Industrial Espionage Made Easy

By: RHYMER RIGBY, Financial Times, 2 June 2006 posted on 06-02-2006.

"Last year Manchester United discovered that its dressing room talks about team tactics had been bugged during a crucial match. Tapes of the talks had been offered to The Sun newspaper."

Similarly, the Japanese bank Sumitomo in London was alerted last year to its computers being physically bugged with keystroke loggers by a gang hoping to steal 220m Pounds; the bugs were thought to have been attached by cleaners.

In 2003, Boeing was stripped of US Air Force contracts worth Dollars 1bn when it was discovered that it had illegally obtained documents from rival Lockheed Martin.

With all the worry about crime in cyberspace and tight physical security in the aftermath of terrorist attacks, businesses may sometimes forget that there are plenty of other opportunities for private information to be secretly obtained and misused. "Everyone's very keen to control who comes in and out of the building and protect cyberspace," says Crispin Sturrock, chief executive of information security company White Rock. "But there is a big hole in the middle. Far fewer companies prepare for industrial espionage."

Peter Yapp, deputy director of network forensics at Control Risks Group, adds: "If people want information from you, they'll go for the weakest link. If you've got a good well-managed firewall, that won't be it. It might be the bins, it might be overhearing conversations in the pub, it might be (bribing) a cleaner to obtain information. It doesn't have to be sophisticated."

Brian Stapleton, head of financial investigation at the risk-consulting group Kroll, says companies appear to be increasingly "actively and regularly targeted". He ascribes this to the huge amounts of money that investors can make very quickly with access to secret information.

Eavesdropping on businesses has become easier as bugs have become more available, cheaper, more powerful and smaller. A concealed MP3 player, for example, can record days of conversation. A phone bug can be planted in a room and dialed into from anywhere: the call often escapes detection because it resembles an ordinary mobile phone call. They are, says Mr Sturrock, "the current bug of choice".

They are readily available in shops such as Spymaster in London and on the internet and cheap enough to be disposable. Other James Bond-style gadgets, small and easily concealed - a fake smoke detector with a hidden camera, for example - are also very affordable.

Would-be spies are also happy to raid your rubbish. Many businesses believe a shredder takes care of sensitive information, but that faith is misplaced, Mr Sturrock explains. Shredding devices have six grades. Six is the most effective, but three is the most common. Any documents shredded by a machine below level five can be reconstructed with software or by sending the waste to be sorted in a country with cheap labour.

Technology has made spying easier, but so have new employment trends. The spying device at headquarters or in a hotel room or a bar may be a person. It might be the low-paid, probably unvetted and possibly temporary cleaner. It could be a disgruntled employee.

Staff can be persuaded unknowingly into giving out passwords, or they may give away information by talking loudly on a mobile phone or by mislaying a BlackBerry. Spies might operate near top-level staff's homes, looking for an open Wi-Fi connection or cordless phone.

Industrial espionage tends to take place at times of high sensitivity and risk to a company, says Norman Bolton, a director of the security consultancy C2i International: "We usually find it happens to companies that are suffering." This often provides the combination of incentive (the company may be ripe for a takeover bid) and means (the employees are likely to be miserable or worried about job security).

Commercially sensitive information may not always take the form most obvious to staff: as well as information affecting a company's area of operation, spies could be interested in the details of a joint venture or technology transfer.

Many developing countries have neither the intellectual property law nor the culture of information security that have developed in the west, and far more is considered fair game.

Bill Waite, chief executive of Risk Advisory Group, says: "It's not unknown for hotel rooms to be entered at night and entire laptop hard drives to be copied. Those who this happens to usually don't have any idea what has gone on."

Spies can be defeated. On the bugging side, counter-surveillance companies can sweep the premises and throw "electronic blankets" over rooms during secure meetings. Very determined spies can use lasers to "read" the vibrations of a conversation or film videos through long lenses to be viewed by lip readers, so if the meeting is really sensitive, businesses can use secret locations with private entrances.

On the staffing side, prospective employees should be checked, and staff should be encouraged to tidy away papers and anything of a sensitive nature from their desks. They should not use shared printers for sensitive documents and should be wary when carrying sensitive information on their laptops. More businesses should remember that the only way to erase information on an old hard drive is to destroy the disk.

An important part of minimising risk, says Mr Stapleton, is maintaining loyalty and morale among employees. "Our view is that if you have a disgruntled and demotivated workforce, they will be far more open to approaches from outside agencies - and that is the easiest way to get information out." Industrial espionage may have replaced industrial action as a way of acting on a grievance.

"Don't forget", says Mr Stapleton, "there is still a lot of sensitive information inside people's heads."