Universities and other research institutions in Germany are not immune to espionage. But they are often not even aware of the lurking danger. This has been revealed by a study carried out by the Max Planck Institute for the Study of Crime, Security and Law.
According to criminologists Michael Kilchling and Susanne Knickmeier, it is not always apparent to scientific organizations what data is worthy of protection or what its potential commercial value is to third parties. In their project “Economic and industrial espionage in Germany and Europe” (WISKOS), Kilchling and Knickmeier examined the threat to small and medium-sized enterprises (SMEs) and to scientific institutions. “Often there is a lack of awareness of the fact that, in a research project with papers that are to be published anyway, the raw data could well be of interest to third parties,” said project manager Michael Kilchling during a presentation at a security conference of the Max Planck Society. “To researchers the basic principle of open knowledge exchange and knowledge is very important,” explained project team member Susanne Knickmeier. The level of protection is therefore “not always consistently adapted to the protection requirements.”
For this reason, the WISKOS team has developed a guideline which is intended to provide low-threshold support to research institutions – both university and non-university – in raising awareness of, and preventing, espionage. The strategies listed in the guide include organizational, personnel and technical measures with which the institutes and universities can arm themselves against potential dangers.
The organizational prevention measures include:
- building security access regulations
- contractual regulation of the relationship with suppliers or external companies (e.g. cleaning company)
- the introduction of an internal reporting system.
Personnel measures include:
- raising awareness among employees (e.g. through training courses on IT security, data protection, dangers from scientific espionage)
- contractually regulated secrecy/confidentiality agreements
- the critical observation, with regard to property rights issues, of the future career activities and publications of persons who have left the university/science organization.
Technical measures include:
- access control, e.g. by means of key cards or biometric techniques
- the encryption of devices and emails
- regular updates of the software packages used and the operating system.
The complete guideline as well as brochures and other illustrative material can be found at wiskos.de/informationen_fuer/wissenschaftsorganisationen [in German].