When most of us think of spying, we think of popular characters such as James Bond or a John Le Carré novel – state security teams snooping on and battling belligerent states or terrorists.
The availability of modern surveillance technology, however, means that any organisation or individual can ‘snoop’ on people or information of interest and commercial espionage is big business. Counter Surveillance is no longer just the stuff of spy fiction, it is something that every security manager should be aware of.
The Value of Data
We live in an age where data and intellectual property can be extremely valuable, even invaluable. It could be commercial information, such as financial trading or business changes that can affect share prices. It could be expensive research or valuable ideas. It could just as easily be theft of the latest blockbuster movie or hit TV series before it is released.
Most businesses are also entrusted with the data of their customers, be that financial details or personal information. Think about an insurance business for example - consider all the personal data held on its systems. With the imminent arrival of GDPR, there is an ever-greater focus on keeping data secure from theft and safe from prying eyes.
Security of Devices
In the past, the target for many commercial espionage attacks was online systems. This is still the case today, but the use of effective firewalls and network security has made it much harder to target well-managed systems.
There is now a greater focus on infiltrating mobile devices, which can represent the weak point of any secure network. It is vital that mobile devices are properly protected on a software level, but also kept safe physically. It is all too easy to leave a device in a public place or on public transport where it can be stolen or infiltrated.
When staff travel outside the country of operation, it is worth remembering that network security can be compromised by various groups, especially in territories with inherent security risks. Using an unsecured Wi-Fi connection, for example, can be problematic and leave sensitive data at risk.
If you suspect a device has been infiltrated, it needs to be treated as if it were a spyware device. Disconnect any network connections, power it down, ensure the camera lens is blocked and don’t discuss anything sensitive around it (just in case recording is taking place!)
The Role of Physical Security
Access control systems play a vital role in combatting commercial espionage. Whilst there is a great focus on shoring up IT/IP and communications systems, it’s equally important to ensure nobody gains physical access to facilities too.
Any sensitive areas must be well protected, such as office work areas (with access to PCs, laptops and smart devices) and perhaps more importantly, any server facilities or IP network equipment. For a trained infiltrator, these could be key areas to access your data or implant technology to spy on your communications.
It’s very important to have a rigorous security regime in place as well as the technology. Security teams need to be vigilant to potential intruders or suspicious activity. They need to understand how intruders can ‘tailgate’ authorised people and ensure that all these potential loopholes are closed.
The whole organisation and its teams need to be alert to potential dangers. For instance, it’s very easy for workers or cleaning staff to inadvertently let people through secure doors out of politeness, or a seemingly abandoned USB stick could be checked for data and malware secretly embedded on the network.
Much like international espionage, commercial spying can employ any number of devious tricks to infiltrate security!
Naturally, effectively countering potential commercial espionage depends upon the organisation, its needs and the potential threats it faces.
The most sensitive information should be stored in a high-security data centre. Sensitive discussions shouldn’t be made over unsecured lines and should only be held in rooms/areas that have been checked for unwanted surveillance equipment.
Even a smaller/more modest business that stores its data in a shared data centre may want to employ physical locks on its server racks to prevent theft or tampering.
Securing highly valuable or sensitive data/items may involve seeking help from specific counter-espionage experts – an organisation such as the TSCMi (Technical Surveillance Counter Measures Institute) can offer further advice on professional assistance.
Whatever the need, it is important that any organisation’s security team considers the threats and potential implications of espionage and employs the best security it can to protect itself and its customers.