India's growing corporate spy
threat By Indrajit Basu
KOLKATA - Several recent high-profile
cases have brought to the surface a disturbing
trend in the Indian corporate world: industrial
espionage.
The targets are mostly
multinational companies, but at times even large
Indian firms become victims. The culprits are
mostly foreign companies and smaller local firms
trying to gain an edge on their competitors.
According to a survey conducted last year
by the global
consulting firm Ernst &
Young, the corporate sector in India faces the
highest threat of fraud, including espionage.
Another study, also conducted last year,
by the Indian arm of the global consultancy firm
KPMG, said: "Organizations today face a completely
different set of challenges - globalization,
rapidly evolving technology, rapid development in
industry and business, risks and complexity of
information and data management; the list is
endless." KPMG said that in this changed scenario,
the risks of fraud faced by organizations in India
had increased manifold.
Neither spying nor
the extraction of sensitive information using
unfair means are new in India. However, such
activity has largely been limited to government
departments, defense establishments, and a few
stray instances involving the business world.
"What has changed in recent years," said
Ashwin Parikh of Ernst &Young, "is the
involvement of the corporate sector, and the
methods used. This practice of using students [for
instance] to pick up competitors' information has
become rather rampant now."
Parikh was
referring to a case that was exposed recently in
which a multinational bank in India, in the face
of the dismal record of its portfolio-management
services, hired a student from a premier business
school at a huge salary to investigate the
portfolio services of its competitors. The twist
was that the student would not disclose his
connections with the bank and pretend to be
conducting independent research.
In about
a month, the struggling bank had its competitors'
marketing strategies not only for their
portfolio-management schemes, but also for a few
other competing products.
Other methods
that have been exposed include hiring hackers to
break into a company's management-information
system, and a journalist employed by an Asia-based
consultancy firm on behalf of another
multinational bank to dig out sensitive
information from a bank in the guise of a special
feature.
In the most recent case, a US$200
million US-based water-treatment company, Purolite
Corp, has sued an Indian engineering company,
Thermax Ltd, which has a few ex-Purolite employees
on its payroll. Purolite alleges that Thermax
hired four of its erstwhile employees and gave
them senior executive positions just for "stealing
intellectual property". These employees, alleges
Purolite, took with them proprietary technology
and information, which were then used by Thermax
to compete against Purolite.
It's easy
these days According to KPMG, a big reason
corporate spying and fraud have increased in India
is a lack of ethical values. There is a clear need
for organizations and their employees to move
proactively toward the creation of a more ethical
workplace, KPMG says. Meanwhile Satish Maneshinde,
a Mumbai-based criminal lawyer, says that
"integrity is the cheapest commodity that can be
purchased in India today".
But according
to Raghu Raman, founder-director of the Mahindra
Special Services Group, an information-security
consultant, corporate espionage has increased over
the past few years more because prying into
someone else's information has become so easy.
"The information age, with its tools and
technologies, has made it much easier to gather
information and analyze intelligence," he said.
"To get a proof of this, just [type] in the name
of any CEO [chief executive officer] in a search
engine and you will be amazed at the amount of
information that becomes available to you.
"And this is just at the first level of
information," said Raman. "Trained intelligence
analysts can easily ferret out deeper information
through masqueraded phone calls, interviews of
employees, creating e-relationships with employees
or joining social-networking sites frequented by
them. Sometimes, in less than a few weeks,
analysts could map the entire company, its core
competitive advantages, including intellectual
property, future strategies, human capital and the
skeletons in its cupboards."
Corporate
India is naive The KPMG study indicates
that most local companies are unaware of the fact
that the greatest threat is from their own
employees because they do not have adequate
internal controls in place.
Most companies
in India are perhaps aware that they might have
been victims of some form of spying, data theft or
fraud at least once, says Vijay Mukhi of the
Foundation of Information Security and Technology,
but are not aware of how to deal with it.
Raman said: "Companies that invest
hundreds of thousands of dollars in firewalls and
public key infrastructure forget that over 15% of
their employees talk to headhunters and
prospective new employers or competition.
KPMG added that "the maximum threat was
perceived from the employees and the least from
outside".
No dirty linen in public,
please According to Satish Maneshinde, one
of the biggest reasons corporate espionage is
increasing unchecked in the country is that few
victims like to acknowledge the fact that their
information system has been broken into. "The
Indian legal system has a few pretty easy ways of
tackling corporate espionage," he said, "but they
are rarely used."
Raman says only 20% of
corporate espionage cases are detected, of which a
mere 20% gets reported while just 10% are solved.
Prevention is better than cure But shouting out may not be the best policy to
check fraud and corporate espionage, according to
Ernst & Young.
"Fraud is expensive and
disruptive, making prevention preferable to
investigation and recovery," says the Ernst &
Young study, adding: "Prevention and detection
also make good business sense as they provide cost
savings to organizations."
According to
Mahindra Special Services, employees must form the
organization's first line of defense and they
should be made aware of threats. The other
imperative is to think in terms of information
security, not information-technology security.
"IT certainly needs to be secure, and the
tools have their place in an organization," said
Raman. "But it must be a part of the overall
information security. Designing of robust
processes and standard operating procedures such
as classification of information and handling
instructions for classified information [in all
its forms] is an important part of this step."
Indrajit Basu is a Kolkata-based
journalist.
(Copyright 2007 Asia Times
Online Ltd. All rights reserved. Please contact us
about sales, syndication and republishing.)
Head
Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East,
Central, Hong Kong Thailand Bureau:
11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110
