Q&A with Michel Juneau-Katsuya, CEO, The Northgate Group
Corporate espionage can be an exciting topic. International spies, top secret research and, of course, the notorious honey-pot trap — the downfall of many a young engineer in a foreign country. At its core, however, it’s about losing market share, contracts and competitiveness.
Michel Juneau-Katsuya, a former senior intelligence officer and senior manager with the Canadian Security Intelligence Service, estimates that corporate espionage costs Canadian companies billions of dollars a year. Now CEO of The Northgate Group, a security consulting firm, and guest professor in criminology at the University of Ottawa, he believes that companies must take a new, more vigorous approach to securing their confidential information.
Later this year, Juneau-Katsuya will heading up a conference, CISC2011: Protecting Your Company Against Corporate Espionage. It will be held Nov. 28–30 in Ottawa. Among presenters are members of several government departments, including the National Defence’s national counter-intelligence unit, which is responsible for investigating all spy activities against the department and its subcontractors.
Juneau-Katsuya, co-author, with Fabrice de Pierrebourg, of Nest of Spies (2009), will also be presenting at the conference.
Recently, Canadian Security spoke to Juneau-Katsuya about how significant the problem of corporate espionage is, mistakes companies make and ways to prevent competitive information from falling into the wrong hands.
CS: Is corporate espionage a significant problem in Canada?
Juneau-Katsuya: It’s huge. I would dare to say that, if it were not that terrorists shed blood, by far the greatest national security issue that Canada currently faces would be corporate espionage.
In 1995 we demonstrated that we were losing $10 billion to $20 billion a year. The U.S. at that time was losing an average of $25 billion, which is twice as much as us. But, because they are 10 times bigger than us, we were actually losing five times more. The reason is that Canada is a knowledge-based society. We have phenomenal research centres. We are at the cutting edge of research and technology in many different fields. And that becomes extremely attractive to foreign entities and industrial spies.
Since the end of the Cold War, we have moved from military confrontation to economic confrontation. And some players out there are playing in a very sophisticated way, and they are using their national intelligence services to come and spy on Canadian companies to steal their secrets. We lose market share, we lose contracts, we lose our competitiveness when that happens. And market share is revenue.
CS: What are the main mistakes companies make that lead them to lose competitive information?
Juneau-Katsuya: First, they do not perform a good threat-risk assessment. A good threat-risk assessment, from an executive point of view, can be simplified into an equation: “threat to” plus “threat from” equals vulnerability.
“Threat to” is “What do I need to protect?” Fortunately, about 90 per cent of security companies can give you a decent assessment of what you need to protect. It can be your intellectual property, trade secrets, production secrets, your people, R&D, information like that.
You also need to do the “threat from” or “Who wants to go after me?” If you don’t perform that, you will be lost. If you haven’t identified the “threat from,” you won’t be able to be very precise, and you will be condemned to taking something off the shelf — putting in bars or guards, putting in access control cards. But what if the problem is the employee you just hired, who’s got a gambling issue and wants to steal some technology to pay a debt? In that case, you have to able to protect yourself, and you have to be able to assess the risk.
The moment you have a clear picture of your vulnerability, you can optimize the use of your budget on security. And you don’t need to be a security expert. A CEO can understand “threat to/threat from.”
Companies often fail to perceive security as a strategic investment versus simply an expense, an overhead, or as a liability issue. If you do it intelligently, it’s something you can promote as part of the value of doing business with you because you have a better sense of what security is and how to protect your company.
CS: In addition to doing a good threat-risk assessment, what are some of the other measures companies should take to prevent competitive information falling into the wrong hands?
Juneau-Katsuya: Business culture is pivotal. You can have the best access control, the best firewall, the best polices, but if people aren’t using it or respecting it — like the people who, to take a simple example, put a chair in a door to keep it open when they want to go for a smoke. It’s the same mentality, the same problem: people who take shortcuts, or don’t pay attention to what they are doing. These are the things that will be exploited.
So reassess the way you do business. An interesting fact is that 80 to 85 per cent of the spy cases we investigate have an insider or someone who has legitimate access to the information. We actually grant access to the people who will leak it. And it’s not always done out of malicious intention. It can be done in a very naïve way, where you leak information to someone you shouldn’t share it with.
Check your polices, the way you handle information. Not just the way you store it; it’s how you destroy it, as well. The management of information is “from cradle to grave.” Do background checks on people coming in, whether employees or visitors, temporary staff or exchange students. You’ve got to be able to assess where they’re coming from, what they can do and how they will do.
And don’t be afraid to give a lot of awareness sessions. If people don’t know they can be part of the problem, they will not be part of the solution. It’s a question of a warning, of raising the sophistication of both the executive and the employees.
CS: Can you tell me something about the conference?
Juneau-Katsuya: The purpose of the conference is to raise awareness, to bring together the people who know about it and can talk about it and to bring solutions to people.
It’s also an attempt to create intelligence capability for ourselves. Governments do not understand the reality of the private sector. Companies must do it themselves. But to have your own intelligence unit is expensive. If we can organize ourselves collectively, we can practice economy of scale. And then, small and medium businesses could come into it, instead of just having it for the big guys. We’ve got to share information with one another.