This article is Part 3 of a 3-part series. The purpose of the series is to familiarize the reader with the most common indicators of corporate espionage and advice on how to combat it. This advice is a compilation of our experience at while investigating these types of cases. For a description of the differences between corporate espionage, economic espionage and competitive intelligence, click here for Part I: WHAT IS CORPORATE ESPIONAGE? To learn more about the root causes that invite espionage, click here for PART II: 5 RED FLAGS YOU’RE A VICTIM OF CORPORATE ESPIONAGE.
Every company should have a plan or Standard Operating Procedure (SOP) to combat corporate spying. Your SOP needs to be specific. It won’t help you if it’s fuzzy, vague and just another check-the-box scenario. Bottom line, your SOP should be designed to block the corporate spy’s sources of information and guide your next step when there is a security breach. Your SOP, at the minimum, should include the following components:
- Prevention – Honestly assess your weaknesses and address them; this goes back to the five red flags discussed in Part II but should also cover physical security issues.
- Training – Employees should be trained on physical security and awareness of corporate spying techniques.
- Periodic Review – Things change and the SOP needs to change with them.
- Investigation – If there is a security breach, you’ll want to know what to do next.
If you are preparing an SOP for dealing with corporate espionage, these are some of the questions you should ask yourself:
- How are employees paid in comparison to others who work in the same field or have similar skills? If we can’t compete with pay, can we compete in other benefits or ways that will help make up for a lack of pay?
- Is there real communication between management and staff and how do we define “real communication”? If there is a lack of communication, what are the causes and how do we address those causes?
- Are we vetting/checking backgrounds of employees before hiring? Are we periodically vetting throughout employment and how often should background checks recur? Will there be different levels of vetting for different positions? Who will conduct the vetting/background check?
- What are our vulnerabilities regarding physical security and how can we address those?
- Do we have specific rules to protect our information? (e.g. employees must lock desktop computers when they are not in use, all filing cabinets and desk drawers must be kept locked when their owner steps away, no documents can be left on desks overnight or when employees take a break, everyone knows what documents can be thrown in the trash can and what has to be shredded, etc.)
- How in-depth should we go to train employees to spot corporate espionage tactics such as pretext calling and unusual inquisitiveness?
- How in-depth should we go to train employees in physical security?
- Will the training be formal (classes) or informal (covered in meetings or email)?
- Who will conduct the training?
- How often/when should this training take place?
- Do employees know exactly who to report to if they have suspicions or something doesn’t “seem right”?
- How often/when will we review the SOP?
- Who will be responsible for the SOP review?
- What practices or circumstances have changed in the company that need to be addressed in the SOP?
- How do we measure or determine the SOP’s overall effectiveness and its various components?
- What types of security breaches require contacting law enforcement? Do we know exactly which authorities to contact?
- What types of security breaches require contacting a private investigator or security expert?
- What types of security breaches do we handle in-house and how do we handle them?
- What do we do if an employee is suspected of espionage but there’s no concrete evidence?
For some more ideas you can incorporate into your SOP, click here to read Protecting Key Assets: A Corporate Counterintelligence Guide, published by the National Counterintelligence and Security Center. But remember, your SOP doesn’t need to be fancy or vie with the U.S. Tax Code in length; it just needs to be specific.
“Don’t doubt for one minute people aren’t trying to compromise your corporation because we’re doing it all the time.”
~Former corporate spy