Business intelligence is a growing industry. All over the world, the ethical line is being breached for one or a group of people to benefit. This applies to corporations trying to gather information, or an unscrupulous employee trying to make some extra money.
The HP scandal last year highlighted this fact. HP needed to gather information on a group of journalists, and used a common but almost unspoken tactic. Namely, getting telephone records of journalists without their permission. The company also called its marketing department and pretended to be journalists.
The reason for these less-than-proper tactics is quite simple, the information was important to HP and the company needed to close the source of the information being leaked to journalists as quickly as possible.
Even more criminal, was the recent Coca-Cola scandal in the US where an employee tried to sell the formula of a new coke product to rivals Pepsi. The executives at Pepsi notified Coca-Cola and the FBI was brought in to investigate and eventually arrest and prosecute the employee and her accomplices.
Risks in the corporate world
There are two main types of risks companies face. Firstly, there is theft of property, such as stock, hardware, tools and furniture.
Secondly, there is intellectual property - such as in the case of HP and Coca-Cola. This happens when an employee, who could even be at board level, passes on company secrets for a fee or for some other reason.
Company secrets could be sold or staff approach competitors with databases or tender documents. Unscrupulous competitors could bribe desperate employees to obtain copies of quotes. And the list goes on.
As thieves become more innovative, surveillance methods need to be regularly reviewed. But we believe organisations are not placing sufficient emphasis on risk analysis, putting their companies at risk of key information being leaked.
Thieves are persistently looking for new ways of beating existing security systems, and are being successful at it.
In terms of the workforce, general market statistics reveal that 10% of staff are inclined to steal (this includes petty theft and large scale fraud), 80% are undecided and 10% will never steal and will not be swayed.
It is the 80% that need to be addressed. This section of the workforce needs to be made aware that the risk of being caught is too high.
Educating the workforce is therefore crucial. This can be done by advising staff that surveillance equipment is installed and that the company has zero tolerance for theft. They do not need to know what equipment is being used.
The problem is that companies often know that goods are being stolen, but cannot track how this is being done. And it is not possible to convict thieves without the proper evidence. Evidence can be gathered by using surveillance equipment.
In warehouses for example thieves often open sealed boxes containing expensive equipment such as cameras and DVD players, and steal the contents. The boxes are then resealed with items of the same weight.
Expensive copper pipes are stolen by putting smaller diameter copper pipes into bigger ones. Both scams can now be tracked and video recorded using inexpensive and easy-to-use equipment. Using informants could help companies know what to look for on CCTV.
Pinhole-size cameras are hidden inside false boxes in strategic locations, and can be hidden almost anywhere to record theft.
Surveillance systems now cost a fraction of what many organisations expect to spend. Devices are also getting smaller!
Companies are able to hire or purchase equipment outright, and systems can be built to specification. Installation is easy and there is not necessarily a need for a private investigator.
Court evidence
Before installing a surveillance system, certain internal legal procedures also need to be followed. Management must ensure that staff members are formally advised of the fact that surveillance equipment is installed.
This can be done by either notifying employees in their payslips or include the details in the employment contracts. The note will state that CCTV cameras are installed. You do not need to state that covert cameras are being used.
If there is suspected industrial espionage, companies need to take a different approach. Listening devices can be hidden very easily, so it is important to think about what information is useful to competitors and how it could be leaked.
Where can bugs be hidden?
Bugs can be hidden in boardrooms and offices, in the telephone system, in telephone cabling. But not all spies use electronic devices.
Confidential information can also be made available to unwanted sources by unguarded conversation. Disgruntled employees could pass on information or members of staff could be bribed by outsiders, while coercion is increasingly common with staff members or their families being threatened.
In addition, IT people who generally have access to confidential information, could be distributing information by e-mail, USB flash disk or DVD.
Cleaning staff also have access to key areas and information. Who throws out the waste paper and has access to your office after hours? Staff could be passing key information to the wrong people for a small fee, or sometimes doing it without even knowing it.
Where is the buggist?
The buggist can be anywhere, but is usually remote from the business. The bugging can be done via cellphone, the Internet, RF transmitter or by on-site recording.
Bugs can be detected with the use of electronic equipment or by carrying out a physical search. Electronic equipment is available and there are specialists who are able to do a physical bug-search on your premises. If you are concerned, then periodic de-bugging should be done by a reputable professional, someone who has a track record that can be checked.
How can companies protect information?
Here are a few basic suggestions:
Meet in a busy restaurant if you are concerned about the office. The noise level is generally high, making it difficult for sensitive microphones to pick up the conversation.
Background music could be played in boardrooms if a confidential meeting is taking place.
A bug detector installed permanently in a boardroom for example will also alert management immediately to the presence of a bug.
Close the curtains. Some bugging devices are able to translate vibrations off windows and monitor what is being said in the room.
It is wise to secure PABX and IT rooms by locking them and limiting access.
What do you do if you find a bug?
Should you destroy it? You could, but you could also feed disinformation putting the buggist on the wrong track. You could also entice the spy to return to the premises to fix the device and then apprehend the person.
Keeping employees honest
Employee contracts should have a clause that makes leaking information an offence and justification for dismissal.
It is important to polygraph key staff, or use similar methods, and include in the employment contract that a polygraph test may be given from time to time. We call this honesty maintenance.
Staff education is also important, explaining that not everyone is a criminal but that precautions need to be taken. The fact that staff are aware that the company is being vigilant in terms of information theft will act as a deterrent.
Technology now and in the future
There are so many technological ways for a buggist to gather information. Bluetooth, WiFi, RF, Cellphones, UHF, VHF, FM, hard-wired, etc, systems are easy to make and easy to install. Technology companies like Audiotel International are constantly improving and developing new detection devices to counter the buggist. It is my opinion that businesses focus just as much energy, if not more, on protecting information and procedures as well as employee honesty than on debugging and counter surveillance. Unscrupulous people will always find a way to gather information from a company. We just need to make it harder and make the consequences of getting caught more severe.
Background
The law
Most intelligence gathering is legal, such as examining corporate publications, websites and patent filings, taking apart competitor's products, studying the trade press and hiring a rival's former employees.
In terms of corporate espionage, intelligence gathering becomes illegal when companies resort to the interception of post, bribery, blackmail, theft, hacking into computer networks, technical surveillance and electronic eavesdropping.
Prevention of Corruption Act
The Act states that: "any person who, directly or indirectly -
(a) Accepts or agrees or offers to accept any gratification from any other person. Whether for the benefit of himself or herself or for the benefit of another person: or
(b) Gives or agrees or offers to give to any other person any gratification, whether for the benefit of that other person or for the benefit of another person. In order to act, personally or by influencing another person so to act in a manner:
(1) that amounts to illegal, dishonest, unauthorised, incomplete or biased; or misuse or selling of information or material acquired in the course of the exercise, carrying out or performance of any powers, duties or functions arising out of a constitutional, statutory, contractual or any other legal obligation;
(2) that amounts to the abuse of a position of authority; a breach of trust; or the violation of a legal duty or a set of rules;
(3) designed to achieve an unjustified result; or
(4) that amounts to any other unauthorised or improper inducement to do or is guilty of the offence of corruption.
Interception Act:
Interception of communication by party to communication
Any person, other than a law enforcement officer, may intercept any communication if he or she is a party to the communication. Unless such communication is intercepted by such person for purposes of committing an offence.
Interception of communication with consent of party to communication
Any person, other than a law enforcement officer may intercept any communication if one of the parties to the communication has given prior consent in writing to such interception, unless such communication is intercepted by such person for purposes of committing an offence.
Prohibition on manufacture, possession and advertising of listed equipment
(1) Subject to subsection (2) and section 46, no person may manufacture, assemble, possess, sell, purchase or advertise any listed equipment.
(2) Subsection (1) does not apply to any telecommunication service provider or other person who, or law enforcement agency which manufactures, assembles, possesses, sells, purchases or advertises listed equipment under the authority of a certificate of exemption issued to him or her or it for that purpose by the Minister under section 46.
Harold Marshall is the managing director of Marshall International.
For more information contact David Marshall, Marshall International, +27 (0)11 622 3660, [email protected]
© Technews Publishing (Pty) Ltd. | All Rights Reserved.