Read NBlog, the NoticeBored blog
Click the banner for the site map of NoticeBored.com, the information security awareness service
NoticeBored this month

   

Industrial espionage

Introduction and scope of the topic

See all the new postersWe often read about security incidents involving personal information in the newspapers.  Multi-million dollar credit card and social security number exposures grab the headlines and consume many column inches.  There are even websites dedicated to totting-up the sordid numbers.  There are laws and regulations to protect personal data, and most of us accept that our privacy is inherently worth protecting, no question.

When it comes to protecting confidential proprietary information belonging to corporations, however, the situation is less clear.  Someone taking, say, their former employer’s customer list to a new job may be ‘frowned upon’ but evidently this practice is often tolerated and is probably fairly common in practice.  Indeed professional résumés boast of prior work experiences and major projects, with the implication that proprietary knowledge and expertise gained on prior assignments is effectively for sale to the highest bidder. 

News stories involving industrial espionage are few and far between.  Why is that?  It’s conceivable that there are not many incidents, but it seems far more likely that most simply don’t see the light of day – in other words, they are kept under covers or quietly hushed-up, or perhaps they are just not identified as such.  As with personal data breaches, organizations are understandably reluctant to admit their security failures and discuss the vulnerabilities that were exploited, knowing that they reflect badly upon them and detract from their brands.  Possibly some fear that revealing incidents risks disclosing yet more of the proprietary information in question, or encouraging further attacks.  Without the legal pressures that force disclosure of many privacy breaches, organizations are within their rights to say nothing and evidently this is the most favored option in practice.

Outline of the awareness module’s content

The mind map shows key messages in the awareness materials:

All employees mind map

Starting on the left of the diagram, we discuss the possibilities of deliberate theft of trade secrets and other proprietary information by competitors or their agents, and the problem of the organization disclosing information to competitors - two quite different types of threat.  On the right, we outline a range of information security controls used to minimize the threats.  [Note: this mind map belongs to the ‘all employees’ stream, and as such is relatively high level.  The managers’ and IT professionals’ streams take slightly different, more detailed perspectives.]

There are 32 types of awareness material in the new module.  As always, the regular ‘awareness activities’ paper (now marked START HERE as a big clue!) suggests to the security awareness people how best to use the materials and provides creative awareness ideas linked to the industrial espionage topic:

Describes what's in the module

August’s NoticeBored module is packaged and delivered to subscribers as a compressed Zip file totalling about 60 Mb containing the editable MS Word, PowerPoint, Visio and JPG files, plus 4 screensavers, described above and shown on the directory listing below.  As well as the editable MS Word version of the newsletter, we’re including the secure Acrobat PDF version of the newsletter which can be freely circulated outside the organization.

NB module contents #87

NoticeBored is for you, yes you!

If this brief outline of our latest awareness module intrigues you, why not contact us to evaluate NoticeBored?  We’ll send you the contents of a complete module, plus an evaluation license for you to try them out.  There’s no commitment or charge to evaluate.  Find out what makes NoticeBored different and discover what led ENISA to describe us as “best practice experts” in security awareness.  We can even help you build a budget proposal to invest in a security awareness program.  When finances are tight, remember that awareness is the most cost-effective form of security.  A dollar spent on security awareness achieves much more than a dollar spent on security technologies such as firewalls, antivirus controls and suchlike.  Alert, security-aware employees who appreciate the symptoms of security attacks or incidents and know how to respond are far less likely to succumb.  Make security everyone’s business with NoticeBored.
NB home > NB this month >

Copyright © 2010  IsecT Ltd.