Protecting Your Organisation From Espionage
Gone are the days when a simple sweep for bugs could solve all of your problems. Today’s world of espionage is so much more complex than ever before and it’s getting harder and harder to protect against the threats.
In the mid-nineties, I wrote an article titled “Surveillance in Society”. It was intended to highlight the ways in which surveillance had changed over the years, confirming many people’s thoughts, that they could not go about their daily business without being filmed or photographed multiple times. It was by no means a criticism of surveillance systems, rather, a means by which to relay to the community that surveillance is good for us. It protects us.
A lot has changed since then. No longer can we assume that what we do remains private.
Facebook, Twitter, Instagram, LinkedIn, Google+, iMessage, Whatsapp, Reddit and so on, are just some of the different mediums by which we communicate and therefore, by which we can be monitored. Everything you do online is recorded and in essence, available to anyone who wants to find it. Then there’s the hundreds of cameras surrounding us, the Internet monitoring, the tracking of your mobile phone as you walk or drive down the street, the data collation of your credit card habits, your shopping preferences, where you parked your car… and the list goes on. Scary huh?
Society has become so hooked on convenience, that we forget the fact that everything we do can potentially be used against us. But I’m not particularly worried.
I’ve always believed the point that if you’re not doing anything wrong, then you’ve nothing to worry about. I still feel this way, however, with the odd caveat!
When dealing with corporate entities, information is power. Who we meet with, where we shop, what we are worth and the deals we are working on, are all activities that we really ought to be protecting. That’s nobody’s business but ours and when it falls into the wrong hands, the outcome could be more than damaging to us, our reputation and the companies we represent.
Too many of my clients seem to miss this point. They often feel that an employee’s social activities and time away from the office is theirs and not to be concerned about. That might have been the case 15 years ago, but things are very different now. Most employees don’t think when it comes to sharing information and there is little delineation between personal and professional activities. They are too eager to post on their daily habits…
‘Off to the Gateway building for a meeting this afternoon’…
‘Just finished a pitch for a huge new portfolio’….
‘I can’t stand my boss – he thinks he’s the ruler of the world’…
‘looks like we are about to be acquired’…
Get the drift?
It’s not all bad though. Companies need to understand that such activities can be curbed and in most instances, it just takes a little bit of coaching.
We have long advocated the introduction of preventive counter-espionage training to our clients, whereby we regularly conduct awareness sessions with staff to educate them on the importance of maintaining confidentiality. Surprisingly, a lot of people don’t think about the consequences of their online actions. Often, they think their accounts are private and can only be viewed by a select group of people. Whilst this may be true, as soon as one of those people retweets or posts on your Facebook comment, the info is out! They may not have the same privacy settings as their friend, who thought the comments would remain private.
A good example of this scenario was played out in the recent Australian Election for Prime Minister. A make-up artist made a comment online, after meeting the incumbent Prime Minister Mr. Rudd and the then Leader of the Opposition, Mr. Abbott. She stated that Mr Rudd was extremely rude to her and that Mr. Abbott was a gentleman. She saw no issue in posting this, as she truly believed that her audience was a closed group of friends. The problem was, that one of her friends didn’t think and within moments, the comment was public and picked up by a savvy journalist. The crowd went wild!
Educating staff on the fact that anything posted online or sent via email may potentially become public knowledge, is critical. But that’s not all we need to be worried about.
Information is being handed to us on a platter and espionage is running rife.
In addition to the online leaking of information, internal data and paperwork must be protected. Organisations need to ensure that they have tight policies governing the use of USB and portable hard drives (all such devices should be encrypted), password management, document control and of course physical access to areas or devices containing critical information.
It’s a matter of thinking about security from the inside out.
Are cabinets containing sensitive information kept locked?
Are keys kept in a key safe?
Is there a clean desk policy in place?
Do staff ensure they don’t leave their laptops lying around both in and out of the office?
Are mobile phones and tablets password protected?
These are just a few items that need to be considered.
Espionage will typically occur from within an organisation, and is not just undertaken by outside operatives. Whilst usually targeted, it can also be opportunistic and is generally motivated by money, power or fame. Occasionally there may be a supposed moral or self interest reason for conducting espionage, as seen recently with the Snowden case in the USA – but that’s for another day’s post!
Information is valuable and forms the crux of any organisation. It is therefore susceptible to theft. However, with the right controls and attitude, it can generally be protected. Preventive measures are a first step, as opposed to having to deal with the financial and reputational fallout, should critical information be leaked to the wrong people.
The undertaking of technical surveillance countermeasures (bug sweeps) is also important, however, this is one of multiple streams required to protect you or your organisation from becoming the target of espionage.
By on 12/09/2013