Industrial espionage: How purchasing can protect themselves

Kloepfel Consulting GmbH / Industrial espionage: How purchasing can protect themselves

Industrial espionage: How purchasing can protect themselves

Reading time 3 minutes

Bugs, hidden cameras and tapped telephone lines – even in Germany such espionage actions are no longer uncommon. In this article we write about the risks and appropriate preventive measures.

The middle class as a target

Security structures are the key to success in the economy: While large companies such as global players usually have high-quality protection measures, this is less true for medium-sized companies. Often, avoided costs or preferred investments in machines in order to maintain competitiveness are the reasons why security structures in companies are only rudimentarily implemented. This makes SMEs a target.

One example of a “successful” espionage operation is a medium-sized company in Erlangen that specializes in high-tech turntables. Shortly before the discovery of the espionage attack, the German entrepreneur was granted a patent for an innovative turntable warehouse. The module and its components were presented at an international trade fair. The perfidy: At a Chinese stand, a component was found that came so close to that of the turntable specialist that it was immediately clear to the entrepreneur that he was the victim of an espionage attack. After a short time it was clear that his company’s IT was being attacked from China.

Such an experience is probably the nightmare of every entrepreneur. The damage a spying can cause is immense. The Federation of German Industries assumes that industrial espionage causes damage amounting to 50 billion euros annually. Every third company is affected and the number of medium-sized companies is rising.

Common forms of espionage

German competitors are also a dangerous threat because they can also gain access to information. Particularly popular with spies are those industries that offer technical know-how and are therefore on the lookout for innovations. These include, for example, the automotive and aircraft industries as well as mechanical engineering.

From hacker attacks on websites, online accounts and e-mail addresses to eavesdropping attacks with directional microphones up to the bug in a promotional gift: the creativity of data thieves to obtain important data such as construction plans and designs is hard to beat. So-called key loggers enable the perpetrators, for example, to log the entries made by employees on the keyboard and thus monitor them. The constantly evolving technology makes it very difficult to resist espionage attacks. The other side is represented by the employees: Almost every second crime is committed by their own employees, who often pass on sensitive data to the competition for money.

Data theft in purchasing

The data thieves are very interested in product developments and price information. These represent the largest part of the espionage targets, because with the help of this information clear competitive advantages can be achieved. But also supplier and purchasing conditions as well as stock levels can be obtained and thus lead to unfair advantages. The supplier is an important instance in the product development chain and has a high risk potential due to the confidential data regarding purchasing conditions or innovative components. Since some of the suppliers make their business relationships with the individual company public, they can simply be identified as their suppliers. This means that the company can also be spied out via the supplier. Therefore the procurement area is particularly endangered and must be sufficiently protected.

If you act carelessly, the competition may notice that a company wants to bring an innovative machine onto the market or is purchasing with better conditions. The competition could contact the supplier and ask for the corresponding discounts. Currently, the appreciation of purchasing in medium-sized companies is changing. New potentials are created to implement savings in purchasing. This is a competitive advantage that a competent buyer does not want to gamble away through espionage.

The most important protective measures in purchasing

But how must a buyer act in order to keep the risk potential in purchasing as low as possible?

It should be a standard procedure to install anti-virus software and a firewall on all computers. Since so-called phishing attacks make it possible to access sensitive data by opening fake WWW pages, e-mails or short messages, one should try not to transmit important documents via e-mail or fax. If this is difficult to avoid, encryption should be used here. In order to clarify important matters, personal conversations should be sought instead of telephone calls. Telecommunications must also be protected, as even amateurs are able to install a bug in the telephone set. Preventive measures for this are line monitoring or voice encryption methods. The encryption of internal communication, bug-proof cables and an interfering signal to superimpose the IT radiation are indispensable to protect against attacks.

Through practical workshops, scenarios and dangers in daily business can be identified and countermeasures taken. It is advisable to conclude a written non-disclosure agreement with the supplier in order to be legally protected in the event of spying.

Employees who are deliberately infiltrated, who store internal data and bug the telephones, are difficult to identify if they behave inconspicuously. As a result, activities that allow access to sensitive data should not be carried out by temporary staff or outsourced. Attackers also use social engineering to obtain relevant information from purchasing. This method exploits character traits such as friendliness and helpfulness to elicit valuable knowledge from employees. A simple example is that an attacker pretends to be a colleague and needs to have an “urgent” file sent to him. In order to avoid “social engineering” as far as possible, the screens should be locked when leaving the workplace so that unauthorized persons cannot infiltrate the computer network. A risky but efficient way to better assess future employees is to consciously expose them to a stress situation or a fictitious scenario during an interview that involves dealing with confidential information. The question might be how the candidate would deal with an unannounced gift from a supplier who sends nothing else or whose name is unknown. The “test” should, however, be dissolved in order to avoid damaging the relationship of trust between the employer and the potential employee. Finally, the sensitization of purchasers, suppliers and employees for the topic of industrial espionage, which is unfortunately still taken too lightly at present, helps.

It is a challenge to put interpersonal trust and caution, technically as well as personally, into practice in a balanced way. However, early implementation of protective measures is essential to lay the foundations for corporate security.

The authors:

Thomas Wandler, Partner Kloepfel Consulting Austria

Ilja Kipermann, Managing Director Kloepfel Outsourcing

For further information please contact: [email protected] oder [email protected]

Content

Back to Top