9

Physical and Personnel Security Countermeasures

Abstract

This chapter focuses on all the physical and security countermeasures that can and should be used by companies to protect their sensitive business information from spying. It is a comprehensive look at physical and security countermeasures employed by governments and companies. It also explains how implementing these countermeasures lowers the vulnerabilities and the business espionage risk.

Key words

Business espionage; threats; vulnerabilities; tiger team; penetration tests; security education and awareness; travel security; senior leadership; employee orientation; anonymous; pulverize; shredder; reporting program; timely; damage; adverse impact; confidential; secret; proprietary information; offensive; non-disclosure; integrity tests; information protection team; due diligence; policies and procedures; trade secret; polygraph; resignation; termination; access controls; locks; destruction; trash; screening; background investigation and developed references

Introduction

While everyone is always looking for an all-encompassing solution that will end all worries about business espionage, so far, no one has found one. And, after more than 40 years of looking for it myself, I am convinced there is no one “magic solution.” The answer to countering business-spying threats is the same as countering other security threats: develop strong risk-based overlapping and comprehensive countermeasures to threats. This will lower your vulnerabilities and ensure your business is prepared to deal with the inevitable and diverse business threats of today.

In some ways I think countermeasures (Chapters 9, 10, and 11) are the most important part of this book because, as noted in the discussion on the risk assessment process, strengthening security and lowering vulnerabilities is the best way to lower your security risk. And, if we do not lower our risk to business espionage threat, this whole process has very little value. But it is also important to know the major threats, their likelihood of occurrence, and the modus operandi most often used, which means making protective measure decisions based on the holistic threats.

Clearly one thing everyone needs to do is look at the best practices and physical/personnel security standards for effectively countering business espionage. There are security standards for supply chains, banks, water systems, chemical plants, and food industries; associations such as ASIS International have general physical security standards, while others such as the Transported Asset Protection Association (TAPA) have physical security standards for various sectors, including transportation. But there are not many standards written specifically for protection from business espionage. The closest standards with specific objectives related to information protection are set out in ISO 17799, but these are oriented more toward the IT world and basically ignore non-IT threats and vulnerabilities. However, there are a number of accepted standards for physical security, and even though they were written with other threats in mind, they apply to a range of security threats, including business spying, and can be invaluable in protecting against it.

In this chapter, we will also look back at the case studies discussed in earlier chapters and use them to identify the threats and modus operandi. We can then examine the vulnerabilities that allowed the threats to be successful. The key, then, is to develop countermeasures that will reduce those typical vulnerabilities and protect the business enterprise from the identified threats. I believe that the espionage committed in all my case studies and examples could have been prevented. Therefore, we will strive to set out principles that can help to prevent spies from successfully targeting businesses. In the rare case where it would have been exceptionally difficult to prevent an attack, countermeasures could still have been implemented to reduce the adverse business impact (consequences) of the spying attack.

As noted, there is no “magic solution,” and no single security strategy can prevent every business spying attack. There is also no perfect set of countermeasures, and any truly effective counterespionage program cannot be fixed and static, as threats are constantly evolving and new vulnerabilities emerging. What protected you last year might not work as well this year. The threat actors will be probing and trying to find new techniques, so the countermeasures employed must be dynamic and constantly adjusting to the threat. Accidents and mistakes must also be handled.

Even if you have your access control measures in place so it is very difficult for a human being to get into a controlled area, spies will try and use small remote-controlled devices flying through the air to bypass traditional physical security measures such as fences and gates. Now you have to adjust your security countermeasures. If you find the threat is coming from robotic cleaning services and the equipment they use, then you have to adjust countermeasures again. The process is ongoing and never truly ends.

When we talk about business espionage countermeasures, another term that can be used is risk management. The countermeasures we recommend will allow a business to manage the risk. While sometimes it may be necessary to accept a vulnerability or a consequence/business impact, this should be an enterprise decision, and the business should manage the risk rather than just react to it.

One of the major factors in any risk management program or countermeasures approach is the cost. This can be calculated by looking at the amount of the security equipment that needs to be purchased and the security personnel that need to be hired or contracted. It may also involve the time taken away from operational activities by your employees for, among other things, their security-related education and awareness training. If the potential adverse consequences, based on the critical impact assets that are identified, are lower than the potential cost, that countermeasure is not cost effective. The good news is that many of the most effective countermeasures do not cost that much and many of the recommended countermeasures also provide enhanced security for other significant threats such as theft, workplace violence, and fraud.

Business Espionage Security Awareness Training

Without a doubt, one of the most effective things any company can do to protect its business secrets and sensitive information is to have a workforce that is educated and aware of the business espionage threat. If the leadership and workforce view business spying as one of those “James Bond” threats that only occur in the movies (an attitude I have seen often), there will be major vulnerabilities. I have delivered very few training sessions where I did not have someone in the company come up after the training to share a story about an incident, and how they now recognize that the incident may have involved someone using a business-spying technique.

It is important to understand that the security function of a company cannot protect everything by itself. It is an established principle in security and law enforcement that law enforcement agencies need the public to report what they see, and private security entities need the general employees of companies to be their reporting eyes and ears. Without that support, law enforcement or security will not be nearly as effective as they could be if they were teamed up with all company employees. It must be clear that the security of a company’s sensitive information is the responsibility of every employee, not just those with “security” in their job title. Therefore, you cannot give some of the security responsibility to employees without empowering them with the knowledge of what they should be alert for and how to respond if they see or experience a possible threat.

In the U.S. Air Force, while stationed in Berlin, Germany, I was credited with having the best counterespionage education and awareness program in the entire Air Force. Our objective in the Air Force was to brief 100 percent of an installation’s personnel. My objective in Berlin was to brief, and otherwise educate, 400 percent of the Air Force population in Berlin (meaning I tried to ensure every employee was briefed four times a year). Many thought that was overkill even in what most acknowledged as the spy capital of the world at the time. We used bulletin boards, computer notes, wallet-sized cards, library displays, newspaper ads, and articles, and we delivered four different kinds of training each year. This included standard threat briefings, methods/techniques briefings, and what-to-do briefings. It also included bringing a former double agent in to provide a briefing on what it was like to work as a spy for the Soviet and East German intelligence services. As a result, the Air Force in Berlin had the highest number of active espionage cases ever uncovered at a single geographic location. Even special penetration tests against sensitive targets by U.S. Air Force penetration teams were detected and neutralized in record time. Was that because we were that good, or was it because we were just lucky? No! I have no doubt that our success in countering espionage in Berlin was due to the involvement of Air Force personnel throughout Berlin and their regular reports of suspected espionage or possible threats. They were involved because we worked hard to keep them educated and aware. They knew what to look for and what to do if they saw it. My experience is that the majority of employees will do this if they are properly educated and motivated.

Some of the so-called counterespionage education and awareness programs I have reviewed are no more than a review of existing security-related policies and procedures. Such an approach has little or no lasting value. Others are speeches that focus on penalties and consequences. Again, this is not effective and these programs leave employees saying the company’s counterespionage program is almost worthless.

Some will maintain that threatening people with punishment is counterproductive. While it certainly should not be the main thrust of your education and awareness program, depending on how you define “threatening” it may be one of the many subjects that should be addressed. Employees need to know the company takes protection of its sensitive information and trade secrets very seriously and will take appropriate legal and/or other action against anyone who is involved in the theft or compromise of their sensitive information. As we saw from looking at the case studies on the motivation of spies, if they think a company is not really serious about protecting its secrets, they will be more likely to engage in espionage and will rationalize that the company security is weak because the company does not really care. A good education and awareness program will not come across as a threat, but it will make it clear the company is very serious about protecting itself.

Key Elements of a Good Employee Counterespionage Education and Awareness Program

I am frequently asked what would constitute a good counterespionage security and awareness program. Once again, there is no “one-size-fits-all” solution, but the following are some of the key elements of a good education and awareness program for business espionage:

• Make sure employees understand that the senior leadership of the company strongly supports this program and expects them to do the same (having a leader introduce the training in person, or on video, and/or a letter from the president/CEO can help drive this point home).

• Make sure employees understand the threat of business spying is real; use real examples (many are provided in this book).

• Explain the different kinds of threats and the variety of methods used in business spying (employees say this helped them to spot a social engineering attempt, for example).

• Explain the value of the company’s sensitive information and the damage it could cause if the information is lost (make the loss personal by noting how many jobs or bonuses could be lost).

• Explain how to identify sensitive, classified, or high-impact information (whichever term you use).

• Explain what employees are supposed to be alert for, sensitive to, and why.

• Explain how employees can report spying attempts or even suspicions (stress that they do not have to have what they might consider proof before they make a report; you want them to report even suspicions). Normal channels include, as appropriate, reporting to supervisors, reporting to security, reporting via an anonymous-capable hotline or email, etc.

In addition, I recommend specialized counterespionage education and awareness programs. One of the most important is a counterespionage program that is linked to travel security and includes a focus on business-spying threats, especially in high-threat locations.

Other important and valuable specialized programs include tailored training for receptionists, administrative personnel, human resources staff, IT staff, sales and marketing staff, research and development staff, operations staff, senior leadership, and security personnel. The more training each of these functions get that is geared toward the threats faced and the methods used for their job and location, the more likely they will be able to spot, report, and defeat the threat attempts.

It is worth noting that many companies like to “cover” their security education and awareness at the new employee orientation briefings, but then believe no additional training is needed. This is a serious mistake. While new employees should definitely be trained on the company’s counterespionage program, the training cannot stop there. For one thing, new employees have repeatedly told me they are on “information overload” at orientation and do not yet have the perspective they will have after being on the job for a while. Plus, threats are evolving and changing. Therefore, it is important that training not be limited to new employees.

Counterespionage training should be held for all employees on a regular basis, especially for those that have access to sensitive information. Additionally, specialized training should be given to functions that are commonly targeted during business-spying attempts. Of course, awareness training cannot stop at awareness. It must include what to do when employees suspect business espionage, which is where a comprehensive reporting program comes into play.

Business Espionage Reporting Program

As mentioned in the preceding section, awareness is important but it is of limited value if employees are not using that awareness to detect potential threats and to respond appropriately, reporting to the head of the company’s counterespionage program.

With today’s technology there are a number of potential ways to report concerns. Probably the most important aspect is that employees report anything with possible (not just “confirmed”) business-spying ties as quickly as possible to the head of the counter business espionage program. That can be by telephone, by computer, by text, etc. It is often good to have a special “hotline” that operates 24 hours a day, 7 days a week.

Whatever reporting methods you rely on, it is important that employees in the company know the telephone number, email address, etc., that should be used. It is also important to think about the potential for reporting anonymously if there is a fear of “getting involved” or “retaliation.” It is also important to think about the potential of alerting spies so they can cover their activities and possibly avoid being caught. The first objective is to learn of the concern, but if you can get the reporting individual or entity to think about how to report without alerting the spies, that is best.

For example, if you are concerned about someone monitoring the telephone system, it would be good to use a cell phone or another phone outside the office to make a call to the counterespionage contact person. Sitting at your desk and saying your office could be “bugged” is probably not the best way to make that concern known. Sending an email when someone believes the IT systems may have been hacked may also not be the best way to report a penetration concern. Once again, this requires education and awareness so that employees find it easy and a priority to report, and report their concern quickly and securely.

It is also important that the reporting methods be easy to use, allow for confidentiality, and be as timely as possible. These reporting methods should be widely known through education and awareness programs that include things like online and bulletin board posts, newsletters, sign boards, wallet-sized cards, pay statement notes, etc. They should also be integrated into all education/awareness presentations.

Travel Security Program that Includes Business Espionage Threat

This topic was discussed in Chapter 6, but the vulnerability of employees to business espionage as they travel is so important that it warrants being addressed in detail as a countermeasure. Currently a number of companies are concerned enough about their employees’ safety and security that they have a travel security program in place to educate employees about travel to areas where physical threats might be high. There are a number of companies that provide travel security information to their traveling employees, which includes daily summaries of threats around the world. These services normally address threats from terrorism, civil disturbances, crime, even weather and health, but I can say that none of the top 10 (by volume of users) security daily reports/travel security programs address business espionage adequately. Most never address business spying at all, and those that do, do it very infrequently and incompletely. Usually it is included in a “special report” if addressed at all. While these services would quickly report a drive-by shooting or suicide bomber and have also become good at reporting certain IT losses, travelers have no idea whether their hotel room could be bugged and searched or if their driver might be recording their internal conversations. They do not know if the company they are dealing with and the hotel they are staying in are working together with government intelligence services to steal any and all business information. The bottom line is this: If you do not have a travel security program that specifically evaluates the business espionage threat and provides examples and updates, you should get another travel security program service and make it clear that information on the business-spying threat is one of your requirements. Educated customers will force these travel security information providers to do what they should have been doing all along, which is to prepare travelers for the substantial business espionage threats they will face when they travel.

Closely linked to and sometimes overlapping the travel security program is the importance of requiring all employees to get advance clearance of any papers written/published and any presentations being made in any forums around the world. If travel to an international forum is approved and the information to be presented is cleared, it is still wise to put the conference or program into a business-spying context and make certain the employee knows that this is a forum where someone could attempt to elicit further information from him/her. This kind of preparation is important to help deter and prevent effective business-spying targeting.

Executive Protection

Also closely linked to the counterespionage travel security program is any executive protection program the company might have. Executive protection programs also tend to focus on physical security and protecting executives from physical threats, but it is also important to understand that senior executives will be attractive targets for business espionage, including their executive offices, their homes, and their aircraft, vehicles, or hotel rooms when traveling or in transit. Since all of these provide an opportunity to spy on a company executive and gain knowledge of sensitive information it is important that counterespionage be incorporated into executive protection programs.

A TSCM (technical surveillance countermeasures) sweep for listening devices could be as important as a bomb-detection sweep. All the concerns about working from home, IT security, and trash covers apply to the executive’s home and especially to his/her vehicles, aircraft, and hotel rooms. Incorporating counterespionage measures and education/awareness training is an important part of executive protection. Executive protection is not just protection from physical harm, but protection from any potentially adverse acts or results that involve the executive.

All too often, security is afraid to approach senior executives with this kind of threat-awareness information. Yet senior executives may be some of the most significant sources of extremely sensitive information. Therefore, if your executive protection program is all about “bodyguards,” it is probably not that skilled in protecting sensitive information from compromise, which is a major vulnerability in an executive protection approach.

Clear, Demonstrated Senior Leadership Support

One of the most important things that can make a counterespionage program more effective is to make it clear that the most senior leadership of the company supports the program and agrees it is vitally important. Letters, emails, and videos or opening remarks by the CEO and/or president or a similar-level senior leader are very important because they convey a message to the entire company about the importance of protecting the company’s business secrets.

If the senior leaders (CEO, president, etc.) refer to some of the specific counterespionage security measures that are important, employees will take notice. For example, when company security procedures dictate wearing the company identification badge and challenging those without one, a CEO who prominently and always displays his/her ID badge and challenges people not displaying their badge will strengthen the security of the company by doing so. If, on the other hand, the CEO or president says “everyone should know me” and refuses to wear his/her company photo ID, most of the staff will decide they do not need to wear their IDs either. In no time the policy/procedure will be worthless. While most senior leaders will provide some level of verbal support, this is not a true investment of time and effort, and it also communicates loudly and clearly to staff that the counterespionage program is not that important.

While this is not a terribly expensive part of an effective program, it is a symbolically important and essential step. I call it the blessing or mandate “from on high.” It is important for an effective program, let alone for protecting the sensitive information executives routinely deal with.

Identifying and Properly Classifying Sensitive Information

It is important for those of us in security to understand that in order to run an effective and efficient business, information must be exchanged within the organization and with partners, clients, and suppliers. However, this does not mean that every bit of information in an enterprise should be equally shared with all other entities within or outside of the company. Remember the security principle discussed previously: You cannot protect everything, so it is important to determine what is important and warrants protection, which is closely linked to the potential adverse consequence if the information were compromised (there probably should be several levels of classification of information and data).

In the U.S. government/military there are four major classification categories:

1. For Official Use Only—for internal use but with limited damage if compromised; minimal controls.

2. Confidential—information whose unauthorized disclosure could cause damage to national security and must be protected.

3. Secret—information whose unauthorized disclosure could result in serious damage to national security and requires a higher level of protection.

4. Top Secret—information whose unauthorized disclosure could result in exceptionally grave danger to the nation and requires the highest levels of protection.

While there were once special categories of top secret information and caveats such as “no foreign release” or special code words attached to some information, the gist of these major categories relates to potential damage to national security. Classifications used in business should be similarly based on the potential damage to a business.

Several companies I have dealt with have used the same three categories—confidential, secret, and top secret—with an emphasis on the degree of danger to the enterprise’s business. Another company I have worked with uses three categories that are linked to the potential adverse impact on the enterprise if the information were compromised; they use “high business impact,” “medium business impact,” and “low business impact,” which are self-explanatory. Yet another company uses: routine (meaning it is already known and is open-source data), vital (meaning it is important and the loss would hurt but the business could survive), and critical (meaning that the success and future of the company is directly linked to this information). This has allowed this particular company to focus on protecting its most critical sensitive information in terms of the adverse business impact.

In all of these examples, the focus is on the potential adverse impact if this information were compromised/lost. Would there be some damage, serious damage, or exceptionally grave damage? Answering that question is the key to determining the classification level. Then, of course, any documents or materials should be marked accordingly and the protection afforded should increase as the criticality goes up.

Some companies have come up with other terms that are linked to legal terminology such as “trade secret” or “proprietary information.” It is not important what label you put on the information as long as it reflects the value and sensitivity of the information and its potential adverse business impact if compromised. However, it is important that the meaning of each label is known throughout the enterprise. It might be helpful to work with a law firm that has both the personnel and intellectual property expertise to come up with the best terms and caveats for your particular business enterprise and country of origin.

The objective is to be able to determine what information you must protect from competition and then to focus on the highest level of protection to help prevent the most potential adverse business impact. Protection must include limiting the number of individuals who have access to highest business impact information and what protection must be given to those handling and using that information. Obviously this also means including the classification and protective measures in your counterespionage education and awareness program.

When you go through the important process of determining which of your assets have the biggest potential adverse business impact if lost, this is also an ideal time (and this should logically be a part of the determination process) to determine and assign a value to those assets. How much is the information or asset worth? How much research and development time and cost was invested? How much marketing will be/has been invested? How much have you spent to protect this information/asset? What would be the amount of money you could lose in business if a competitor had this hard-earned information and used it to compete with you? Knowing the value and having a process to determine that value is important because it is required by some state and federal laws (i.e., for trade secrets to be valued). It also can help you decide about the cost/benefit for protective measures. As we have said before, you do not want to spend more for protective measures than the information/asset is worth, but if, for example, protecting an asset costs US$50,000, but it is valued at more than US$50 million, there is a pretty clear cost/benefit rationale for investing in the protective measures needed to do so.

Another important aspect of this process is that many of the criminal and civil protections provided in jurisdictions that have such protection require that information/resources compromised be properly marked/identified legally to qualify for this protection.

The key is to have a process to identify, and then regularly review and update, the sensitivity and value of business information. As business decisions are made to invest in research and development, new products/services, new locations, new manufacturing sites, mergers and acquisitions, etc., it is important that these business decisions are properly evaluated in terms of value and sensitivity. All resources, and associated information, should be protected according to their potential adverse impact and cost to the company. This includes government and regulatory requirements. All of this should be done upfront and not after the resource has been compromised or valuable information lost.

Include in Business Continuity/Disaster Recovery Plans

Just like business travelers who are prepared for traditional physical security threats such as terrorism, theft, workplace violence, severe weather, or natural disasters, many companies have some kind of business continuity and disaster recovery plans in place. However, most of the plans I have reviewed do not address the potentially catastrophic losses that can occur if business espionage succeeds and the company’s most sensitive information and trade secrets are lost.

It is important that business continuity and disaster recovery plans incorporate business espionage threat and make disaster recovery and business continuity plans to address it should it occur. This kind of planning will also help to drive home the importance of making every effort to prevent a successful business-spying attack because the consequences and adverse business impact will be addressed beforehand. This is where decisions can be considered regarding legal recourse or working with authorities for possible criminal prosecutions, if that option is available.

Conduct a Holistic Risk Assessment

One of the best ways to start building a good counterespionage program is to avoid the temptation to just start “throwing” security measures out and implementing them because “that’s what security does.” The typical security response is to get a few guards, put up a fence, install CCTV cameras, and institute some type of access control. Another common tactic is to use security measures that other companies have implemented. Instead of those approaches, when determining the countermeasures needed, start with a good, solid, holistic risk assessment that addresses all threats, including business espionage and the likelihood of its occurrence. Then look at established company standards and do a vulnerability assessment that addresses physical, personnel, and IT security in a synergistic manner. Finally, do a consequence/business impact assessment and know what and where the most sensitive information is located. Protect that first and foremost. When you put all of these components together into a risk assessment, you can design a countermeasures program that will be effective for your particular business. While your security program should be tailored to your particular circumstances, remember that it will only be a “snapshot” of the time it was done. Threats, vulnerabilities, and consequences are always changing, so you will want to do risk assessments on a regular basis. Do not accept anything less than a complete risk assessment that addresses all threats and their likelihood of occurrence, any gaps and vulnerabilities present within the company, as well as the possible consequences.

Well-Constructed, Comprehensive Security Policies and Procedures

It is important to have good, sound security policies and procedures as one of those fundamental building blocks to a good counterespionage program. In this context security policies will be formal, high-level statements or plans that embrace the goals and objectives of the enterprise. These include concepts we have addressed such as the principle that every employee is responsible for organizational security, as well as the idea that the least access necessary to conduct business is the best. To establish and promote these goals and objectives, you need policies, standards, and procedures in place.

Policies are mandatory and are defined by standards. Standards, in turn, are mandatory actions or rules. Finally, procedures are the steps taken to accomplish a policy goal. Procedures are the “how to” for protecting information and assets. All of the categories of security should be specifically addressed, and the policies and procedures should include at least: access controls, registration of visitors, escort requirements, issuance, revocation and wear of identification, key control, property and removal controls, trash removal, information destruction, IT controls, information marking, classification, lock-up requirements, clean desk requirements, due diligence of business partners, hiring and termination procedures, background investigations, and security education and awareness training (new employees and recurring, specialized). These are some of the basic categories that should be addressed in an enterprise’s security policies and procedures.

Additionally, policies/procedures should address a travel security program and include a process for identifying and constantly reviewing/revising high-threat locations. Travel to any high-threat environment should be carefully considered; there should be a review and approval process and mandatory training to deal with the environment being visited. This might include advance briefings/training for travelers to high-threat environments and a debriefing of travelers returning from high-threat environments. The U.S. military and government have implemented these procedures since the Cold War days for any travel to a high-threat (in those days “Communist controlled”) country.

All of these policies and procedures should be reviewed and approved by legal counsel, and they should be regularly reviewed and revised as appropriate.

Create a Specific and Focused Information Protection Team

The company should also establish an entity, a kind of information protection team, responsible for the company’s information protection/counterespionage program. This team should be multi-dimensional and multi-functional. Some of the roles typically held on such a team include:

• Senior leadership representation

• Operations

• Legal

• Human resources

• IT (covering computer use, server rooms, telephone lines, mobile devices, etc.)

• Security

• Facilities

• Finance

• Procurement/Contracting

• Research and development (if appropriate)

• Event planners (if appropriate)

• Marketing (an opportunity to review all marketing materials, approaches)

• Sales

• Whoever is responsible for coordinating travel

Do Comprehensive Due Diligence of Partners, Suppliers, Vendors, and Clients

In its legal sense, due diligence focuses on shielding a company from claims of negligence. When it comes to information protection it is a different concept. Too many companies consider due diligence only when it comes to business partners, suppliers, and vendors as it relates to legal registration and finances. While these are important, they are not necessarily the only or even the most important aspects of due diligence in the protection of sensitive information. In this context, due diligence is the process under which prospective relationships can be evaluated with respect to the potential for adverse consequences. Before entering into a business relationship with another organization, proper inquiries should be made to determine the suitability of the partnering organization and its elements or associates. This is especially important because it generally involves some sharing of proprietary information. In fact, in my experience, a large number of losses occurred when joint ventures, outsourcing, or subcontracting were involved. All too often, the level of due diligence that should have been undertaken beforehand was only done after problems surfaced. In one case, when it was apparent there were some major intellectual property losses occurring, a client asked for due diligence on all their suppliers. We found that 75 percent of the suppliers were either owned by, or were affiliated with, their principal competitor. It is no wonder that company is not among the top in their industry and nearly went bankrupt in 2014.

At least seven types of information are warranted in due diligence as it relates to information protection:

1. Financial and performance metrics

2. Legal standing

3. Reputation including IPR violations, trade complaints, and export-control issues

4. Potential links or ties with firms that are competitors, have IPR violations, trade complaints, or export-control issues

5. Ties to foreign-owned enterprises

6. Information security experience and expertise

7. Willingness to commit to and allow unannounced audits for compliance to security standards

All of these categories, at a minimum, should be pursued in detail. This is more than the traditional due diligence done by most companies, but it will pay major dividends in preventing problems in the future.

Be Involved in Office/Site Location Selection

Closely linked with the due diligence concept for partners, suppliers, and contractors is doing a security risk assessment/due diligence on any office, production, or logistics related sites. While things like size, location, and price are obviously important selection criteria, it is also important to have information security and counterespionage elements involved in the selection process to ensure the company has considered all aspects and the total risk before making the ultimate decision on where they will locate. Additionally, it is important to have this aspect addressed in any contracts, requiring immediate notification if any listed competitor is expected to be in a building or on a site, at which point the contract would become null and void.

This is also true of selecting senior executive housing, expatriate housing abroad, meeting sites for important board, management, or sales gatherings and selecting law firms, accounting firms, and security or other service providers.

Since this is a dynamic aspect of business, it is important that this kind of counterespionage due diligence be ongoing and regularly reviewed to ensure there have not been changes, mergers, acquisitions, etc., that could impact information-related security.

Conduct Background Investigations/Personnel Security

It is also important to have a good process in place for conducting background investigations and other screenings for employees because my experience has shown that roughly 70 percent of problems encountered in business espionage involve or are somehow connected to employees and contractors. This process should include good background investigations and screening of employees that addresses issues potentially related to business spying.

Each location/jurisdiction might have slightly different laws and rules governing pre-employment and post-employment background investigations and screening, but ideally you should have an ongoing background investigation process in place. There should be regular background investigations of personnel with access to sensitive business information, because people’s situations and backgrounds change. Most places have security background investigation services that together with other security measures can be used to enhance security for all types of sensitive information.

Some of the minimum information that should be included in screening or background investigations includes:

• Criminal history checks

• Driving records and history

• Drug tests

• Credit history

• Employment history and education verifications

• “Developed” references, which generally have more credence than those an individual provides on his or her own

Have each reference the individual provides supply the names and contact information for five more people who know the subject of your background investigation. Consider asking for another three to five names from this second layer. By the time you get three layers out from the self-provided references, you probably have a good idea if there are any problems. Hopefully, human resources, working together with security and legal personnel and those responsible for information security, has processes in place so the company does not easily hire someone who is being “planted” in the company by competitors. Likewise, the company should not hire someone who, based on his/her background, poses a major potential threat for compromise. Screening programs have to take protection of sensitive information into consideration as a part of the hiring process, and those doing the screening must have training and expertise on how to evaluate background and testing results.

For example, it is important to include credit checks/investigation, whenever possible, in screening individuals who will have access to sensitive information. Credit checks and investigations can also uncover important clues as to whether job applicants/employees may be susceptible to recruitment through the MICE or CRIME principles (discussed in earlier chapters). Evidence of large credit card balances and late payments is frequently indicative of a lifestyle that exceeds means, something that often makes applicants/employees desperate enough to commit acts of economic espionage or other trade secret piracy in exchange for the monetary rewards offered to them by competitors and foreign governments. An analysis of credit card receipts/spending can sometimes reveal (a) behavioral proclivities of applicants/employees that may be exploitable through sexual entrapment and compromise, and (b) evidence of extensive travel that provides opportunity for agent recruitment activities (money, ego, or ideology) by government spy agencies, competitors, or professional investigators. It is worth noting that prior to allegedly disclosing the trade secrets of his employer (Avery Dennison) to Four Pillars, Victor Lee made a large number of trips to Taiwan under the guise of family business, academic speaking engagements, and consulting activities.1 Proactive monitoring of his credit card activities by security and/or finance personnel might have revealed the extensiveness of these travel activities and triggered a subsequent security evaluation. This might have permitted Avery Dennison to remind Mr. Lee of the legal responsibilities and potential penalties associated with failure to comply with his nondisclosure agreement. This could, potentially, have deterred his business-spying activities prior to the loss of sensitive information and trade secrets.

For those employees who will have access to the most sensitive information it is also worthwhile to consider “enhanced” background investigations on immediate family members as well. Especially in Latin America and Asia, family ties are among the most important relationships one can have. It is good to know if a father, spouse, son/daughter, etc., works for a government agency, competitor, or a company that supplies or contracts with a competitor. This can mean a potential conflict of interest and should be known and considered as a part of the hiring process, or can be discovered during the regular background checks of existing key employees.

Remember to also look at where individuals have lived and where they were educated. This can be one area to address in pre-employment interviews and investigations. Additionally, knowing that money is a motivator, also look for any signs of undue affluence.

There are also other screening tools that can be of value when personnel have access to critically important information. Integrity and other testing programs can be of value to lower the likelihood of hiring someone who should never have been given access to critically important and sensitive business secrets.

When screening is discussed, the use of a polygraph examination often comes up. Depending on where employees reside and their citizenship, a polygraph may or may not be a viable screening tool. While I believe it has limited value as a screening mechanism, I believe that with a good examiner, the polygraph can be a valuable tool in interviewing individuals about a specific matter.

In my experience a polygraph is only as good as the polygrapher administering the examination and interpreting the data. In reality, the polygraph is not invincible. Some experts will argue that you cannot “beat” a polygraph but you can “beat” an examiner. The bottom line to me, as a user of this tool, is that it should not be used as a major screening device, but it can be a valuable tool, where legal, in after-the-fact investigations and as a “deterrent.” It is always good to remember the famous comment that Richard Nixon, then President of the United States, made when he said, “Polygraph them all. I don't know anything about polygraphs and I don't know how accurate they are but I know they'll scare the hell out of people.”2

The overall utility of polygraphs in counterespionage programs is limited by the (a) validity of the technology, (b) legal restrictions governing their use, and (c) reactive manner in which they are frequently used by security personnel. In this latter instance, security personnel use polygraphs to identify people responsible for compromising trade secrets or sensitive information after the fact. When used in this manner, polygraphs cannot be viewed as an adequate substitute for comprehensive security approaches that actively detect business spying, but they can provide a potential deterrent and demonstrate that a company takes protection of their sensitive information very seriously.

Use of polygraphs in personnel actions has significantly declined due to the passage of restrictive government laws and regulations. In place of the polygraph, many companies have substituted the use of integrity testing. “Integrity tests are designed to help identify job applicants who are likely to engage in employee theft and other undesirable behavior, such as on-the-job violence, illicit drug abuse, and disciplinary problems.”3 These tests are designed to reduce the threats of business spying through the use of an honesty hurdle during the selection process. Integrity testing methodologies generally consist of two types of assessment tools: (1) An overt integrity test and (2) personality-based tests. Overt measures of integrity function by focusing on an individual’s proclivity toward dishonesty by determining, for example, their attitudes toward theft and the way they deal with evidence of prior theft. The Personnel Selection Inventory and The Reid Report are examples of this type of testing. Conversely, personality-based measures assess the degree to which an individual possesses various traits that are correlated with dishonesty, theft, or other undesirable behaviors. An example of this type of test is the Hogan Reliability Scale.

There are certainly some indications to support the validity of integrity tests for assessing an employee’s behavioral potential for theft, dishonesty, and other undesirable behaviors. A report by Sackett and Wanek in Personnel Psychology notes that respondent scores on integrity tests correlated significantly with an individual’s tendency to steal or be dishonest.4

Few jurisdictions have placed many restrictions on the use of integrity tests, provided that these tests meet requirements for validity and do not adversely impact protected groups. There is some limited evidence to indicate that there exist no significant differences in the response patterns of job applicants on these tests when compared across demographic groups.5 However, evidence does tend to suggest that integrity testing can provide organizations with a mechanism to proactively “screen-out” job applicants who may become a potential or subsequent problem when it comes to protecting sensitive information.

Address Resignations and Terminations

Resignations and terminations can be very sensitive situations, but from a counterespionage standpoint they are especially important milestones. As we have seen from our case studies, on many occasions individuals take information with them as they leave, especially if going to work for the competition. It is therefore important to recognize this threat and take as many precautionary steps as possible to limit the loss of information by those leaving the company.

There are several steps that must be taken for all termination/resignation situations:

• First, everyone who is leaving should be interviewed and “debriefed” to determine why they are leaving, and they should be asked if they are going to work for a company that is identified as a competitor.

• If an individual is knowingly leaving to work for a competitor or suspected competitor, it is important for HR and security to work with legal to make certain an appropriate cautionary legal document is sent to the competitor warning them about the consequences of using proprietary and classified information and trade secrets. Likewise, this should be communicated to the employee so they are thoroughly knowledgeable of what cannot be removed and/or shared with the competition. It would also include a review of what the consequences are if the employee violates this legal agreement.

• Then it is important to go back and look at what documents have been recently requested, what information has been downloaded, etc. A document inventory should be conducted and matched against sensitive documents the individual had access to or control of. It is recommended that interviews be conducted of colleagues to determine if the individual departing did anything unusual or suspicious.

• Finally, it is also important to block the access individuals have to company proprietary information in all forms. This might include physical removal of documents, an immediate stop to uncontrolled access (e.g., the access ID card is removed from the system), and an end to IT and email access, including the individual’s PC or laptop. It is also highly recommended that the company consider imaging the departing individual’s computer and other assigned mobile devices to see if there was any suspicious or unwarranted downloading or communication with the competition, which is best done by a business espionage expert.
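The document-inventory and access-blocking steps above lend themselves to a repeatable review. The script below is an added example, not the book’s own procedure: it takes a constructed document access log and a constructed registry of sensitive documents with their authorized users, reports what the departing employee downloaded, printed, or emailed within a look-back window, flags any sensitive document the person was never authorized for, and produces the list of credentials and devices to revoke. The registry, log format, user names and account identifiers are all assumptions for the example.

```python
"""Departure review for a resigning or terminated employee.

Added example (not from the book). Every record below is constructed for
illustration; real input would come from the document management system,
the identity directory and the badge system.
"""
from datetime import datetime, timedelta

# Constructed registry: document id -> (classification, set of authorized users)
SENSITIVE_DOCS = {
    "DOC-1001": ("secret", {"alice", "bob"}),
    "DOC-1002": ("high business impact", {"alice"}),
    "DOC-1003": ("confidential", {"alice", "bob", "carol"}),
    "DOC-1005": ("secret", {"bob"}),
}

# Constructed document access log: "timestamp,user,action,doc_id"
ACCESS_LOG = """\
2024-03-01T10:00:00,alice,download,DOC-1003
2024-05-01T09:12:00,alice,view,DOC-1003
2024-05-20T18:45:00,alice,download,DOC-1001
2024-05-21T22:03:00,alice,download,DOC-1002
2024-05-22T08:30:00,alice,download,DOC-1004
2024-05-22T09:00:00,bob,view,DOC-1001
2024-05-23T23:10:00,alice,print,DOC-1001
2024-05-24T07:55:00,alice,download,DOC-1005
"""

# Constructed inventory of what each person holds; used for the revocation list
ACCOUNTS = {
    "alice": ["badge:A-0042", "directory:alice", "email:alice@example.com",
              "vpn:alice", "laptop:LT-7781", "mobile:MB-0310"],
}

# Actions that move a copy of the document out of the controlled system
REMOVAL_ACTIONS = {"download", "print", "email"}


def parse_log(text):
    """Turn the constructed CSV log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "doc": doc})
    return events


def departure_review(user, events, registry, now_iso, lookback_days=30):
    """Return (removals, unauthorized) for the departing user.

    removals:     (timestamp, action, doc, classification) for every registered
                  sensitive document the user downloaded/printed/emailed in the
                  look-back window.
    unauthorized: (doc, reason) for registered documents the user touched but
                  was never on the authorized list for.
    Documents not in the registry are ignored; the inventory is about the
    sensitive material the person had access to or control of.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    removals, unauthorized = [], []
    for e in events:
        if e["user"] != user or e["ts"] < cutoff:
            continue
        if e["action"] not in REMOVAL_ACTIONS:
            continue
        entry = registry.get(e["doc"])
        if entry is None:
            continue
        classification, authorized = entry
        removals.append((e["ts"].isoformat(), e["action"], e["doc"], classification))
        if user not in authorized:
            unauthorized.append((e["doc"], "not on authorized list"))
    return removals, unauthorized


def revocation_checklist(user, accounts):
    """Every credential or device the person holds becomes one revoke/collect item."""
    return [f"revoke {item}" for item in accounts.get(user, [])]


if __name__ == "__main__":
    removals, unauthorized = departure_review(
        "alice", parse_log(ACCESS_LOG), SENSITIVE_DOCS, "2024-05-25T00:00:00")
    for row in removals:
        print("removed copy:", row)
    for row in unauthorized:
        print("FLAG:", row)
    for item in revocation_checklist("alice", ACCOUNTS):
        print(item)
```

The output is the starting point for the colleague interviews and the forensic imaging the book recommends, not a conclusion by itself: a download of an authorized document during a proposal crunch may be perfectly normal, while a single removal of a document the person was never cleared for is the kind of item the information protection team should look at before the last day.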

Access Controls

One of the more important physical security functions with direct applicability to protecting sensitive information and assets is the concept of access control. It is important to have good access controls, especially in areas where sensitive information is stored, worked on, and discussed. You want to do everything in your power to keep barriers between sensitive information and those who are not authorized access to that sensitive information.

While many companies “talk” about access control, not many have good access control systems in place. If you have unmanned, unmonitored doors there is a good chance they will occasionally be unlocked or propped open, and this compromises access control.

This is where the concept of “layered” security has special applicability. Access control is not just needed at the main entrance; access controls are needed at all entrances/exits. At the main entrance(s) there should be a secondary barrier to prevent someone from circumventing the initial controls. A minimum of two access control points should occur at each entrance. Likewise, there should be secondary and even tertiary barriers that further restrict unauthorized movement within a facility or complex. Those areas that have sensitive information in development, use, or storage should have further restrictions, and not all employees should have access to these areas. This is where the idea of need-to-know should be considered.

Depending on the sensitivity of information/assets, a company might consider special access areas, where there is strict control of anyone entering. No visitors would be authorized without special permission and special precautions being taken. Cleaning people, maintenance staff, even contract security might not be allowed in some of these areas, at least without a controlled escort. Some of these areas might warrant not allowing anyone in the area alone (a so-called “No Lone Zone”), which would mean a minimum of at least two cleared employees would be required within the area, especially if it contains especially sensitive information. It could also include mandatory intrusion detection system coverage/controls and some live, monitored CCTV coverage of entrances, walkways, etc., as appropriate.

Anyone given access to these special access locations should have specific prior approval. Historically it has been proven that if access is generally granted only by management, there will be those who take their role very seriously and some who will grant access to almost anyone for any purpose. By having an information protection team in place to review each access request, you are more likely to eliminate frivolous and high-threat access. This fulfills the “limit access” requirement and is obviously, by definition, linked to access control measures.

It is also especially important that the company have a strict “no tail-gating” policy and enforce it. I have seen a lot of very poor access controls and have exploited people “being nice” by not slamming a door in my face. Unfortunately, I should not have been allowed into the building/area. It is important to establish a culture that knows that no one is allowed to follow anyone in and each employee must use the card access reader and open/close the door. If this does not seem to be working, in spite of consequences for not following these rules, the company may have to use a turnstile to force employees to enter/exit one at a time, except during a fire/emergency. One way or another, access control must be established and maintained.

We have already mentioned the importance of restricting access for contractors and guests/visitors, as well as those employees who are terminated or who resign.

Secure Storage and Locks

In addition to access control issues, there are other physical security measures that can be used to protect sensitive information from potential compromise, including secure storage of sensitive information/assets, locked doors and solid walls, and locked storage containers or internal barriers that can delay or slow down an intruder or spy. Procedures for using secure storage and locks might include a security checklist that must be completed at least daily, or a container list that records each and every opening and closing/locking of each container. Some containers have “red” and “green” magnets or cardboard “flags” that highlight when a container is locked (green) and when a container is unlocked (red). This allows an inspection team to quickly spot if something has been left unsecured and highlights the importance of intervening to secure an unlocked drawer or container. Another requirement might be that any documents that are classified (e.g., “high business impact” or “secret” information) must have a colored cover sheet so anyone with temporary access cannot look at or read information that is printed or is on a computer screen. Again, it also highlights this information as sensitive and needing protection.

Importance of Information Security Manager(s) as Program Contacts

It is important to consider appointing “information security managers” in the various business units that handle and control sensitive information. These individuals, and their alternates, can be responsible for regular checks to ensure that all personnel are properly marking, handling, and protecting sensitive business information. This is very different from an IT information security manager. This general information security manager is the interface between the business functions and the requirements to protect information, whether those requirements come from corporate security or IT security.

These individuals can also assist in checking and ensuring that when individuals leave their desks or work areas, they have properly secured/protected sensitive information. This is the impetus of “clean desk” policy/procedures and is closely linked to IT policies/procedures that have automatic screen savers, time log-outs, and screen covers/filters. Information security managers can be an invaluable set of eyes and ears and an invaluable source of information on best and required security practices. With specialized education and awareness training they can become the “eyes and ears” of the counterespionage program and an important resource for counterespionage expertise and questions.

Document and Material Destruction/Trash Controls

Some of the most significant losses occur in the most mundane manner—accidental compromise by individuals who are uninformed about protection procedures for classified information and/or are lazy. I have found extremely sensitive information in the regular trash thousands of times around the world. Unfortunately, this includes examples of the U.S. military where I found, to my amazement, “top secret” material from every single division in the regular trash. In the corporate world the numbers are off the charts.

I have found at least a hundred electronic shredders either unplugged or being used as a storage table with all kind of things stacked on top and blocking the shredding slot. In all of these cases the message was clear—people were not using them.

In China I actually met individuals who had, in the past, specialized in assembling and gluing together strips of paper from strip shredders to try and recreate documents. I saw the results of Iranian students doing this with documents from the U.S. Embassy in Iran when “students” overran the Embassy when the Shah was overthrown. There is even a current humorous television advertisement being used in the United States that shows a group of people urgently going through strips of shredded paper and finally assembling a child’s colored picture just as the manager’s daughter arrives and proudly notes her colored picture is on her father’s office wall. The truth is that if you can reassemble a colored picture, you can reconstruct any sensitive information that has been strip shredded. Treating all trash as potentially sensitive and having locked containers for all waste, readily available shredders/pulverizers, and locked dumpsters can help lower the threat to waste materials that have not yet been rendered unusable.

The bottom line here is that you must have a multifaceted program to protect sensitive information from being the target of a trash cover or dumpster dive. Rather than a strip shredder, you should always employ a cross-cut shredder or pulverizer that turns paper and electronic product into small pieces that are so mixed they are much more difficult to reassemble. It is important that these shredders be available in large numbers so they are convenient. Anything that is not convenient will not be used. If you have a so-called “centralized” shredder, it will not be widely used. Instead of having a centralized box for holding classified documents, do away with regular trash containers and put locked document holders at every desk and at every printer center. People are more likely to take their personal trash (cola cans, lunch boxes, used tissues, candy wrappers, etc.) to a couple of central regular trash containers than they are to use centralized classified document bins. Understand human nature and plan to protect information in spite of our natural character flaws. I recommend a cross-cut shredder at every desk where sensitive information is in document form or capable of being printed.

If you have a centralized document destruction program and a company that provides this service, do NOT allow that company to remove documents and destroy them off site. This totally defeats the purpose of classification, document, and access control. If there is any centralized document destruction it must take place under the direct supervision and control of trusted company information protection staff. This includes the removal process and the actual destruction. All destruction must take place on-site and under the direct control and supervision of trusted staff.

Too often staff hold documents in a box on or under their desk until they have a sufficient amount to take it to the document destruction container. It is essential that any document destruction container be locked (with a security lock) and be configured much like a mailbox so that once a paper or document is placed in the container, no one can get in and pull a document out of it. Spies know that if someone took the time to place a document or paper in a destruction bin, it probably was sensitive so these containers are magnets for business spies.

I highly recommend you drive home how important protecting and segregating sensitive information is by having security personnel check on desks and trash. Spot checks can be valuable at identifying and correcting problems. When doing the vulnerability portion of a risk assessment I often look at the “unclassified” general trash to see if there is anything potentially sensitive in the company’s regular trash containers. Seventy-five percent of the time I have been able to find sticky notes, printouts, or sensitive information in the regular trash. This is why business spies do trash covers and go through general trash. There are almost always “nuggets” of information carelessly discarded. I even did security test trash covers in the Air Force and, sadly, often found classified information in the general trash.

I have also conducted dozens of trash covers on behalf of companies. I will not do a trash cover unless I am in control of the reporting and can make certain I am not conducting business espionage when doing the trash cover for someone. I ensure that the business I am doing the trash cover for has a legitimate and legal reason for it. In these dozens of trash covers I have done, I have always been successful (over a reasonable time frame) in finding documents that, for example, demonstrate that a company has sensitive business information that originated with a victim company. I find it incredibly ironic that the very company that stole these business secrets originally is not protecting the stolen information and, instead of shredding or controlling destruction, allows the information to be uncovered in a regular trash cover.

Control of Office Machines

Since so many sensitive documents are printed on printers or copy machines, it is important to protect these from abuse or compromise. Since most office machines today have digital memory storage, it is important to prevent individuals from accessing them. This includes not allowing random remote access to the fax machine or copier via phone or computer lines; in addition, no individual should be permitted to remove the memory storage device without making certain there is no sensitive information stored on the device. It is also especially important to know how equipment is maintained. If it is a fax machine or printer, can it be remotely serviced? If it can, then information can be remotely downloaded. What about the service provider? Maintenance or repair of office machines must be closely monitored by knowledgeable staff if there is a chance there is sensitive business information on them.

Pro-Active Prevention Monitoring

One of the things that always amazes me is that employees can come into the office at odd hours, run up a huge printer/copier tab, download extensively, or email unusual addresses all kinds of sensitive documents and no one seems to know or care.

If security and management would use the tools often already at their disposal and monitor activities based on known modus operandi of business spies, they might often see an early “red flag” and reduce the damage and losses significantly. Even past spies have acknowledged that if someone was monitoring these activities it would have at least caused them to have second thoughts or take a totally different route (which, in many cases, would have meant substantially less loss).

Businesses should be encouraged to keep a record of which individuals are making how many copies and for what reason. Many businesses do this already, but security does not always look at the data, since most treat it as an accounting and financial issue. Excessive printing can also be a security issue. Security can work with management to determine whether there is a reason for it. Perhaps a major proposal is being drafted, but what if there is no logical explanation? If one individual is making 20 times the number of copies that his/her colleagues are making, this is worth investigating. Instead of just letting the access control records and CCTV recordings sit on a hard drive for after-the-fact investigations, look at the records in a pro-active and preventive manner. Why is employee Y coming in on weekends at night? Why is he entering zone Z when there does not appear to be any business reason for it? Why is employee A taking a box out at night? Yes, the majority of the time there will be a legitimate reason for this “unusual” behavior, but sometimes it will be an indicator of business-espionage-related activities. Such a tip could become the catalyst for an investigation that uncovers, and thus ends, business spying against your company.
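The review described above (print accounting compared against peers, badge records checked for weekend and after-hours entries into a sensitive zone, and the two correlated) can be done with a short script over the records most companies already hold. The following is an added example written for this chapter, not the author's own tool or any product: the log formats, employee IDs, zone names, business hours and the "20 times the peer median" threshold are constructed assumptions, and the sample records are invented to show one clear hit.

```python
"""Proactive review of print-accounting and badge-access records.

Added example: record formats, zone names, employee IDs and thresholds
below are constructed assumptions, not taken from any real system.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed weekly print-accounting export: date,employee,pages
PRINT_LOG = """\
2024-03-04,E101,120
2024-03-04,E102,95
2024-03-04,E103,140
2024-03-04,E104,110
2024-03-04,E105,3200
"""

# Constructed badge-reader export: timestamp,employee,zone,direction
BADGE_LOG = """\
2024-03-04T09:05:00,E101,LOBBY,IN
2024-03-04T09:10:00,E101,LAB-Z,IN
2024-03-09T23:40:00,E105,LOBBY,IN
2024-03-09T23:47:00,E105,LAB-Z,IN
2024-03-05T14:00:00,E102,LAB-Z,IN
2024-03-10T02:15:00,E103,LOBBY,IN
"""

RESTRICTED_ZONES = {"LAB-Z"}        # assumed sensitive area ("zone Z")
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-18:59, Monday-Friday
PRINT_RATIO_THRESHOLD = 20.0        # the chapter's "20 times" rule of thumb


def parse_print_log(text):
    """Sum pages per employee from 'date,employee,pages' lines."""
    totals = Counter()
    for line in text.strip().splitlines():
        _date, emp, pages = line.split(",")
        totals[emp] += int(pages)
    return dict(totals)


def excessive_printers(text, ratio=PRINT_RATIO_THRESHOLD):
    """Flag employees printing more than `ratio` times the median of their peers.

    The median of everyone else is used as the baseline so that one heavy
    printer does not inflate the baseline that is used to judge them.
    Returns a list of (employee, pages, multiple_of_peer_median).
    """
    totals = parse_print_log(text)
    flagged = []
    for emp, pages in totals.items():
        peers = [p for e, p in totals.items() if e != emp]
        if not peers:
            continue
        baseline = median(peers)
        if baseline > 0 and pages > ratio * baseline:
            flagged.append((emp, pages, round(pages / baseline, 1)))
    return flagged


def off_hours_entries(text):
    """Return every badge-in that happened on a weekend or outside business hours.

    Each event records whether the zone is one of the restricted areas so a
    reviewer can separate "came in late" from "entered the sensitive zone late".
    """
    events = []
    for line in text.strip().splitlines():
        ts, emp, zone, direction = line.split(",")
        if direction != "IN":
            continue
        when = datetime.fromisoformat(ts)
        weekend = when.weekday() >= 5
        after_hours = when.hour not in BUSINESS_HOURS
        if weekend or after_hours:
            events.append({"employee": emp, "when": ts, "zone": zone,
                           "restricted": zone in RESTRICTED_ZONES})
    return events


def review_candidates(print_text, badge_text):
    """Employees who both print excessively and enter a restricted zone off-hours."""
    heavy = {emp for emp, _, _ in excessive_printers(print_text)}
    late_restricted = {ev["employee"] for ev in off_hours_entries(badge_text)
                       if ev["restricted"]}
    return sorted(heavy & late_restricted)


if __name__ == "__main__":
    for emp, pages, mult in excessive_printers(PRINT_LOG):
        print(f"print volume: {emp} printed {pages} pages, {mult}x the peer median")
    for ev in off_hours_entries(BADGE_LOG):
        tag = "RESTRICTED" if ev["restricted"] else "general"
        print(f"off-hours entry: {ev['employee']} -> {ev['zone']} ({tag}) at {ev['when']}")
    print("review first:", review_candidates(PRINT_LOG, BADGE_LOG))
```

Most of the flagged events will have an innocent explanation, as the chapter says; the point of the script is to surface them for a conversation with management while the activity is still going on, rather than months later during an after-the-fact investigation. The thresholds and hours are the first things to adjust for a real site.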

Use of Tiger and Red Team Testing

One of the most important things a company can do to ensure it is maintaining a good counterespionage approach is to constantly monitor and test the components that make up the program. For some reason this is where companies are often weakest. They may repeat phrases like “continuous improvement” and “we must protect our information,” but very few companies actually mean it when it comes to security. Security is, in fact, one of the areas where testing can help determine a program’s effectiveness. When tests fail, there is an opportunity to enhance or improve security measures.

In one of our tests, it took the penetrating agent 20 minutes and repeatedly stopping employees and even security personnel to try to “turn himself in” and close the test. This is after he penetrated sensitive areas by simply wearing a lab coat and piggybacking. This is after he took multiple sensitive documents lying out unprotected and photographed the manufacturing process. The initial reaction of corporate security was one of shock and outrage. When they found out the penetrating agent used a lab coat that he bought at a local medical supply warehouse they were enraged and claimed the test was “unfair” because their security was designed to stop people wearing street clothing. After some serious discussions about the realism involved in the test, corporate security reluctantly agreed that the test had shown them a vulnerability they had not considered. They were able to make changes and enhance their access control.

I have personally managed to walk through dozens of offices and talk with dozens of people after either sneaking in or piggybacking on an employee. I took pictures and picked up documents. Most of the time I was never even questioned or challenged by any employee or security staff. In one instance, I was invited to an office party in the conference room. Yet another time, when walking out the front gate of a facility after getting inside by crawling, undetected, under the fence, I was challenged by a security officer. I thought to myself, better late than never. The officer told me that there were reports of a suspicious individual wandering around the facility and taking pictures. I told the officer I had seen someone dressed in all black and that I had wondered about that person too. I then told the officer I was going for midnight chow (it was 1 a.m.) and when I got back I would let him know if I saw this individual again. The security officer thanked me and let me walk out with my camera and a backpack full of documents and materials.

Yes…penetration tests, in fact tests of all kinds, can be of great value. They can let you know what is working and what is not working. In the latter case, testing allows you to make changes and improve your protection programs. It also gives you a measurable metric for establishing whether your counterespionage program is working or not, and drives home the point that company management takes protecting its business information very seriously.

In fact, in one instance we were told the company culture would not result in employees joining with security to enhance access control. Employees just did not care, according to both security and human resources staff. We helped them design a competitive test that involved how long it took each division in the company to identify and report an unauthorized intruder. After two tests, the entire office was on guard, and two weeks later security caught a known building thief after he was identified by staff who thought the intruder was one of the tests. In this case the testing program resulted in employees identifying a real intruder. This is how a program such as this can enhance your physical security.

Non-Disclosure, Non-Compete, and Other Legal Agreements

One of the defenders of intellectual property and trade secrets is clearly the legal department and they have some valuable tools at their disposal. Even though the effectiveness of such legal documents varies from jurisdiction to jurisdiction and from situation to situation, you have potential legal recourse if an individual violates a company’s trust, policies, and procedures relating to protected information.

One of the more important documents that can be required of any employee given sensitive information is a non-disclosure agreement. This document is especially worthwhile because it allows the company to specifically identify the kind of information being addressed, the manners by which this information is to be protected, and the consequences if the agreement is not adhered to. Non-compete agreements are also of potential value but each jurisdiction has some unique rules that your legal counsel will have to examine. One issue is whether the employee resigns or voluntarily leaves, is terminated for cause, or was laid off. In the latter case, you might obviously have less latitude. But the non-compete is a potential legal tool that could be used when an employee or someone with authorized access to your sensitive business information abuses that access. Another legal document that could be of value in dealing with business spying is a signed requirement that any technical papers, publications, or presentations that involve a company’s sensitive information need to be approved by the company, in writing, before the information can be used. As we know from our case studies, there can be willful and accidental compromises of sensitive business secrets in these situations and this provides the company with an opportunity to discuss the situation and perhaps prevent an accidental or deter a willful compromise.

All business partners should also be required to protect your legitimate sensitive business information. Confidentiality clauses should be placed in all business contracts. This includes those involved in development, manufacturing, parts production, and even service providers.

Of course, none of these legal steps will absolutely prevent business spying or losses of sensitive information such as trade secrets, but having these legal agreements in place can provide you with one more defensive weapon. These tools also help to deter and show others the company is serious about protecting its business secrets. Using these tools can also help define trade secrets and other sensitive and controlled business information in the process of creating them.

Limiting Where/How Company Information Can Be Worked On or Discussed

It is important that there be some restrictions on where sensitive and protected company information can be discussed and worked on. In most cases classified sensitive information should not be worked on in a forum or venue where unauthorized persons might be able to overhear or oversee that sensitive business information.

These protective restrictions should be specifically covered, with examples, in legal employment documents, company security policies/procedures, and in security education/awareness training. There should be no question in an employee’s mind that there is no excuse for working on sensitive information in a public venue where it can be overheard or overseen. This includes talking business secrets on a phone in places like restaurants, bars, hotel lobbies, airplanes, airport lounges, or in chauffeured vehicles or taxis. The list could go on and on, but the important thing is to get people thinking about how easy it is to overhear or to see something on a paper or computer screen when you are, for example, sitting right beside someone.

Since I travel a lot, I see a lot of things on computer screens in airplane seats or lounges. I also overhear some incredibly sensitive information being discussed on phones. While I can only hear one side of the conversation most of the time, what is sometimes loudly blurted out is shocking. It is clear that people are not thinking about the threat. My staff and bosses do not even mention my working on a company report or document while on an airplane, because they know the risk. Clearly it is important to make certain employees understand business-spying threats through good education and awareness training and to ensure they are sensitive to all the different environments or ways that information could be accidentally compromised. It is also important to discuss home offices, business centers, hotel lobbies, and many other venues where it might not be appropriate to work on or discuss sensitive business information. There are even some places in the office where it might not be appropriate. For example, in smaller offices visitors can often overhear conversations in cubicles within hearing distance from the chairs or couches where they wait. Another example is visitors and cleaning/maintenance/security staff walking through areas where whiteboards and computers are clearly visible to these people who do not need to know such information. After a secondary barrier of sound baffling was added to an office I consulted with, a newspaper reporter was waiting in the reception area and, as he was escorted back to executive offices, made the comment that the company’s security was like that of a secret government agency. Since the security measures were based on my recommendations, I took it as a compliment.

Develop Special Measures for Marketing and Sales Staff

Some of the most vulnerable parts of any company, when it comes to business espionage, are members of the sales and marketing staff, since they are all about getting the word out about products and/or services and are very knowledgeable about what is going on within the company. This staff is also very vulnerable because even a novice in social engineering can manipulate most sales and marketing staff into providing some sensitive business information. All you have to do is appear to be an interested potential customer with money to spend and the sales/marketing teams will be doing their best to win you over, which is an ideal way to elicit information.

Because sales and marketing people are all about getting information out to potential clients and the world, they are not the best at keeping business secrets. Some may give up key details, scheduling information, product and manufacturing specifications, and new products/services in development. But if they receive training on the threats to their profession, the modus operandi used against marketing/sales staff, and they see that senior management in the company expect them to protect their business secrets, this can be changed. It is important that the sales and marketing staff of a company are actively involved in protecting sensitive company information and resources.

Create a Company Security Culture

One of the most frequent things I hear is that the company culture is just not conducive to effective security. When I hear that I cannot help but wonder if that company “culture” will mean the company will not be around in another 10 years, when all of their business secrets are gone.

Company cultures can be developed and refined by company leaders. Is there sometimes an ethnic/country or regional influence? Of course, but even that can be taken on and changed if leadership charts the course and if employees understand “why.” It may not be instantaneous, but a company culture can be changed and refined to make it more security conscious.

I have lived and worked in 12 different countries, worked in 63 countries, and in all 50 states in the United States. Every place I go I find there are cultural differences. Having been a consultant in many hundreds of companies all around the world, I am very sensitive to existing cultures, but when threats emerge and people give up implementing important countermeasures because the culture “won’t accept it,” this is a sign of bad leadership.

For example, I was talking with a company in Asia about a lack of security culture. The senior management told me it would just never happen because the employees did not like security. I had noticed that the company had an amazing culture of safety. Employees were wearing hardhats, safety glasses, reflective vests, and proper footwear. I mentioned that this was also not “cultural” for the environment. The leaders said they were forced to implement it by their corporate headquarters and it had been very difficult for them. I told them it was obvious that they had come a long way toward changing to a good safety culture, and they just needed to take a similar approach for security. They groaned.

Another company told me that their employees would not support security standards and would not report security issues because of their culture. I suggested we get representative employees involved in developing the standards and even the penalties. The company leadership told me it would not work, but finally gave in, while warning me it was a waste of time. The first half of the first day was slow, but once employees understood the potential adverse impact on themselves and their colleagues, they began to participate and soon we had standards and penalties that exceeded those in the home country of the company. We got there because we guided the employees to overcome their cultural barriers. It can be done but I’ll admit it is often not easy.

If employees understand the real threats out there and how those threats can adversely impact them and their job and pay, they tend to be more receptive. A lot of it depends on how it is presented. If it appears that the security measures are being implemented because the company does not trust its employees, the response from employees may not be very favorable, but if employees believe the security measures are designed to protect them from any suspicion, as well as to protect their job and both their own and the company's future, they are much more likely to be supportive.

I recommended that a company consider CCTV coverage that would monitor people working with a very sensitive, critical resource. Company leadership told me employees would never tolerate that kind of monitoring. When there was an incident and it appeared a compromise had occurred at the site, we were forced to ask some hard questions of employees. Employees became quite upset, but they also agreed that the circumstances left the company little choice but to draw the conclusion that something happened in their area. I mentioned that if we had CCTV coverage monitoring them they could have been cleared immediately. The innocent ones went, en masse, to leadership and demanded a CCTV camera be installed immediately or they threatened to resign. The key was to stress that the camera would provide exculpatory protection. That changed the culture from one of resenting CCTV monitoring to one that demanded it.

This is an important change that starts at the top. It is important that a company develops and maintains a culture of security. If a company actually has a culture that encourages good security measures, that company will not be a lucrative target for business spying. This is the culture I want to encourage you to develop and nurture.

Liaise with Counterespionage Government Agencies

It is important to be aware of the latest business espionage threats, and government agencies that specialize in countering hostile intelligence services can sometimes help you better understand the threats present in a particular location. Generally speaking, many private company security elements are reluctant to work too closely with a government agency for fear that a possible compromise can end up on the nightly news and damage the company’s reputation. The other concern is that government agencies want companies to share with them but are less willing to share information with private companies. These are valid concerns about some government counterespionage agencies, but I have found that these agencies can also be good partners, depending on the staff you deal with within the agency. With that in mind, it is worth meeting with their personnel and evaluating the agency as a whole. The potential benefits can be worth the effort.

Offensive Counterespionage

While most of the countermeasures covered thus far have been what I would term “defensive” in nature, there may be a time when “offensive” counterespionage countermeasures are warranted. A company should not automatically rule out such an approach. An “offensive” counterespionage program is activated when it becomes apparent that a business espionage operation is underway and the spying entity is using known business espionage techniques. If an electronic eavesdropping device is used or a driver or cleaning staff member is eavesdropping on conversations, then it is possible to consider passing incorrect information through that spying source. If a competitor or government is conducting a trash cover, throw a document into the trash that is false and misleading, one that could tie up the spies and/or mislead them. If a competitor is trying to hire away or recruit an in-place spy and their method is detected, consider allowing them to “recruit” an internal spy and pass them incorrect information. If a traveler’s room is bugged, consider a staged telephone call or staged discussion to mislead whoever is doing the monitoring.

This technique has worked for me on multiple occasions, and has been especially effective when someone is trying to get pricing or bidding information. It has also been used when a particular manufacturing technique does not work but documents and information are passed that cause the competitor to go down an expensive dead-end road before they discover they have been tricked. Such pro-active, offensive countermeasures can cause business spies to question every bit of information they get and often cause them to withdraw and become very circumspect in targeting a particular company for business spying.

Summary

The threat of business espionage is so widespread and has such serious potential consequences that it is worth dedicating some security resources to protecting a company’s most sensitive business information from compromise.

It is important to understand that good, basic physical and personnel security measures that can protect you and your employees from theft and robbery, workplace violence, or any number of other security threats also play an important role in dealing with the business espionage threat. But from the recommendations in this chapter it should be clear that all physical and personnel security countermeasures are linked to the business-spying threat and the modus operandi used by business spies, which means that traditional security measures need to be expanded and adjusted to incorporate the lessons learned.

If you implement some of these recommended countermeasures you can dramatically lower your vulnerability and, thus, risk exposure to business espionage. This, in turn, can then strengthen the business and make investments in research and development and new strategies more valuable and worthwhile.
