Corporate Spying: Snooping, by Hook or by Crook

Corporate spies come in many guises, but they all have one thing in common: They want to use your company's secrets for competitive gain. This is a five-step guide to how snoops operate.

"Why would it be far-fetched?" Winkler asks. "In America, it's just not done, typically. However, the reality is that throughout the rest of the world, competitive intelligence is just a fact of life. Americans are fairly naive about how things are handled."And If All Else Fails...The fact is, other countries can have vastly different ethical and legal guidelines for information gathering. Almost everything we've talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there's another realm of corporate sleuthingbugs, bribes, theft, even extortionthat is widely practiced elsewhere.

In his days as a global security consultant, Motorola's Boni saw plenty of it. Once, a local bank in South America brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. "They found 27 different devices," Boni recalls. "The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them."

Espionage is sometimes sanctioned or even carried out by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country's economy. One common ruse is to organize professional conferences and invite native scientists who have emigrated to the United States. In other situations, the government might bug hotel rooms or tap phones, as the French are known for doing. (For more information on which countries pose the greatest risks, see "It's Not Just the French: Espionage Around the World," Page 30.) Espionage can be a lot cheaper, after all, than investing in research and development, and it's very difficult to defend against when it's backed by a foreign government.

That's why no one set of guidelines for protecting intellectual property will work everywhere in the world. The CSO's job is to evaluate the risks for every country the company does business in and act accordingly. Some procedures will always be the same, such as reminding people to protect their laptops. "The countermeasures stop the vulnerabilities," says Winkler, regardless of the source of the threat"whether it's petty crime, organized crime, a foreign competitor or a foreign company." And some things will be different. Executives traveling to Pakistan might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.