May 25, 2007

India's growing corporate spy threat
By Indrajit Basu

KOLKATA - Several recent high-profile cases have brought to the surface a disturbing trend in the Indian corporate world: industrial espionage.

The targets are mostly multinational companies, but at times even large Indian firms become victims. The culprits are mostly foreign companies and smaller local firms trying to gain an edge on their competitors.

According to a survey conducted last year by the global consulting firm Ernst & Young, the corporate sector in India faces the highest threat of fraud, including espionage.

Another study, also conducted last year, by the Indian arm of the global consultancy firm KPMG, said: "Organizations today face a completely different set of challenges - globalization, rapidly evolving technology, rapid development in industry and business, risks and complexity of information and data management; the list is endless." KPMG said that in this changed scenario, the risks of fraud faced by organizations in India had increased manifold.

Neither spying nor the extraction of sensitive information using unfair means are new in India. However, such activity has largely been limited to government departments, defense establishments, and a few stray instances involving the business world.

"What has changed in recent years," said Ashwin Parikh of Ernst &Young, "is the involvement of the corporate sector, and the methods used. This practice of using students [for instance] to pick up competitors' information has become rather rampant now."

Parikh was referring to a case that was exposed recently in which a multinational bank in India, in the face of the dismal record of its portfolio-management services, hired a student from a premier business school at a huge salary to investigate the portfolio services of its competitors. The twist was that the student would not disclose his connections with the bank and pretend to be conducting independent research.

In about a month, the struggling bank had its competitors' marketing strategies not only for their portfolio-management schemes, but also for a few other competing products.

Other methods that have been exposed include hiring hackers to break into a company's management-information system, and a journalist employed by an Asia-based consultancy firm on behalf of another multinational bank to dig out sensitive information from a bank in the guise of a special feature.

In the most recent case, a US$200 million US-based water-treatment company, Purolite Corp, has sued an Indian engineering company, Thermax Ltd, which has a few ex-Purolite employees on its payroll. Purolite alleges that Thermax hired four of its erstwhile employees and gave them senior executive positions just for "stealing intellectual property". These employees, alleges Purolite, took with them proprietary technology and information, which were then used by Thermax to compete against Purolite.

It's easy these days
According to KPMG, a big reason corporate spying and fraud have increased in India is a lack of ethical values. There is a clear need for organizations and their employees to move proactively toward the creation of a more ethical workplace, KPMG says. Meanwhile Satish Maneshinde, a Mumbai-based criminal lawyer, says that "integrity is the cheapest commodity that can be purchased in India today".

But according to Raghu Raman, founder-director of the Mahindra Special Services Group, an information-security consultant, corporate espionage has increased over the past few years more because prying into someone else's information has become so easy.

"The information age, with its tools and technologies, has made it much easier to gather information and analyze intelligence," he said. "To get a proof of this, just [type] in the name of any CEO [chief executive officer] in a search engine and you will be amazed at the amount of information that becomes available to you.

"And this is just at the first level of information," said Raman. "Trained intelligence analysts can easily ferret out deeper information through masqueraded phone calls, interviews of employees, creating e-relationships with employees or joining social-networking sites frequented by them. Sometimes, in less than a few weeks, analysts could map the entire company, its core competitive advantages, including intellectual property, future strategies, human capital and the skeletons in its cupboards."

Corporate India is naive
The KPMG study indicates that most local companies are unaware of the fact that the greatest threat is from their own employees because they do not have adequate internal controls in place.

Most companies in India are perhaps aware that they might have been victims of some form of spying, data theft or fraud at least once, says Vijay Mukhi of the Foundation of Information Security and Technology, but are not aware of how to deal with it.

Raman said: "Companies that invest hundreds of thousands of dollars in firewalls and public key infrastructure forget that over 15% of their employees talk to headhunters and prospective new employers or competition.

KPMG added that "the maximum threat was perceived from the employees and the least from outside".

No dirty linen in public, please
According to Satish Maneshinde, one of the biggest reasons corporate espionage is increasing unchecked in the country is that few victims like to acknowledge the fact that their information system has been broken into. "The Indian legal system has a few pretty easy ways of tackling corporate espionage," he said, "but they are rarely used."

Raman says only 20% of corporate espionage cases are detected, of which a mere 20% gets reported while just 10% are solved.

Prevention is better than cure
But shouting out may not be the best policy to check fraud and corporate espionage, according to Ernst & Young.

"Fraud is expensive and disruptive, making prevention preferable to investigation and recovery," says the Ernst & Young study, adding: "Prevention and detection also make good business sense as they provide cost savings to organizations."

According to Mahindra Special Services, employees must form the organization's first line of defense and they should be made aware of threats. The other imperative is to think in terms of information security, not information-technology security.

"IT certainly needs to be secure, and the tools have their place in an organization," said Raman. "But it must be a part of the overall information security. Designing of robust processes and standard operating procedures such as classification of information and handling instructions for classified information [in all its forms] is an important part of this step."

Indrajit Basu is a Kolkata-based journalist.

No comments: