When you hear talk of espionage you tend to think of military facilities or major groups. Small- and medium-sized businesses are rarely mentioned. Are relatively small firms actually safe from attack?

By no means: rather the opposite. The know-how and innovative capacity of small and medium-sized German companies are in demand all across the world. As a result, both foreign intelligence services and industrial spies are attacking such businesses with increasing frequency. By contrast with most major groups, medium-sized companies tend not to have adequate security systems.

Why do the mid-market companies underestimate these dangers?

As we show in our 2012 study of industrial espionage, the focus of interest is not only on results from the research and development side but, most frequently, on marketing data and information about planned acquisitions (M&A) or the manufacturing process. Unfortunately the medium-sized companies often tend to underestimate their own vulnerability. Industrial espionage is not only employed to get at the latest R&D results but more frequently is used to pinpoint the best sales staff, margins, reliable suppliers, the most lucrative customers or the most effective production process.

What determines whether or not a company will become the target of spying?

Every company should be aware that it is not immune from becoming a target of attack. This can either be a matter of opportunism or quite deliberate. Many technical attacks run via automated computer networks (often via botnets), which are used to send malware on a massive scale. However, we are more and more often seeing so-called advanced persistent threats (APTs), which involve spies directly targeting their attack on a company or an organisation and operating with all the means at their disposal.

How high do you reckon the danger from state-sponsored spying programmes?

The possibilities available to the intelligence services have long been known in security circles. However, the scale of surveillance has come as a surprise even to us. But the current discussion doesn’t change anything in terms of the requirement for data protection. Data that leave the company unencrypted can be tapped into at many points. This is why careful consideration should be given to deciding where exactly are the firm’s so-called crown jewels, the essential core data. Usually this is a matter of no more than five to ten per cent of the company’s entire body of information, which must be…