How to protect your business from corporate espionage and data theft
The theft of valuable or sensitive company information can damage a company’s finances and reputation. We explore several steps you can take to protect your business from corporate espionage and company data theft.
To understand how to prevent corporate espionage, we have to understand what it actually is.
What is corporate espionage?
Corporate espionage is used synonymously with industrial espionage, economic espionage, and corporate spying. Essentially, these terms mean the planned, unauthorised acquisition of sensitive corporate information such as trade secrets, customer records, and intellectual property. In the UK, corporate espionage is against the law under the National Security Act 2023, which addresses trade secret misappropriation, and the Trade Secrets (Enforcement, etc.) Regulations 2018. If personal information is stolen, the act of company data theft could also violate the General Data Protection Regulation and the Data Protection Act 2018.
What are some examples of corporate espionage cases?
Company data theft and corporate espionage can target many different forms of information. Some examples of high-profile cases of corporate espionage and company data theft include:
- The development of Concorde. Concorde was a pioneering supersonic passenger airliner that flew at twice the speed of sound. It could get from London to New York in just 3 hours. Several people have been accused of selling inside secrets on the systems and development of Concorde to Russia, including an electrician who was subcontracted to work on the aircraft.

- Stolen parking assistance software. In 2022, a software developer called Mohammed Moniruzzaman was on a video call with his colleagues at NVIDIA as well as several people at his previous employer, Valeo. During the call, he shared his screen. Whilst doing so, others on the call noticed a file on his desktop – named “ValeoDocs”. This file contained source code that Mohammed wrote at Valeo when creating the firm’s parking and driving assistance software. Valeo’s employees recognised the code immediately. NVIDIA, a competitor of Valeo, hadn’t yet released its own parking and driving assistance software. If NVIDIA used the stolen files as a shortcut to developing its own parking and driving assistance software, it could have saved millions of dollars in development costs. Mohammed was convicted in Germany of infringing business secrets, and the dispute between Valeo and NVIDIA is ongoing.

- Soda secrets. Back in the early 2000s, a lady named Joya Williams was working at Coca-Cola as the administrative assistant to the Global Head of Marketing. Thirsty for more than cola, Joya attempted to sell her employer’s secret documents and unreleased products in development to rival Pepsi for $1.5 million. Unluckily for Joya, Pepsi immediately told Coca-Cola about the leak. Coca-Cola then brought in the FBI to investigate, eventually resulting in Joya receiving an 8-year sentence for wire fraud and unlawfully stealing and selling trade secrets. Two accomplices were also charged.

These cases show that corporate espionage can exist in many forms. The passing of information can be spoken, digital, printed, or physical.
Information can be a company’s most valuable asset. Customer records, intellectual property, business plans and physical prototypes should all be kept safe to stay competitive. If information like this falls into the wrong hands, the commercial damage can be immense – not to mention the potential reputational impact. Despite being illegal, industrial espionage is still a very real threat. Once information is out of the company’s hands, it may be impossible to trace. Perpetrators may never be caught if information is sold overseas, for instance.
How can your organisation prevent corporate data theft?
To prevent the theft of company data, organisations should prioritise identifying risks and doing everything they can to prevent espionage and corporate identity theft from happening in the first place.
Establish what your trade secrets are
To reduce the risk of corporate espionage and data theft, first establish what your trade secrets are. What information and knowledge does your company possess that competitors don’t? Identifying valuable resources may involve looking outward to rivals’ operations, as well as inward to your own resources.
Bear in mind that physical artefacts can contain important information too. In the hands of an expert, a prototype or work-in-progress product could be reverse-engineered, revealing its secrets to a competitor and allowing them to beat you to the market.
Next, pinpoint your organisation’s vulnerabilities and which organisations pose the greatest threat of company data theft. Competitors are the obvious first stop, but not necessarily the most significant. Hackers target companies to obtain crucial information and then hold it to ransom by threatening to disclose it or sell it to the highest bidder. You should also consider ‘friendly’ avenues of corporate espionage. Customers, visitors, employees, and even business partners are all potential threats.
Secure your business premises through access controls, CCTV, and digital information logs
Many of the techniques that protect your organisation from burglaries and unauthorised access are also effective against industrial spies. Your offices, manufacturing plant, equipment and infrastructure should all be kept physically secure from intruders. Entry points need to be secured, and surveillance equipment installed where ethical to do so. Pay most attention to areas where the most valuable information and items are kept, and make sure they are protected with extra measures, such as locks, alarms, or safes.
Secure your data
As the modern-day saying goes, ‘information wants to be free’. Without controls, organisations can leak data like sieves, and you need to be constantly vigilant to make sure your secrets don’t escape.
Digital information security has several aspects. First and foremost, the systems and data you use need to be secure in themselves, as do the servers on which they are kept. Special attention is needed if people are allowed to take equipment off-site (such as laptops), or bring their own devices to work. Using a signing-out system for work devices is crucial for monitoring which person has which device, and all work devices should be encrypted in case they are lost or stolen.
You’ll need to consider procedures for granting access to different levels or groups. Even senior personnel might not necessarily need access to everything, particularly if the information is highly technical or operational.
Remember that data can turn into paper at the click of a mouse. Once it’s printed out, information can go anywhere, with anyone, at any time. Every single member of your team needs to understand the risks of this and be encouraged to dispose of old paper records, digital devices, and things like product prototypes as soon as they’re no longer required. Disposal should be carried out by a fully accredited, secure shredding service.
Train your workforce and don’t demonise whistleblowers
Once you’ve established security procedures, it’s important that people are trained to put them into practice. It’s no use having a watertight security policy if people don’t know what they have to do to enforce it. Staff might need regular refresher sessions, plus it’s worth consulting them on security flaws they may have spotted in their day-to-day work. Your organisation should also develop a whistleblowing policy – even if you only have a few employees. If people feel encouraged to report any suspicious behaviour, and can do so anonymously, they are more likely to speak up. If they are worried about backlash or there isn’t any incentive for them to help prevent data theft, they aren’t likely to engage.
Everyone with access to sensitive data and items should be subject to a background check when they join the firm, with regular re-evaluations later on. Exit procedures are important too, in order to prevent people from quite literally walking out the door with secrets when they move on from your firm.
Employees can also be asked to sign a non-disclosure agreement, and their access can be restricted if they are expected to leave soon.
Secure disposal of old records, data and artefacts
One of the most important steps you can take to guard against industrial espionage and corporate identity theft is to dispose of confidential records and valuable artefacts safely and securely when you no longer need them. To ensure that items aren’t kept longer than necessary, we recommend implementing a data retention and destruction schedule that all employees can access.
Documents including business plans, financial records, technical plans and more could all be enormously valuable in the wrong hands. The best way to dispose of all these forms of information, whether paper or digital, is by shredding. Paper, files, hard drives and removable media such as USB sticks and CD/DVDs can all be shredded, as well as items open to misuse such as old company uniforms.
Prototypes, unwanted products, and documents can be shredded, guaranteeing that their secrets can never be unlocked. Modern shredders can handle an enormous range of items and materials; you might be surprised at what can be disposed of this way.
At Shred Station, we can carry out secure paper, textile and product shredding at your own premises or at our own secure sites. All our staff are security screened to BS 7858, and our plant is protected by state-of-the-art security measures. Once shredding is complete, we’ll give you a certificate of destruction to confirm that all your records and other items have been put beyond the reach of spies.
