The National Cyber Security Centre continues to warn businesses that cyber-attacks are on the rise, and that organizations should have the correct prevention strategies in place. But with all the focus on cyber, businesses could be overlooking a greater threat to their security; most commonly referred to as business espionage, or business spying.
Unlike corporate espionage, which involves corporations spying on other corporations, business espionage occurs when governments or competitors spy on businesses, whatever their size or function.
This can involve cyber-attacks, where systems are hacked and confidential data is downloaded, copied or stolen, but it also involves the use of listening or monitoring devices, hidden cameras and transmitters. In some cases, business espionage can be carried out by spies, who infiltrate organizations in order to access private information in various ways, from stealing or copying files to going through paper waste. These spies can be employees, former employees, cleaners, contractors or intruders.
An estimated US$8.5 trillion ($1.7 trillion per year) is lost worldwide in five years as a result of business espionage. To put this into context, that’s US$5.5 trillion more than all costs relating to the attack on the World Trade Centre in New York City in 2001, which were estimated at US$3 trillion for the five years following the attack.
Business espionage can have a catastrophic impact on businesses, and yet it is one of the least understood threats facing organizations today.
Consider all insider threats
Business espionage can come from many sources, including individuals, competitors, foreign governments or criminal gangs, and in most cases, perpetrators are able to get away with business-critical and confidential information long before anyone becomes aware of the breach.
In some cases, it can be as simple as a bogus new starter entering the building, armed with the right information to get by security, swiftly stealing confidential information in the form of documents, laptops or mobile phones before anyone notices.
Increasingly, spies are stealing personnel records, as these are also of great value to businesses. We could argue that accessing personal information about an organization’s people allows spies to better infiltrate the business, or even recruit new talent straight from within the business.
Business spies will develop detailed and strategic plans to infiltrate organizations and access their data. They will play on basic weaknesses, knowledge gaps and human frailty, which is why businesses must have the correct measures in place to monitor these threats. There is little point in monitoring systems if you don’t also monitor the people who have access to them.
Potential workplace threats include new starters, disgruntled or greedy employees, but also suppliers and contractors who may take confidential information with them, with little sign of detection. Sensitive information being shared via online platforms and telephones, or on printed documents is also vulnerable if not protected appropriately. Information can also be elicited by telephone and computer communications, or during conferences.
Business executives are particularly vulnerable to spying when travelling for business matters. This is because although most businesses will consider terror threats, criminal activity or even natural disasters within travel security programs, they rarely cover business espionage. The same risk applies for expatriated employees, stationed in foreign countries, as the company may not explain the threat of business espionage to them by fear of disrupting them.
Effectively protect your company’s information
Companies will routinely monitor equipment loss because of theft, but arguably a far greater consequence to the business is the information that can be found on these stolen company laptops or mobile phones. In fact, the information that can be accessed on these devices is virtually guaranteed to have a far greater value to the company than the equipment itself.
As well as setting complex passwords and passcodes, and installing software which allows the organization to track these devices, all sensitive data should be encrypted and copies should be saved to secure servers. Legal restrictions such as non-compete agreements, patents, and copyrights are also ways of protecting your data and your assets from competitors and former employees.
Good physical security and access control helps protect from business espionage. As part of a security audit, rights of access and rights of way for all staff and all services staff such as cleaners, engineers and IT professionals should be mapped out, agreed and tested. Firmer and more limited access control should apply to any external visitors.
Screening processes and background checks for new starters should also apply to contractors and partners, as in some cases they will have access to the same confidential data and premises as a full-time employee.
For companies or business departments that handle particularly sensitive data, one solution is to monitor printing, either by limiting access control to certain printers or printing rooms, or even through banning printouts entirely. Most printers will have the ability to store copies of up to 1000 of the latest printed pages, some of which may contain confidential information. One related spying issue is that printers and copiers can often be accessed remotely or the hard drives removed by repair/maintenance companies.
In departments where printouts are permitted, clean desk policies should be implemented and enforced, and processes should be in place around the timely disposal of sensitive data that has been printed out.
As well as implementing physical and IT security systems within organizations, members of staff should also be briefed appropriately. Whether they work in reception, sales, or IT, at operational or director level, educating your people on the threats of business espionage, and the ways in which to prevent it will go a long way in preventing your data from reaching the hands of the wrong people.
Bruce Wimmer, Senior Director of Corporate Risk Services at G4S, has been involved in investigations and security consulting for more than 40 years.