At its most powerful, espionage uses trusted insiders to steal information covertly from an organisation, leveraging routes enabled by its cyber infrastructure. It is difficult to detect, it is impossible to eliminate entirely – and the number of incidents is growing as organisations become increasingly dependent on cyber infrastructure, giving individuals both more opportunity and more access.
There are three key steps an organisation can undertake in order to manage this risk effectively.
Firstly, treat the threat of espionage seriously.
This is a board-level issue, since an organisation's reputation, finances and operations are at stake. The real sources of risk and level of vulnerability must be identified and understood - in physical security, people management and culture, information assurance and technical measures. Once these are identified, a clear strategy with associated accountability is needed, one that brings together the risk faced, the organisation's assets, and how they need to be protected.
Secondly, effective security can be a source of real business value, not just an overhead.
The cyber challenge is not just one of reducing the risk of loss of IP/sensitive information. Organisational trust and effective security can serve as business differentiators, rather than a 'necessary evil'. The best organisations already know this and recognise that customers, partners and suppliers value those who can properly protect their confidential information and business interests. This is not to say that losses will never occur; but when they do, they are a rare exception and the organisation is seen to respond appropriately and learn from them. Most importantly, critical stakeholders will know that security is a priority, and their trust will not be significantly dented.
Thirdly, develop a culture of awareness and responsibility.
If employees feel loyal to the business, and recognise that its success and their own are linked, then there are likely to be fewer insider-led incidents. Positive measures, such as incentive packages (for example, bonuses or share options), can reinforce this. Ensure that high-quality line management is recognised and rewarded too, and that performance measures take into account good information management. An appropriate and pragmatic blend of controls and monitoring will help deter and detect negative or potentially damaging behaviour, so that timely and suitable action can be taken.
Applied well, these measures will drive down opportunistic crime and human error by insiders, help pick up and prevent serious employee disgruntlement, build an organisation's reputation for deserving its customers' trust and, as an additional benefit, provide a strong compliance story to tell.