Industrial espionage is the covert, and sometimes illegal, practice of investigating competitors to gain a business advantage. The target of an investigation might be a trade secret, such as a proprietary product specification or formula, or information about business plans. In many cases, industrial spies are simply seeking data their organization can exploit to its advantage.
An industrial spy may be an insider threat, such as an individual who has gained employment with the company for the purpose of spying or a disgruntled employee who trades information for personal gain or revenge. Spies may also infiltrate through social engineering tactics, for example, by tricking an employee into divulging privileged information.
Spies sometimes physically breach the target organization and investigate the premises. In that case, they might search wastebaskets or copy files or hard drives of unattended computers. Increasingly, the intrusion is through the corporate network. Typically, a targeted attack is conducted to gain initial network access and then an advanced persistent threat is carried out for continued data theft. The capacity of cell phones to record and transmit can also be exploited by leaving a phone in a boardroom, for example, and monitoring a meeting remotely. Recording devices also may be secreted in a variety of items including eyeglasses, pens and USB sticks.
Industrial espionage is most often found in technology-focused companies, in part because of the considerable expense of technology research and development (R&D). At the same time, technology moves rapidly in active markets. This makes time-to-market for new products critical. Collectively, these elements incent individuals and companies in technology fields to spy on each other and, if need be, to obtain information illegally in order to achieve competitive advantage.
Industrial espionage and spying can occur in any industry -- from food and beverage to fashion and entertainment. However, technology is one of the most targeted industries. Key technology industries that are often targeted include computer, semiconductor, electronics, automotive, aerospace, biotechnology, energy, pharmaceutical and high-tech manufacturing. Each of these industries spends a considerable amount on R&D and all experience immense pressures to get products to market quickly.
The companies most vulnerable to industrial espionage are those that fail to carefully screen new employees, as well as the ones that use only minimal security on premises and over intellectual property (IP) and trade secrets that may be in their digital assets. Employee risks are significant because many industrial espionage and spying acts are perpetrated by disgruntled or opportunistic employees who commit theft of trade secrets or valuable information to use on their next jobs or to take to the open market for sale.
Companies with loose security controls and checkpoints over their IP and digital assets also are susceptible to a cyber attack or cyberespionage from an outside bad actor who has penetrated their network to steal information and gather intelligence. This espionage can come from domestic or foreign companies, because the world of corporate espionage is both varied and widespread. Although cyberespionage often involves IP or trade secrets, it can also come in the form of economic espionage that gives a nation access to a foreign power, so it can obtain sensitive economic information from a company or government.
Types of industrial espionage
Industrial espionage and corporate spying are conducted through a variety of channels and for various purposes. Some espionage is conducted through legal channels and some is conducted illegally. The following are examples of some common types of industrial espionage.
IP theft. This type of espionage comes in many different forms. For example, it can be a theft of engineering designs from an automobile or aerospace company; a formula for a new drug from a pharmaceutical company; a recipe from a food and beverage or vitamin supplement company; new robotic manufacturing processes from a high-tech manufacturer; or even pricing sheets and customer lists. These items may be stolen by outsider perpetrators or foreign governments, or by employee insiders who are disgruntled or see a way to get hired or compensated by a competitor for the theft.
Property trespass. Breaking into physical premises or files to obtain company information is another form of industrial espionage. A surprising number of critical corporate assets are still in physical form and may be obtained by insider employees or by outsiders who gain access to the premises.
Hiring away employees. Competitors frequently try to hire away employees from companies to gain access to information the employees have acquired on the job. Most of the time, the knowledge employees obtain on the job is part of the trade and is legitimately transferrable, but there also are times when employees leave with valuable trade secrets and formulas in their heads that they can put to work for their new companies.
Wiretapping or eavesdropping on a competitor. Those desiring information from a company can set up portable devices that listen in or record certain conversations, such as a confidential board meeting. In some cases, this wiretapping may be legal and authorized, but in others, it is illegal listening for the purpose of economic or strategic gain.
Cyber attacks and malware. Whether it is through a distributed denial-of-service attack or an infusion of malware that corrupts a company's network, companies, governments and organizations also seek to disrupt each other by sabotaging daily operations and disabling their ability to work.
Industrial espionage vs. competitive intelligence
Industrial espionage is distinct from competitive intelligence, which is confined to the gathering of publicly available information.
When organizations, companies and governments gather competitive information on each other, they research websites, publications, patent filings, articles and any other publicly available information that can tell them more about the organization they are researching. This type of espionage is open to anyone and is perfectly legal.
Industrial espionage, on the other hand, seeks to uncover nonpublic, proprietary information for a competitive or other advantage.
Notable industrial espionage incidents
Industrial espionage has always existed, and such espionage cases continue to plague companies and organizations of all types and in virtually every geographic area. The following is a sampling of a few incidents.
Patent law exploitation. In one case, a major semiconductor company sold an expensive, customized machine used in the semiconductor manufacturing process to a client in another country. The client's home country did not have patent laws that aligned with U.S. patent laws and the purchasing client company proceeded in its home country to legally reengineer the equipment and then commercialize it for sale in its country. The U.S. company's business in that country was undercut, so it attempted to sue its client. However, the lawsuit could not proceed in the client's home country where there was no patent protection or recourse available.
A disgruntled employee. In 2006, a disgruntled employee attempted to steal and then sell Coca-Cola's secret formula to Pepsi. However, she needed someone to help her. Through a friend of a friend, she found an ex-con to help her. She told him that she had highly classified information that would be worth money to Pepsi, but because she had signed a non-disclosure agreement with Coke, she could not sell the formula herself. The two decided to bring in a third person -- a white-collar embezzler who had done time with the other ex-con.
The embezzler wrote the infamous letter to the Coke exec, outlining the classified information he wanted to sell, and within two weeks, he received a response from a PepsiCo employee. The embezzler faxed 14 pages of Coca-Cola documents and received a wire transfer shortly after.
Unbeknownst to the embezzler, he was actually selling the formula to an FBI agent who was pretending to be a Pepsi executive. He also did not know that when Pepsi had received the initial offer letter for the information, Pepsi had immediately contacted Coke, which brought in the FBI to investigate and intercept the attempted espionage.
Shortly after the first exchange, the woman at Coca-Cola stole some classified paperwork and a product under development and had the embezzler approach the Pepsi exec again for more money. This time, they exchanged a portion of the goods for a box of cash. Days later, the Pepsi exec contacted the embezzler ex-con and offered to pay him more than a million dollars for the remaining trade secrets. The drop took place and shortly after, all three -- the woman who had worked for Coca-Cola and the two ex-cons -- were arrested. After a swift trial, the threesome was convicted and sentenced to prison.
Corporate acquisitions. Between 2014 and 2018, Chinese buyers acquired 51 Swedish firms and bought minority stakes in 14 additional ones. This included Chinese interests linked to the military, which invested in cutting-edge Swedish semiconductor startups. Similar acquisition activities are at work in the U.S. and the U.K.
Cyber attacks. In 2017, a petrochemical company in Saudi Arabia was victimized by a cyber attack that was intended to sabotage the firm's operations and trigger an explosion.
5 myths about industrial espionage
Sometimes companies can be caught unaware of industrial espionage risks that can do harm. Here are five common myths about industrial espionage:
- A U.S. patent provides complete protection for your product inventions and discoveries. If your company patents a product design, invention or discovery in the U.S., there is no universal international agreement among countries that will honor U.S. patent protections. A company must file for patent protection in each country in which it seeks to utilize its IP.
- Employees can be trusted. According to employee theft statistics from Comparecamp.com, in 2020, 95% of all companies said they had experienced incidents of employee theft and 75% of employees admitted they had stolen something from their employees at least once. Some of these thefts were of sensitive information.
- Most industrial espionage is conducted through cyber attacks. While a significant amount of industrial espionage is conducted over digital conduits, not all of it is. Bad actors still break into physical premises to steal information that is sensitive and that might not even be digitalized.
- Only bad actors commit industrial espionage. Employees still unwittingly share information verbally with others in informal conversation settings, like a backyard barbecue, a restaurant or a sporting event.
- Networks and digital assets with state-of-the-art security are safe. A company could have the most in-depth cybersecurity in the world, but if its IT department and business users fail to keep up with the latest security patches and practices, it is still vulnerable to a cyberattack.
How to protect an organization against industrial espionage
Companies can adopt the following practices to help protect against industrial espionage.
Carefully screen new hires. Many corporate HR departments routinely conduct background and security checks on individuals before they hire them, but not all companies do. Companies should carefully screen people before hiring them.
Monitor employee activities. Software now exists on virtually every network, hardware and software platform that can monitor employee activity such as access to specific data repositories, applications, and edge or portable devices. This security monitoring software can issue an alert if there is unauthorized access or if access is occurring in an area of the country or world where it should not be. This gives IT the ability to immediately investigate the incident.
Secure physical premises and assets. Companies can secure and monitor headquarters buildings and field offices. The includes requiring third-party service providers to also secure their physical premises as a condition to doing business with the company.
Secure digital assets. Security over digital assets should be implemented at the network, computer, application, and edge and mobile device levels. IT should ensure security patches are made promptly and check the incoming security settings on third-party devices such as routers and sensors to ensure they conform to corporate standards.
Fully patent company designs, inventions and discoveries. Any company contemplating the sale or use of its products to countries outside of the U.S. should apply for patents in those countries, as well as in the U.S., because there is no such thing as a universal international patent.
Use employee noncompete agreements. Engineers, scientists, attorneys and others who have access to sensitive information should be required to sign a noncompete agreement prohibiting sharing proprietary company information with a competitor for a period of at least one year after the individual leaves.
Audit your security regularly. It is advisable to hire an outside audit firm on an annual basis to review corporate physical and cybersecurity, as well as employee policies and practices.
Work with others to prevent industrial espionage. The Department of Justice (DOJ) acknowledges the widespread use of industrial espionage, especially by foreign actors. Foreign governments use private sector companies to acquire U.S. companies in order to obtain sensitive information. In other cases, foreign students attend U.S. universities to acquire knowledge, and U.S. professors are enticed to accept assignments in other countries in exchange for sharing or teaching what they know. While most of this activity is legal because of the openness of U.S. society and institutions, it can also become an economic threat. The DOJ and FBI have recently been sponsoring conferences and meetings with the private sector, academia and others on how to better protect U.S IP assets.