The American Greed Report: Corporate spying costs billions, can it be stopped?
Hotel giant Hilton (NYSE: HLT) wanted to develop an all-new luxury hotel chain called Denizen to satisfy a growing market for high-end accommodations. Its competitor Starwood thought Denizen seemed very similar to its successful W chain. Too similar. And in 2009 Starwood Hotels & Resorts filed a corporate espionage lawsuit against Hilton, claiming two former executives who left to work at Hilton stole, and recruited others to steal, more than 100,000 documents full of sensitive information.
The documents, Starwood said, included trade secrets like a step-by-step guide to creating a new luxury brand from the ground up. Starwood said the name Denizen itself came from a concept Starwood developed for the W chain called the "zen den." In the end, Hilton settled with Starwood for $75 million and had to drop the Denizen brand. Hilton did not admit wrongdoing as part of the settlement, saying in a statement, "Hilton Worldwide regrets the circumstances surrounding the dispute with Starwood Hotels & Resorts Worldwide and is pleased to bring an end to this prolonged litigation."
According to the FBI, tens of billions of dollars are lost every year to corporate espionage. This may not just be a matter of how much money is lost, says Alan Brill, senior managing director of cybersecurity and investigations at Kroll. "It can be whether the business is able to continue or fail, whether all the customers are stolen away."
In many corporate espionage cases, employees who are leaving one company to join another steal information on their way out, as Starwood claims happened in its case. More recently, Waymo, the self-driving car unit of Alphabet (NASDAQ: GOOGL), Google's parent company, is also alleging that an outgoing employee stole company secrets in an ongoing civil lawsuit against Uber. Waymo claims a former engineer stole 14,000 company documents before going on to start Otto, a self-driving truck company later acquired by Uber. Uber has denied wrongdoing and has called the lawsuit "a baseless attempt to slow down a competitor."
Corporate espionage schemes can also occur when people already working for someone else infiltrate a company, or employees who've already left a company leave behind co-conspirators who send them data. Brill remembers one case where a construction organization couldn't figure out why a competitor was just barely underbidding them — until they realized insiders were providing a former employee with their bids.
The type of information stolen can vary. "Each company has its own crown jewels of data," Brill said, "whether that's a business process, a chemical process, a trade secret, costing figures from the cost accounting department, bids, profitability, or future plans."
Motives and methods
Many employees or former employees steal data purely for financial gain, but another common motive is revenge. "You're mad at the company, they fired you, you want to get back at them. And one way to do that is by taking information," said Brill.
Back in 1997, for example, an engineer at a company working for Gillette faxed and emailed drawings of Gillette's new razor to rival companies. The engineer said he stole the designs because he was angry with his boss.
The reasons people steal data haven't changed over the years — but technology has had a huge impact on the methods. "Thirty years ago I might have been dealing with people at a small casino who had a falling out and one of them is leaving to go to a competitive organization and they steal the high-rollers list," said Brill. "And they did that by probably taking last week's printout, and instead of shredding it, they put it in their bag."
These days, information goes out on USB memory sticks or is pulled off of laptop computers. Information is also commonly transmitted through File Transfer Protocol, or FTP, where files are transferred from one computer to another across the internet or a local network. Employees also use data-sharing services like Dropbox and video conferencing software like Skype to send confidential information.
Espionage happens in companies of all sizes, and can actually be easier to commit in small- to medium-sized businesses. "You would likely have more access to information than if you were in a large organization with a lot of people, sophisticated business practices and sophisticated information security," Brill said.
Signs someone is stealing data from your business
If your company has the technology to look at the network — it can be suspicious if an employee is sending emails to their home email address or another strange address, or if you see them using FTP or a USB stick.
Unfortunately, Brill says, companies often don't realize there's a problem until it's too late. "Customers start telling you they're getting a call from a competitor you've never heard of that is amazingly underselling whatever you're doing, or giving better terms than you have given confidentially to your customers," he said.
What companies can do to protect themselves
While we normally trust the people we work with, Brill recommends companies move more toward a "trust, but verify" approach. "I really do believe that people are honest, but I also know that there's a small percentage of the population that isn't," he said. "So I need to use technology to monitor what's going on in my network and try to get an early warning."
In the past, Brill says companies tended to build walls around the system, much like a medieval castle. The idea was, "I'm going to defend the perimeter, and I'm not going to let the bad guys in."
The strategy has shifted to having a good defense — but also monitoring the information that's going in and out. Consult with IT and risk management professionals who can help your company put protections in place. Some important steps companies can take:
Install technology that monitors everything going into your email system to determine if it's a legitimate message or if it's phishing or malware.
Monitor for what's going out of your email system as well by installing leakage control systems. These can, for example, tell whether data is being sent to Dropbox or personal Google, Amazon or Microsoft cloud accounts. They can also monitor for documents or spreadsheets going out.
Use whitelisting, which lets you specify which applications are approved to run on a computer system. Anything not on the whitelist won't run, which protects the network from malware and other harmful applications.
Consult with labor employment counsel to make sure your agreements on who owns intellectual property and prohibiting misuse or removal of such property are up to date.
Pamela Passman, president and CEO of the Center for Responsible Enterprise and Trade (CREATe), says one of the biggest challenges for companies is that they actually do have the ability to collect and monitor data, but they don't take the time to look at and analyze the data. When an incident occurs, "they'll often go back and say, 'Yeah, wow, there was a lot of activity that night.'"
Closely monitoring employees may seem like "Big Brother" watching to some, but Passman says keeping track of what goes in and out of your company electronically isn't too much different from monitoring what goes on offline. "Somebody sitting at their desk late at night when it's unusual to do that, someone's carrying out big boxes, somebody's going to take a look at that," Passman said. "So it's not too different from the physical world."
If you discover that data has been stolen
If the data's already gone, do everything possible to preserve the evidence. If a former executive has a laptop that they stole information off of, for example, get the laptop back before the person can destroy the information. If you determine you want to take legal action, you'll need to provide your attorneys with the best possible evidence of what happened and who was involved.
Putting technology in place that makes your business more secure can give you peace of mind and be an important investment in your company's future growth and innovation. "Just because you decide you're going to ignore a risk, doesn't mean that the risk is going to go ignore you," Brill said. "You need to think in terms of — this could happen."
More From CNBC
