The massive leakage of confidential information of the Government of India is shocking in its scale. The breadth and depth of the espionage is staggering. Corporate espionage targeting government departments ranging from oil & gas to defense has been exposed.
Lets put this in perspective. The Indian government is not yet digitized. The theft of information was in physical format with papers and files going missing. Both employees and external parties were in cahoots to pull off these “heists”, and heists they were, giving recipients of the information tremendous advantage in the market.
Now imagine the scenario where government was completely digitized i.e. a Digital India, as envisioned by PM Modi. Imagine the havoc that could have been created by internal theft of massive amounts of digitized information. Imagine the damage that could have been caused by hackers getting into government systems. India will, and should move towards using computing technology to increase efficiencies. However, it would be a case of one step forward and two steps behind if security is ignored.
In light of this massive government security exposures, we need to reflect on data security in our own organizations. Are we victims of corporate espionage? Have you asked yourself these questions:
– How do I prevent insiders from accessing confidential information that they are not supposed access?
– How do I prevent employees from taking company intellectual property when they leave the company?
– Are my computer systems protected against external threats?
– Do I have systems in place to prevent employees from simply emailing confidential data out without anyone noticing?
– Are my physical assets secure?
In order to prevent corporate espionage, a holistic approach is required. An approach that encompasses both physical and logical security is required. Some of the key measures (or controls as security professionals call them) that should be implemented are:
– Policies – Defined and published organization security policies that make it clear what is permitted and what is not
– Personnel security – This include measures like background checks
– Physical security controls – Video surveillance, perimeter security, physical access control etc.
– Logical security controls – Access control lists, data classification etc., DLP tools
– Network security – Firewalls, SIEM etc.
These are just some of the measures that should be implemented to prevent corporate espionage. It is recommended that a security audit/diagnostic be performed to understand the security maturity level of your organization. You will then be in a position to understand the gaps and plug them.
It is indeed better to nip corporate espionage in the bud using controls than have a forensic investigation sifting through the ruins.
(Confidis conducts security diagnostics and forensics. It provides recommendations to organizations to improve their security posture. Contact us for more information)