Risk and Threats

Information Gatherers

When your competitor uses information gatherers (also known as competitive intelligence professionals) to work against your organisation, they should abide by local legal guidelines and ethical business standards. Competitive intelligence is an ethical and legal business practice, as opposed to commercial espionage, which is illegal. Regardless of this, there are thousands of information gathering firms, including surveillance providers, private investigators and “all-inclusive” TSCM companies, which cross the ethical line and engage in commercial espionage, the dark sister of competitive intelligence. These organisations have at their disposal surveillance equipment and methods to appropriate sensitive and strategic information from your business, giving your competitors the upper hand.

Internal Threat

80% of information is lost through humans. In businesses, one of the highest causes of the loss of confidential information is internal employees who accidentally mention sensitive information, or gain access to confidential information that they are not entitled to. Although employees have a duty to their employer and in most cases have signed confidentiality agreements, in reality these are often not implemented. This results in dilution of employee obligations, and sensitive information can, largely unintentionally, be passed to friends, family, competitors and unauthorised parties, causing a loss to the organisation. Disgruntled employees are a particularly high threat, as they have almost undetected access with which to obtain confidential information, plant devices and spy on the business for their own gain, or for the gain of competitors, unions, foreign governments and other interested third parties.

Third Party Threat

Most major organisations outsource some or all of their business services, which range from basic maintenance to highly skilled operational tasks. Having third party employees within your office environment, in most cases working in your building outside normal working hours, exposes the business to another level of risk. This provides access to confidential areas, where information can be copied and bugging devices planted for the purposes of information theft from the organisation. Your information is further vulnerable through third party offices that retain some of your information in their systems.

Social Engineering

Social engineering is the exploitation of human relationships to gain valuable information by deceiving people, a process that requires a lot of social skill, deception and persuasion. A successful social engineer can extract confidential information from an unwitting and unprepared employee without them acknowledging they have been deceived. They exploit social and psychological behaviour patterns – turning human nature against us. We generally aim to encourage positive experiences in our social interactions, and our endeavour to please and be helpful makes us vulnerable to manipulation.

The technology used for commercial espionage changes so rapidly that only professional service providers are able to adequately keep up with the developments in the surveillance market. Although there are thousands of different bugging devices, the types of attacks outlined here illustrate the key technology most commonly used by information gatherers in corporate environments.

Transmitting Attack

A transmitter is an electronic device that communicates information using an antenna and radio waves. These devices are very popular among information gatherers, as transmission enables conversations to be received from a distance. A transmitter can be as simple as a mobile telephone or baby monitor, or as comprehensive as a bugging system designed for professional large scale intelligence gathering over a long period of time. In most cases, transmitting devices are quick, cheap and easy to deploy, and therefore perfect for an unnoticed and undetected attack.

Recording and Storage Attack

The biggest threat here comes from all portable communications devices, such as mobile phones, notebook computers (tablets), answering machines, Dictaphones and any other item with a microphone, which are designed to record and store conversations. Whilst most people hardly notice the existence of these everyday devices, they are most likely to be the first used by information gatherers. Recording devices are small and easy to deploy into any office environment, enabling a quick attack to record and store conversations. Upon retrieval of the device, the information can be accessed and transmitted globally.

Interception Attack

Interception (which includes telephone tapping, or wiretapping in the US) is the monitoring of telephone and Internet conversations by a third party. All commonly used transmitting communications devices such as telephones, mobile telephones and all wireless office equipment (including wireless microphones) can be intercepted. It should be understood that all phone lines and signals are accessible externally by local network providers and governments. Telephone tapping involves tampering with the instrument, and phone taps can be deployed to most phones. Interception is a very effective method of information gathering, as it is done from a distance and is therefore almost undetectable.

Enhanced Optical Attack

Due to contemporary working environments, where most offices are in glass buildings, the use of enhanced optical devices by information gatherers is very popular. These devices enable sight through a window from a distance to monitor people, their lip movements, computers, keystrokes and documents. Often overlooked, this attack is a simple but effective way to steal valuable information without trace.

Induction Attack

Induction devices are designed to access data transmissions by attaching (clamping) to the cables of communications devices, such as telephone, facsimile or fibre optic cables, without breaking or interrupting the flow of data. Although all cables are eventually external, the cables can also be attacked internally. Induction devices can be connected to a transmitting device or recording/storage device, which enables information to be stolen without detection.

Stethoscope Attack

Stethoscope devices are acoustic listening devices. This type of equipment is attached to the exterior of the building, for example to the walls, ceilings, floors, doors and windows. These devices operate on a similar principle to listening to conversations through a wall with a water glass. Stethoscopes can be connected to transmitting or recording devices to simply listen to all conversations where the device is deployed and steal the information without detection.

Modern office buildings and other working environments have hundreds of physical vulnerabilities in terms of information security. The following is a generalised and non-exhaustive list of typical weaknesses that illustrates the various angles of threats to confidential information within organisations.

Building Security

Most office buildings are physically secured as standard. This is the first countermeasure to prevent or deter attackers from accessing a facility, resource or information within the building. Physical security ranges from locked doors to multiple layers of manned guarding. In most office buildings, this countermeasure is reinforced with an access control system (such as CCTV, intruder alarms etc) that acts as a second layer of protection against unauthorised entries. In cases where physical security is inadequate or does not exist, targeting confidential business information becomes an easy task. Information gatherers then waste no time in gaining access to your building and either deploying unauthorised surveillance devices or walking out with confidential information in a physical or electronic format.

Acoustic Leakage

As most working environments are designed and built on the “style over substance” principle, most offices experience major acoustic leakage problems. This means that confidential meetings and discussions are vulnerable to accidental or intentional eavesdropping from the areas in close proximity to the confidential offices and meeting rooms. The majority of acoustic leakage problems can be countered with appropriate technology.

Communications Equipment

The usage of communications equipment in the office environment also follows the “style over substance” principle. Therefore, most telephones (hard wired and wireless), mobile phones and other communications equipment in offices are unprotected and open to unauthorised surveillance. Interestingly, this is contrary to the IT systems that use a VPN (Virtual Private Network) to securely transfer data from end to end. The most effective solution for securing communications equipment is private-key based encryption, which is provided by only a handful of providers worldwide.

Wireless Communications

Wireless communications equipment (cordless phones in particular) is completely unsuitable for confidential business use, as it has a minimal level of encryption and is designed for domestic use.

Clear Desk Policy

This is one of the most commonly overlooked and disregarded vulnerabilities to confidential business information. In the majority of corporate environments, most office employees do not clear their desks, or store and dispose of documents and other office items (keys, USB devices, Dictaphones etc) securely. Most office environments are an open invitation to information gatherers to steal any confidential information on display.