Global articles on espionage, spying, bugs, and other interesting topics.

How To Protect Your Business From Spying

Corporate espionage is a very real threat

Levels of corporate espionage have significantly increased across all industry sectors in recent years, with the financial crisis exacerbating the problem. Technological advances and an increasingly transient workforce have contributed to the steady rise in espionage levels during the past decade. More recently, the increased competition between companies, heightened workplace pressures, large-scale redundancies and cost-cutting measures caused by the financial crisis have contributed to a dramatic proliferation in the scale and frequency of acts of espionage.

Most recent espionage cases can be attributed to weaknesses in organisational security with too few companies adopting adequate security measures to prevent a targeted attempt at corporate espionage. The opportunities, incentives and rationalisation for employees to become involved in corporate espionage have all escalated as a result of the crisis. Financial pressures have led to security cutbacks in many companies. These budget cuts have created gaps in control systems and thus have increased the number of opportunities for corporate espionage to occur. As such, many companies have become far more vulnerable as a result of the financial crisis.

This heightened vulnerability plays into the hands of criminal organisations that are becoming ever more successful at obtaining confidential corporate and personal data. Although financial data tends to be well sought after, other commonly stolen information includes customer lists, marketing information, redundancy lists, merger and acquisition plans, email controls, passwords and human resources records. The theft of any sensitive information is likely to have significant direct and indirect financial effects on the victim company. As well as the competitive advantage lost through the transfer of trade secrets, it can also lead to fraud, blackmail and identity theft. Corporate espionage and the loss of confidential information also cause great damage to a company’s reputation and a decrease in customer and client trust. A failure to adequately protect and dispose of confidential personal information can also cause a company great financial damage, due to the legal consequences associated with not complying with strict data protection laws.

Criminal entities involved in corporate espionage and data theft are booming in the current economic climate, due to a significant increase in the motivation for company employees to sell sensitive information. This motivational shift is largely the result of a decreased feeling of job security following widespread redundancies. Employees thus feel increasingly threatened and under pressure to commit corporate espionage to aid their own financial prospects, or to help them to find a new employer. Furthermore, the rationalisation for employees to commit corporate espionage has also increased as workplace morale dips due to lower-than-expected pay and job uncertainty. Dissatisfied workers and disgruntled former employees are far more likely to become involved in corporate espionage and other fraudulent activities.

Technological advances in recent years have enhanced the opportunities for employees to become involved in discrete corporate espionage. Spy products have proliferated across the Australian (and global) market place with prices that are affordable to the everyday consumer. Portable USB hard drives can quickly download huge amounts of information and can be easily used to steal confidential corporate information. The widespread use of emails have allows vast amounts of information to be intercepted and stolen, while a proliferation in the availability of listening devices have also contributed to the threat. Mobile phones have become a major security risk as their functionality increases, with widely available mobile spy software now able to turn the vast majority of mobile phones into portable espionage tools. Once installed (which can just take a matter of seconds), such spy software allows conversations to be listened to (even when not in a call, using the microphone), text messages to be viewed, and the exact location of the phone to be shown.

Those involved in conducting corporate espionage commonly include competitor companies, individuals sourcing confidential information for their own financial gain and, most frequently, internal sources. An increasingly transient workforce has meant that most staff members fail to build a lasting relationship with their employer and, as such, have few issues with stealing information due a lack of loyalty. Having said that, even the most trusted and longest serving employees may be carrying out corporate espionage, with numerous cases of internal corporate espionage going undetected for decades.

It only takes a matter of seconds for a disillusioned employee or a contractor staff member to steal vast amounts of information using a portable USB drive or web-based email account. A recent survey of Information Technology (IT) workers found that almost three-quarters of respondents claimed to have the ability to circumnavigate their company’s security controls in order to access confidential information. Furthermore, the same survey revealed that there had been a six-fold increase between 2008 and 2009 in the number of IT workers stating that, if laid off, they would take company information with them. Cleaners (and even security staff) can also pose major security risks, and companies should ensure that all external contractors undergo comprehensive background checks. Where possible, the movement of cleaners around sensitive areas of buildings should be closely monitored.

Many of the high-profile espionage cases in recent times have involved past company employees. The corporate espionage allegedly conducted by Hilton Hotels against Starwood Hotels last year centred on two senior executives that had moved from Starwood to Hilton. In a similar vein, the famous espionage controversy between Air Canada and Westjet involved a former Air Canada employee that retained access to his former company’s intranet after his departure. Even as recently as last month, it was confirmed that a former Michelin Tyre executive attempted to sell confidential research documents to Bridgestone for a hefty sum.

These cases show only too clearly the damage that departing employees can inflict on their former company unless adequate security systems are in place. Thankfully, the perpetrators of these crimes were caught, however, most companies would not know whether they have been the target of a good espionage operative, increasing the need to implement strict security controls within all corporate environments.

How to protect your business from spying

In the current economic environment, security should be of utmost performance to prevent the great financial and competitive losses that can quickly arise from espionage. Listening devices and other espionage aids frequently go undetected for months or even years, as they are normally well hidden within electrical equipment, lights, wall penetrations and a variety of other locations. Physical and technical security controls should be regularly enhanced to create multi-layered defences against the threat of espionage. Companies should regularly conduct counter-surveillance sweeps, which use a variety or methods, both technical (to detect signal transmissions) and physical (comprehensive searches for eavesdropping devices), to help ensure that a workplace remains clear of unseen security threats.

The steps outlined below should all be considered to help ensure that your company does not become a victim of corporate espionage. It is vitally important that all workforce members, from senior management to the most junior staff, embrace these measures for effective security controls to be implemented:

• Encrypt confidential electronic data, and ensure that hard copies of sensitive information are kept locked away in a secure location.
• Control and monitor the movement and downloading of confidential information, particularly during times of redundancies.
• Restrict the use of portable USB and other hard drives in the workplace. Access to web-based emails should also be restricted.
• All computers should be automatically logged off after a set period of inactivity.
• Maintain a policy to ensure that all employees regularly update their passwords.
• Ensure that sensitive information is only accessible to those individuals for whom it is essential.
• Dispose of all confidential information promptly and in a secure manner. All confidential documents should be cross-shredded after use.
• Keep a close watch on staff activity, transactions and suspicious behaviour.
• Establish an anonymous whistle-blowing program to help identity suspicious employee behaviour.
• Conduct background checks on all employees and contractor staff.
• Monitor the activities of all contractor staff while on site – particularly cleaners.
• Ensure that employees’ access to corporate information (and access passes) is restricted as soon as their redundancy or departure is announced.
• Undertake thorough audits of departing employees’ paper and electronic documents, with both a supervisor and member of IT security present.
• Ensure that a clean desk policy is enforced across the company.
• Undertake regular checks to ensure that all above measures are being complied with.
• Conduct regular counter-surveillance sweeps to help ensure that all board rooms and executive offices remain clear of listening devices.

There is no guaranteed solution to protect against espionage. The most effective means is to undertake a variety of measures utilising a security in depth principle. Multiple layers of protection, such as those listed above will certainly assist to mitigate the likelihood of your organisation becoming the target of corporate espionage.