Skip to main content
Security Assessment

Protecting Trade Secrets from Physical Intruders

By September 7, 2018No Comments

Companies that hold trade secrets, intellectual property, or proprietary research are under attack. The attack is multifaceted and includes both cyber and physical intrusion.  As mentioned in the March 2018 Social-Engineer.org Newsletter, cyberespionage has “changed from isolated and individualized attacks to attacks run by distinct groups resembling traditional Mafia organizations.” Additionally, protecting trade secrets from physical intruders must be a priority. Companies are at risk from social engineering attacks that include physical intrusion. Tailgating is one of the most common methods used by intruders to gain unauthorized entry. An intruder may also pose as a contractor, business contact, delivery person, or employee to gain access to restricted areas where confidential information is kept. 

To protect trade secrets from physical intruders, a security strategy that includes both the technical and human side is essential. Simply being observant to strangers or unfamiliar faces in the workplace can improve security. This is well illustrated by what happened at Medrobotics, a company that manufactures and markets robotic surgical products. Due to the nature of their work, protecting trade secrets and intellectual property is a core company value.  Protecting Trade Secrets from Physical Intruders

CEO Catches Unauthorized Intruder

It’s 7:30 pm on August 28, 2017. The CEO of Medrobotics, Dr. Samuel Straface, is the last to leave the office for the day. On his way out, he notices a man in a conference room, inside the company’s secured space, with three open laptops. Dr. Straface does not recognize this man. He knows he is neither a contractor nor a business contact, he also knows there are no meetings scheduled at this time.  

Samuel Straface has a personal policy; if he doesn’t recognize you, then you have earned an introduction. This leadership style serves two purposes. First, it enhances a feeling of “team.” Each person who works for his company is important to him. Second, it enhances security. An unfamiliar face cannot unobtrusively slip in. Dr. Straface does not ignore the man in the conference room. Instead, he introduces himself as the CEO.  His conversation with the unknown man raises “red flags.” He calls the police. The police, in turn, call the FBI. The intruder is arrested on suspected corporate espionage charges.  

How Did the Intruder Gain Access?

August 28, 2017, marked a significant company milestone for Medrobotics. Earlier in the day, the company’s Flex robot-assisted surgery system had been used in the world’s first scar-free robotic colon resection at George Washington University Hospital. To acknowledge this achievement permission was given to celebrate at a nearby pub.  Executives, engineers, and staff rush the front door as they leave to celebrate. It’s believed that during this exciting rush the intruder, Dong Liu, slipped in. Despite Medrobotic’s policy requiring visitors to sign in, the visitor log for that day contains no record of Liu. Did he choose this time to access the building by pure coincidence? It’s still uncertain. However, in the FBI investigation, it was discovered that Liu had been contacting Medrobotic employees through LinkedIn. 

Protecting Trade Secrets – Lessons Learned

The experience of Medrobotics and the CEO, Dr. Straface, illustrates the value of a multifaceted approach to security. It’s important to combine the “human side” together with the technological side. Two takeaways to consider: 

  1. The CEO’s personal policy was a defensive strategy. Being alert to strangers enhances security. Therefore, implement a similar policy. By doing so you reduce the risk of strangers slipping in.  
  2. A lapse of security may have occurred while the staff rushed to leave the building to celebrate a company milestone. So, have a security plan ready for special occasions that create a diversion from what is normal or typical. 

In this age of economic and corporate espionage, protecting trade secrets, intellectual property, or proprietary research should be a core company value. Don’t wait until it’s too late.  Security training that includes physical intrusion as part of penetration testing is a necessity.  

Sources: 
https://www.medicaldesignandoutsourcing.com/medrobotics-ceo-thwarted-possible-corporate-espionage/ 
https://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/index.html 
https://www.social-engineer.org/framework/information-gathering/physical-methods-of-information-gathering/ 
https://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/index.html 

You May Also Like

Social Engineering News: Impersonation Attacks

Tags:

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now