It will never happen to us. Will it?
When considering the deliverables they expect from their Security team few executives ever map combating business espionage onto their radar. Indeed the term may be at best loosely understood and the probability is that the risk will be seen as something solely affecting others. The perennial need to validate time spent on Security against measurable risk and fiscal impact is never more difficult than when persuading of the need to protect against a seemingly nebulous threat. After all isn’t business espionage the domain of James Bond and fiction?
So what are we talking about? Business, corporate and industrial espionage are terms used to describe acts of subterfuge carried out for a commercial purpose rather than for national security. These terms are sometimes confused with business or competitive intelligence, which is generally the legitimate use of open source public information to analyse business competitors and the marketplace.
Curiously, business espionage suffers from an enforcement dilemma insofar as Europe has not legislated to provide protection. This is not so in the US, which enacted the Economic Espionage Act of 1996. In the UK such activities may be prosecuted under the Theft Act 1968, but only where the theft of tangible property (not information) has taken place, or, where personal information has not been adequately protected, the Data Protection Act may have been violated. Employees may also breach their contracts of employment if they engage in appropriating information. What is unethical is not necessarily illegal, and this is a classic example of a clear wrong that is not legislated for.
Despite this risk being low on most corporations' radar it has, in the recent past, affected numerous organisations including those in the aerospace, high street retail, petroleum and electronics sectors, to name a few.
Who is doing this?
At the high end of the scale certain national governments have long been suspected of targeting their agencies at corporations critical to the national infrastructure, or where contracts of national importance are being negotiated. Russia and China have been singled out by MI5 in this regard. In 2001 a BAe security officer, in the pay of a Russian agency, took a document from a security container and was imprisoned for 11 years for Official Secrets Act and Theft Act offences.
The middle ground is taken up by former security service personnel who have the skills to conduct these activities. They share this arena with private investigators who may act on behalf of their client themselves or by employing ex security services people. The client will typically wish to place layers of cover between themselves and the activity. A considerable range of expertise, particularly technical, exists in the private sector to facilitate most activities, and corporations are frequently under-informed about, and under-protected against, this risk.
Finally there is the random opportunist. This person may be motivated by greed, financial hardship, redundancy, lack of recognition or simply a chance act. The unpredictability of this threat can make it the hardest to protect against.
What do they want?
Part of the answer to this question will be either relatively obvious or very specific to the nature of the business engaged in. Typical examples include information on mergers and acquisitions, intellectual property, strategy, financial status, key contract negotiating positions and third party relationships, along with system and process vulnerabilities.
What do I look for?
Attacks against the corporation may come in many forms and, if conducted by professionals, may be hard to detect early. Individuals may create provable backgrounds, apparently relevant to the business, to enable them to pass with credibility into a business by posing as students, consultants, media representatives, auditors or some other professional. Frequently such backgrounds will stand up to a level of scrutiny.
In a similar vein, people may be placed into a business either by applying for positions on the payroll or as third party employees engaged in a variety of roles from IT to cleaning. Such people, invariably not senior in the organisation, can be very difficult to identify and, if caught, are unlikely to know their ultimate client's identity. This strategy, particularly when placing full time employees, tends to be a long term approach which will be logistically supported by the agent's real employer.
Social engineering remains a successful tactic for gaining information even in the most aware of corporate environments. It can take many forms, such as bogus phone calls targeting employees. These deceptions may appear to come from colleagues, vendors, recruiters, industry researchers, professional organisations, sister businesses and so forth. The approach often involves calling a number of people around a business, enabling a dossier to be compiled about key individuals. Identified employees are then targeted for information, the caller using the knowledge already gathered to appear credible and gain trust. A variation on this is the development of long term social contact with employees. This is difficult to set up and requires a substantial time commitment. However, if the stakes are high enough and the reward great enough, this exploitation of trust can yield a significant return on investment.
Most business leaders are peripherally aware of the threat from electronic bugging, but it is rare for it to be taken seriously as a threat. It may be worth pondering where the estimated £10m annual spend on electronic surveillance devices in the UK is being deployed. Given that such devices can be bought in most of the major cities in the world, often for a small sum, this could reasonably be interpreted as a testimony to the level of business espionage faced by home corporations and a risk indicator which we ignore at our peril.
The theft of equipment, particularly laptops, whilst usually a routine crime, may also be an espionage manoeuvre masking one purpose with another, seemingly less serious, one. Even the most junior employee's laptop may give VPN access to a corporate network and beyond to systems, databases and information. We cannot assume passwords to be barriers to experts in this field. They simply are not.
Denial of service attacks, and credible threats to bring down corporate Internet sites or networks, have been a tactic previously employed against financial services institutions by organised crime and will lead to some very difficult decisions in the Boardroom. Another IT espionage tactic is the Trojan horse, which leaks previously protected information directly to the receiving agent almost without risk to them.
What can we do about this?
The starting point for a meaningful corporate response is to achieve top-down recognition of the risk and to ensure that managers and employees understand that the threat is taken seriously. A risk assessment and gap analysis should lead the way to good counter measure processes. Most of these processes will be simply good practice anyway and, if necessary, other arguments can be used to justify them.
Knowing who you are letting through your front door is as valid advice for a business as it is for home owners. This includes good due diligence checks of third parties and comprehensive, risk based, pre-employment vetting during the recruitment cycle. On the back of this, in a world of outsourced operations, consistent staff vetting requirements should be built into contracts with vendors who provide both core services and people. This will significantly enhance the protection of a corporation's systems, sites and sensitive information.
Robust IT policies covering encryption, virus protection, password controls, firewall management, VPN and laptop use and the usual suite of corporate safeguards should be adopted, documented, monitored and applicable to everyone. Even those at the top!
It is crucial to create an environment as secure as possible from potential information loss. This may be achieved by a raft of simple measures including clear desk sweeps and the control of mobile camera phones (particularly in roles related to sensitive data) and USB sticks. Other, business espionage specific, measures include periodic, or meeting specific, electronic sweeps and safe rooms constructed and maintained to be free of electronic bugging. Banning mobile phones, the batteries of which are classically used to house two-way listening devices, from sensitive meetings is another easy protective measure, albeit potentially unpopular with those for whom the device is a lifeline never to be separated from!
A clear policy to control confidential documents is imperative but is significantly undermined without awareness and enforcement. Many such policies look good in the library, but lack of compliance leaves the business exposed. Coupled to this is the need for a clear desk policy with periodic compliance checks. The services of out-of-hours personnel, such as cleaners, can be bought for nominal sums to copy documents left at printers or to use mobile phones to photograph documents left on desks.
Finally, ensuring that a detailed investigation is conducted into any data loss incident, with the strongest possible action taken against any identified participants, shows corporate resolve. In such cases the close support of corporate communications to manage media fall-out is simultaneously imperative for damage limitation.
In summary, this threat will not affect us all, but if our organisation is targeted the reputational, fiscal or integrity risk can be high. Routine security policies addressing the issues raised in this article can go a long way towards combating the danger of business espionage, but only if they are supported from the top and complied with throughout the business. Added to this is the key protection that comes from knowing who you are employing in the workplace. Security can never be guaranteed, but much can be done to minimise this risk.
Biography
Steve Goad is a security management professional, Certified Fraud Examiner and Member of The Security Institute with over 26 years' experience in his field. He currently manages security risk and investigations in the financial services sector with responsibilities for a portfolio covering corporate governance, physical and third party security, risk consultancy, vetting, fraud investigation, awareness and business continuity.
Previously Steve served both in the military and as a police detective before moving to the corporate sector. Between 1993 and 2002 Steve held Security Directorate management roles with two global telecommunications companies and travelled extensively in bringing a wide portfolio of security and anti-fraud solutions to the parent companies, joint ventures and subsidiaries. During this period he appeared on national television and radio programmes, delivered security road shows and managed national and international fraud investigations.
From 2002 Steve was a Director of Consultancy for a London based private security company engaged in investigation, vetting and specialist projects including work for overseas clients. Steve moved into the financial services sector in 2003.
Steve has developed a wide range of security risk experience and gained considerable insight into the delivery of specialist services in different corporate and cultural environments.
“Companies need to recruit and train people in whom they have confidence and whom they can trust. It is confidence and trust that are real safeguards against fraud and disaster, and they can only be fostered and instilled on a sound ethical basis”
Sir Adrian Cadbury, Committee on the Financial Aspects of Corporate Governance, 2002