There are essential aspects that vetting regulations emphasise for appraisal. Personal details, criminal records and personal financial management areas are employee profile areas that should be subjected to stringent assessment.


Compartmentalisation refers to a process where an operational area is split into various inflexible segments. The aim is to protect business information about a product being developed from being leaked to inappropriate persons.

Each segment is responsible for producing a certain aspect of the final product. Employees of each segment are barred from accessing other segments or working on other aspects of the product. The effect of this policy is that product development information is contained, and any leak of information is not gravely disruptive, because it (information) is incomplete and useless.

Compartmentalisation in security works closely together with access control. Access control is aided by numerous instruments, such as locks, access gadgets, and biometric instruments. These instruments allow employees to have access only to areas in which they are relevant, and simultaneously prohibit them from precincts where their presence endangers security. An employee who insists on transgressing these boundaries is considered a security risk.

[Industrial espionage] also has the capacity to derail good diplomatic relations among nations.

Compartmentalisation works best in a strict environment; therefore, if the offending person is consistently not acquiescent to the security system, he is barred from the company. Applied correctly, compartmentalisation is an excellent concealment instrument, greatly reduces opportunities for information leaks, and frustrates espionage agents.

Physical security

Physical security is another best practice used to counter industrial espionage. Physical security refers to physical measures constructed to regulate the movement of people and preserve organisational assets from the reach of hostile entities.

The major objective of physical security installations is to control access to facilities, information systems and production operations. Efficient physical security protocols prevent access to intruders, delay illegal movements of hostile agents, and ensure protection of property. Adequate countermeasures protect client assets, personnel, intellectual property, and trade secrets, and prevent fraud.

From this perspective, physical security is no longer rooted in old prism, but rather in converged paradigm, including alternative power sources, data backup, fences, human guards, locks, fire suppression systems, biometrics, and video surveillance cameras, among others. For added value, physical security should be linked up with other corporate governance requirements and electronic security measures.

With regard to best practice for business security, a multi-layer counter-espionage framework is best suited for business protection.

#Mukwevho and Rabelani Dagada investigated industrial espionage as part of studies that were done under the auspices of the University of the Witwatersrand and the University of South Africa.