Data theft and industrial espionage
Knowledge is power and the unscrupulous are stooping to ever-new lows to steal a march on their competitors. Justin King, from C2i International, explains how you can stay one step ahead.
Knowledge is power and the unscrupulous are stooping to ever-new lows to steal a march on their competitors. Snooping for advantage is a well-known practice in politics and diplomacy - Kofi Annan being the latest high-profile victim - but such activity is becoming more prevalent in the commercial world, enabled by more affordable technology and a glut of unemployed eavesdropping experts from the eastern bloc.
We've all heard the accusations that the US is using its Echelon eavesdropping network to spy on European companies on behalf of domestic firms, but it's not confined to the biggest players: nearly half of fast-growth companies in the UK suffered information breaches or spying over the past two years, says PWC.
Businesses which generate valuable proprietary data and those operating in highly competitive fields are most commonly targeted. Within this group, fast-growing companies with their attentions elsewhere are the most vulnerable: they can all expect to be the subject of competitor intelligence work carried out by rivals, but it takes a shift in mindset to guard against the kind of underhand tactics deployed by some.
There are a number of precautions which can be taken to minimise the chances of important information falling into the wrong hands. The first step, however, is to realise the biggest threat isn't from external agents. Controls on physical access and firewalls, whilst a necessary part of the security mix, aren't in themselves sufficient to safeguard data.
In reality, most security breaches are internal in origin and low-tech in nature. A recent survey (by forensic recovery specialist Ibas) revealed 70% of people have stolen key information from work. Whether such activity benefits competitors depends on the individual or group's motivations which can range from pure opportunism to financial gain or revenge. It's not unusual even for love gone sour to be a factor.
There are a number of straightforward measures which can minimise the risks, in the context of an overarching security strategy.
Everyday waste generated by a company can contain important information, which can be extracted by experts not intimidated by normal shredding. Many organisations need to consider cross-cut shredders and burn bags. Even with these precautions, waste removal still needs to be closely monitored.
Clear desk policies are often required to keep sensitive information or carelessly placed computer disks away from cleaners and other facilities management staff. Other policies relate to the kind of devices allowed on premises: Samsung banned the use of camera phones on its premises to prevent industrial espionage. Furthermore, it's sensible to control the use of physical copying devices including CD writers.
Access to areas such as the telecommunications room needs to be monitored and controlled: access codes need to be regularly changed and access approval constantly reviewed. We also often recommend installing inexpensive and discreet tabs which pass across the join in a phone's casing. If they are broken, chances are an attempt has been made to place a bug on the phone.
Organisations might want to adopt procedures such as drawing blinds or screens when discussing certain very sensitive topics in boardrooms, to guard against information theft by means of lasers which 'read' vibrations caused by speech.
Regular bug sweeps should be undertaken at odd hours - it is possible to buy an anti-bug pen/wand to do this yourself. Keep it in your top pocket and all you have to do is glance down to see if the top is illuminated - alternatively extend the aerial and quickly sweep a room for bugs.
Eavesdropping devices are available on the high street and come in a variety of forms to blend into an office environment. One example is the microphone mouse, which looks and feels like a regular mouse but transmits every sound for metres around to a receiver which can be a couple of miles away.
Other devices include key-stroke recording keyboards which have been used in at least one high-profile case to catch out an FBI mole. After analysing the data they supply, it's possible to pick out typed passwords. Recording briefcases can, for example, be left in a meeting whilst excusing yourself, to hear what your contacts are saying. Furthermore, microphones and cameras can be hidden in anything from radios to wall clocks, sockets and smoke detectors.
Finally, regular updates from security staff should keep employees aware of the risks whilst training should be provided to point out how to safeguard information, both personal and commercial. It's often the most routine activities which provide the crucial access point for data thieves: we conducted a risk assessment where it transpired a CEO was unaware that his communications were being intercepted whilst in transit and at his holiday home abroad.
It's far better not to have to shut the door after the horse has bolted: having overt policies in place is often the best way to deter data thieves and demonstrate to competitors and errant employees alike that such activity won't be tolerated.