In a twist of irony, an Apple engineer used the company’s proprietary technology, AirDrop, to steal top-secret information about the iPhone maker’s driverless-car project. Xiaolang Zhang transferred 24 GB of trade secrets, including the future car’s electronic-circuit diagrams, to his wife’s laptop just before resigning from the company. He was arrested on his way to China to meet his new employer, self-driving car start-up XPeng. In August 2022, Zang pleaded guilty to trade secret theft, which according to CNBC, carries a maximum prison sentence of 10 years or a $250 000 fine in the US.

Industrial or corporate espionage is an age-old problem but the ‘thieves’ are becoming more sophisticated, according to Awie Vlok, a lecturer in innovation management and faculty member of Stellenbosch University’s department of business management. ‘There was a time when “spying and copying” was seen as business intelligence,’ he says.

During the Cold War, the economic returns from industrial espionage were so substantial that Harvard Business Review reported it to be ‘more effective than R&D’. The now-defunct East Germany, for example, saved around 75 million East German marks in R&D expenditure by stealing commercial secrets from West Germany. While this helped the former socialist country to narrow its innovation gap with the West, its reliance on espionage resulted in fewer patents and hurt its own ability to develop technology.

Today the players may have changed, but it’s still East versus West, with the US accusing China of stealing billions of dollars of intellectual property (IP) and commercial secrets every year.

While there is a difference between industrial espionage controlled by private companies for their own benefit, and industrial espionage driven by foreign states (also known as economic espionage), the line is blurring. In recent years, nation-state adversaries have been attacking private companies as part of their broader agenda. As most spying remains undetected, it’s difficult to gauge the full extent of the problem.

The FBI estimates that theft of trade secrets, together with counterfeit goods and pirated software, costs the US economy between $225 billion and $600 billion a year. UK security services firm G4S puts the global cost of corporate espionage at $1.1 trillion annually.

However, most cases are never revealed to the public, even if the targeted organisation is aware of being compromised. Many companies keep quiet because they can’t identify who is behind the spying, especially with the increasing incidence of cybersecurity breaches.

The key concern, though, is reputational damage. Companies exposed as victims of espionage are perceived as lacking in security protocols and, as a result, risk losing stakeholder trust and stock value.

The financial fall-out from IP theft can be significant, owing to business disruption that can negatively impact the supply chain and compromise client information.

In the digital era, perpetrators can steal trade secrets from any location globally while often remaining anonymous and unidentified for long periods of time, according to a PwC study on the scale and impact of cyber theft of trade secrets. ‘The majority of data available refers to cyber incidents rather than cyber theft of trade secrets specifically; hence there is a general lack of both qualitative and quantitative data on the subject,’ according to the research. It highlights that SMEs deserve special attention, because they generally lack the technical and investment capacities needed to counter cyber threats and are therefore more vulnerable than large corporates. This also applies to NGOs and the public sector, which often under-invest in cybersecurity. While industrial espionage can happen anywhere, R&D-intensive industries, such as IT, computer manufacturing, automotive, energy, aerospace, pharma and chemical, are popular targets.

Boland Lithebe, security lead for Africa at Accenture, says that ‘most companies are ill-equipped to detect cyber espionage, particularly if conducted by insiders. The lack of detection makes it difficult for the quantification of the crime, but no doubt, it’s happening. There is also no regulation in South Africa that enforces the disclosure of loss of information such as trade secrets. So organisations are not obliged to report’.

To protect your IP, you need to understand how valuable this intangible asset (which includes trade secrets, patents, trademark and copyrights) are to your company and how to manage it. Information about intangible assets is increasingly used to evaluate investments, according to Ocean Tomo, a US merchant bank for intellectual capital. In the 20 years leading to 2015, ‘the share of intangible asset market value increased from 68% to 84%’, says the firm, with the global pandemic further accelerating the trend. Intangible assets now command 90% of the S&P500 market value, said Ocean Tomo in July 2020. ‘Within the last quarter century, intellectual capital has emerged as the leading asset class.’

SA law rules that IP in the form of patents, designs and trademarks are registered rights governed, respectively, by the Patents Act, Designs Act and Trade Marks Act. The legislation is specific that, for example, under the Copyright Act, work needs to be original and in a material form, says Janine Hollesen, an IP director at Werksmans law firm.

‘Originality is not in the sense that it must be entirely unique but must not be copied from another source and must be created using skill, effort and time.’

In contrast, trade secrets and confidential information are not registered, she adds. ‘A perfect example of a trade secret is the formula for Coca-Cola, which, if it had been registered as a patent in the late 1880s, would have had to have been disclosed in the patent document and would now be in the public domain. The secret formula is a well-guarded secret, which has remained that way for nearly 140 years.

‘Trade secrets are usually protected by contract and it’s important to ensure that if any party has access to trade secrets or confidential information that the information is identified as such and the appropriate confidentiality and restraint obligations are agreed to.’

As IP awareness grows, Vlok finds that the IP practices of SA business are on par with other countries. ‘Students are increasingly demanding that the examiners of their assignments enter into non-disclosure agreements [NDAs] and clients are also demanding NDAs in consulting assignments,’ he says. ‘One student interviewed 15 technopark residents and found that eight had introduced “trade secret” protocols based on trust relationships instead of patents.’

Industrial espionage is a breach of trust as it’s often committed by malicious insiders. This has given rise to a ‘zero trust’ approach in cybersecurity, based on the premise ‘never trust, always verify’.

Here numerous security, ID and monitoring services are combined, referencing context and behaviour, to block suspicious activity before it causes damage.

‘Protection of anything electronic, including IP and trade secrets, must always follow the principle of defence in depth,’ says Lithebe.

‘In each area – network, people, data and devices – processes must be secured to ensure that a failure of one does not lead to the compromise of the organisation’s crown jewels. Recent techniques, such as zero-trust architecture, move the defences to focus on users, assets and resources. These principles should be considered to ensure that organisational assets are protected wherever they are.’

Humans are often the weakest link, making any organisation vulnerable to cyber espionage attacks, according to Spiros Fatouros, CEO of insurance broker and risk adviser Marsh Africa. ‘However, this weakest link of the security chain can turn into the best layer of defence with the right focus and attention. In order to establish a secure culture and make people part of the security programme, cybersecurity awareness training and phishing testing have become extremely important.’

He says insurance underwriters recommend that companies follow five key cyber hygiene controls, starting with multifactor authentication, which requires at least two pieces of evidence (factors) to prove the user’s identity. This is important because many users have one password across multiple sites.

Secondly, endpoint detection and response (EDR), which involves monitoring software for any devices that employees use to receive corporate information, whether it’s a laptop, desktop or mobile device. EDR flags any irregular activities and facilitates rapid incident response. Thirdly, encrypted, and tested backups are needed as a robust backup strategy for critical data and applications.

The next control is privileged access management, which requires higher security login credentials for users accessing administrator or privileged accounts. Special users – such as IT, network or database administrators – should only be allowed to carry out specific tasks through their privileged access. Lastly, companies need to instal email filtering and web security to avoid industrial spies gaining an initial foothold into the company network. Also, any web pages that may contain malware should be blocked.

There are also simple physical measures against information being stolen, such as a clean-desk policy, where employees clear their working spaces before leaving the office. Or a security audit of the premises to ensure only authorised access to sensitive spaces, including service providers such as cleaners, maintenance and IT personnel.

Another basic precaution is blocking any device with a camera. Visitor cellphones can either be locked away or their cameras covered with a tamper-proof security sticker.

Staying vigilant and up to date with technology is essential, as the case of Apple’s stolen trade secret showed, where the perpetrator is being punished. Industrial espionage may be here to stay, but there’s a lot that SA companies can do to safeguard their IP.

By Silke Colquhoun
Image: Ferdi Dick