Niccolò Machiavelli once said the problem with paying someone $150,000 to do a job is that if they receive a counteroffer for $150,001, then they might just switch allegiance.
This is the paradox of the mercenary. A person who performs a task for money can always be bought off by a person with a larger bank account.
In other words, it's almost impossible to buy loyalty, no matter how many team-building days your company runs. There's always a risk of a disgruntled employee walking out the door with your intangible assets.
It's also worth pointing out that not every leak or loss of crucial data is due to malice. A good chunk of examples happen because of mistakes or employees simply being unaware of the value of the assets for which they are responsible.
Thankfully, most people aren't "Machiavellian" types. They have neither the time nor the inclination to think about stealing secrets. Yet according to Proofpoint's 2022 Cost of Insider Threats: Global Report, so-called "insider threat" incidents have risen 44% over the past two years, with the average cost per incident rising more than a third to US$15.38 million.
A report from Verizon corroborated those numbers, showing a 47% increase in the frequency of incidents involving insider threats between 2021 and 2022.
What sort of confidential information is being stolen in these breaches?
Four recent examples show it's not just data or credit card numbers. Sometimes, ex-employees steal the crown jewels themselves:
- In late April 2022, Apple sued startup Rivos, claiming it took part in a conspiracy to poach 40 ex-Apple employees, some of whom stole gigabytes of confidential system-on-chip (SoC) technology which could "significantly accelerate" Rivos' own SoC development;
- In May of 2022, a research scientist at Yahoo! stole sensitive information about Yahoo!'s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor company that specializes in real-time programmatic marketing automation technologies;
- In August 2022, a handful of Microsoft employees exposed login passcodes to the company's GitHub infrastructure that would have given anyone, including attackers, access to Azure servers and potentially other internal Microsoft systems.
What's scary about these examples is that each of the employees involved in the thefts was likely "loyal" to the companies from which they stole, at least for a while. They probably never contemplated acting in such a way. And yet, something changed their minds.
Apple, Yahoo! and Microsoft likely spend hundreds of thousands of dollars each year on team-building events, training programmes and employee incentives to boost staff loyalty. But for those specific employees who were involved in corporate theft, none of these efforts was enough to avoid the betrayal.
Machiavelli's paradox of the mercenary points to the problem of money. However, the spook world has a broader explanation for why people betray their loyalty.
The idea goes by the acronym MICE, which stands for "Money, Ideology, Coercion or Ego." Some folks can be bought off with a bigger pay packet; others can be convinced by appealing to a higher cause; threats can tip others over the line, while stroking the ego is sufficient for some.
Spies understand that no matter who you are, each of us is vulnerable to one or a mix of these four factors of persuasion.
They also know the easiest method of procuring confidential information is to target the softest part of the defence: the humans. Most cybersecurity systems are robust enough to withstand all but the most sophisticated breach attempts. But sweet-talking a disgruntled employee who has access to the key codes for the computer mainframe? That's a job for MICE.
The realities of staff disloyalty and cybersecurity are rather depressing, aren't they?
If a determined spy wants access to your company's trade secrets, there are a million ways for them to do so. No company has enough resources to protect against every vector of attack.
But the situation isn't hopeless. Far from it! The trick is to think differently about protection. Staying on the espionage theme, sometimes attack is the best form of defence.
This doesn't mean a company should hire its own spies or try to cajole the employees of a rival. Instead, a company's best defence is to build its brand.
A strong brand is a company's most important intangible asset because it captures the minds of the public using marketing techniques that follow the same model of MICE. For example:
- A well-paid staff is generally happier (Money);
- Workers who feel part of something bigger are more engaged (Ideology);
- Strong enforcement of rules is always a good policy (Coercion);
- Employees who are regularly praised for outstanding effort are more satisfied (Ego).
Furthermore, when a brand is well-known, it won't matter if a competitor steals its ideas. The market itself will be loyal to the company with the strongest brand. Did you know there are more than 20 Coca-Cola competitors? Coca-Cola doesn't really care because it has created a strong constellation of intangible assets and, arguably, one of the world's most recognizable brands.
Coca-Cola also has robust relationships with its suppliers and retail outlets. Try as they might, those 20 competitors can't get the same access to shelf space as Coca-Cola can. So, even if Coke's recipe were to be stolen, that rival would find itself holding a piece of paper with no way to use it.
The lesson here is that only the weak end up as prey in the corporate jungle. Companies that position themselves with the best possible constellation of intangible assets may still struggle with disloyal staff, but they will have a good chance of surviving the consequences of any theft.