Learning from Apple’s Spying Incidents – How to Protect your Company from Corporate Espionage

The two recent incidents at Apple remind is us that Corporate Espionage is a serious threat that your board should be aware of.  For the second time in 6 months, Apple, working with the FBI, is accusing a Chinese national engineer of stealing trade secrets related to self-driving cars.   The investigation was started when another employee reported seeing Jizhong Chen taking photographs in a sensitive area.

Apple Global Security searched Chen’s computer where they found thousands of files containing Apple’s intellectual property, including manuals, schematics, and diagrams.  They also found about a hundred photographs taken inside an Apple building.  Authorities apprehended Chen the day before he was set to leave for China where it was learned he had applied for a job with a competing autonomous drive company.

Espionage is something that can affect companies of any size and the likeliest threat is from within your organization.  G4S, a British multinational security services company headquartered in London estimates the cost of Corporate Espionage is as high as $1.1 trillion annually. By comparison, the impact of business-critical data being stolen remotely is estimated to be $400bn a year, G4S estimates.  Solely focusing on the threat of a cyber-attack and ignoring the threat of corporate espionage, this is a serious risk that boards should consider. Far bigger boards may want to ask management what their internal processes and protections are. Likely there are none. The board can then request management seek external expertise and create a plan.

First gather the data on who, what and how:

Who?  The spy could be a dissatisfied or disgruntled employee, a supplier, competitor, foreign government, anyone with access to sensitive data.

What are they after?

  • Trade secrets: protected information about existing products or products in development.
  • Client information: private client data, including their financial information.
  • Financial information: can be used to offer better deals to steal customers, win bids, or even steal employees.
  • Marketing information: Knowing your marketing angle will allow them to quickly respond and potentially spoil your campaign.

How can we protect our company?

  • Conduct a security audit of your premises. Identify and test the rights of data access and rights of physical access to sensitive spaces for all your employees as well as service providers (cleaners, engineers, IT professionals, etc.).
  • Review the processes you have for new employees, external suppliers and visitors. Share the information with relevant employees.
  • Initiate and enforce a Clean Desk Policy. A CDP is a directive that specifies how employees should leave their working space when they leave the office. Most CDPs require employees to clear their desks of all papers at the end of the day.
  • Blocking any device with a camera (including cell phones). Company provided phones frequently have cameras disabled. Visitors phones are either held or have cameras covered with a security sticker that will show if it was tampered with.
  • Data tagging and classification, encryption, tracking, and machine learning that analyzes behavior and looks for anomalies are all ways to fight “data leakage.”
  • Tracking printer and copier usage as well as restricting removable media storage, most especially USB’s.
  • Establish a process for the secure and timely disposal of sensitive printed material. Shred, shred, shred.
  • Badge access should be required for access to building, elevators, and sensitive floors making it difficult to just wander the buildings, even as an employee.
  • Use Security cameras in all common areas, entrances, hallways, etc.
  • Create a policy to protect sensitive data that covers how it is shared (or not) in conversations, meetings, telephone calls and paper documents.
  • Ensure business executives who travel to meetings or conferences stay vigilant. Provide annual training on safe travel and equipment security (laptops.)

These are just a few of the ideas for protecting against corporate espionage that your board might discuss.  A key way to thwart spys is to continuously educate your employees. Educate them about potential threats your company faces and the role they play in the security of your organization.  Teach them about simple security practices like changing passwords, and give them examples of social engineering attempts that they may encounter.  Your employees are your first line of defense in corporate espionage and potentially your best as shown in the Apple example. It was an employee who noticed something odd and reported Jizhong Chen.

The board may wish to ask for and to review managements complete and comprehensive internal espionage policies and programs.


  • PRINT: