Espionage is all around us, Alex Bomberg of IPI told the July 2017 print issue of Professional Security magazine; and security companies fail to understand the threats themselves. Most security professionals never have any training in countering espionage; ‘it isn’t taught at any level, it isn’t incorporated in IT security, security and risk management degrees; it’s something that’s literally fallen between the cracks. But it’s a big issue.’
About Alex Bomberg: He’s a member of think-tank Chatham House and the defence and security body RUSI (Royal United Services Institute); and a parish councillor in his part of Gloucestershire. Visit https://www.intelligent-protection.co.uk/index.html. Alex Bomberg is among the speakers at a BSIA networking evening at the London NW1 offices of Facebook, on October 24. Gary Hibberd, MD of Cyber Safeguard and Stephen Lampett, BSIA Technical Manager, are also speaking. Visit www.bsia.co.uk/events.
That basic understanding of counter-espionage which every security specialist needs should extend to the guards on the gates, Alex goes on. He gives the example of a Formula One racing team that seeks to protect its technology from rival teams; or indeed from defence firms, motor manufacturers or betting rings, who also might see a value in stealing data. A site guard, then, may be questioned by someone who turns up at the site asking what’s going on. Unless the guard has received training in counter-espionage, he won’t understand the importance of the question being asked, and how an answer might fit into a bigger picture. Alex offers another example, of the guard of a laboratory that is researching GM crops. ‘Counter-espionage starts with the cleaner and goes to the CEO,’ Alex says. ‘It needs to be from the bottom to the top, everybody in the company needs to have an understanding of it and should be taking responsibility for it.’ But as he adds, most companies don’t even have a policy about it. Whose responsibility is it – the facility manager, because offices are swept for ‘bugs’ (TSCM), or the IT manager, if it’s IT being hacked, or the security manager – even though none of them have training in it? ‘How do you counter something that you don’t understand?’
Espionage starts, Alex suggests, with a research phase; surveillance, and intelligence-gathering, to find out who the weakest person is in the organisation that the attacker can get the required information from. Hence Alex’s point about the cleaner and the CEO; the person showing interest in your organisation in the pub might be having an innocent conversation; but it might be part of a ‘bigger picture’ if others are being asked the same question. Hence the importance of a company policy in reporting any suspicions. Alex admits that people think of espionage as ‘James Bond’ and that it has to be big budget and high-tech. ‘It isn’t; most espionage actually carried out is done on a budget and is very low-tech.’ As he says, why spend £1m to get a piece of information when you can get it by blackmailing somebody. ‘That’s the reality of espionage, it’s all around us,’ whether in business, politics or sport.
If that sounds as if it’s overlapping into social engineering, it is – someone doing espionage is looking to ‘press someone’s buttons’, that you can shorten to MICE. Money, ideology, coercion and ego. Use whichever one or combination to get information out of a target. Alex goes through the four ‘exploits’, to use the IT term. Money – someone is skint or in debt, and you give £1000 in return for whatever. Once it’s given, you can coerce – having taken money, you can be blackmailed into giving more, or else. Ideology; you don’t believe in the path the company is going down, or you’re feeling overlooked. Straight coercion; you are cheating on your wife, or taking drugs in the works toilet, and if you don’t hand over information … as Alex says, it’s all extremely low-tech. And ego – if you give information, you are going to feel amazing. If you’re working abroad and someone says they’re from HM Government and they need your help, might your ego fall for it?! It all really does happen, Alex says, and many cases do not get reported, ‘purely because it’s damaging to the reputation of the company; and that’s what we are talking about here as well’. A loss of data, a hack or a breach, affects the bottom line.
What to do
What can companies do about it? Education is the number one thing, Alex replies; ‘educate the staff to the espionage threat, understanding the risks faced by the company and its clients’, to save potentially a massive amount of money in the long run. A basic understanding should be in every security professional’s tool-box, he adds, ‘because it overlaps into so many different areas’. Again thanks to James Bond, you may believe espionage only happens to exciting companies, high-tech labs and big-name firms; not an accountant. But accountants have invoice or other information passing through their hands whose importance they don’t necessarily understand. Nor need that data be stolen through a hack; why should it, if it’s simpler to put on a high-vis vest, walk in without challenge and pick up something (unshredded) from a dustbin, or a desk, or from a computer screen that you photograph with a phone? Policies to counter espionage (or indeed anything else) are useless unless they’re monitored. Take social media, Alex says. Not that many companies have a policy on employee use of social media at all. “A lot of espionage is actually very easy, because of the information put out by employees, and the company.” A photograph, for example, might show an identity badge, and that may be enough to enable those doing espionage to make a copy. Sometimes, Alex says, the worst people in the firm are the PR people, putting out messages, many of which give away technical details of a product that they shouldn’t. “This is why the whole workforce needs to have an understanding [of counter espionage].”
We seek to please
On social engineering methods, Alex points out that people seek to please; what if someone rings and says that they are interested in working with your company, and asks whether they can visit? Are you going to show those strangers around, or do you do due diligence first? But, Professional Security asks, isn’t it good manners, or good customer service, to want to please? Alex goes back to the ego, of ‘MICE’; you want to show your company off to a potential client, rather than say sorry, I cannot show you that machining area, or the laboratory. “People don’t know when to say no. And it’s ok to say no.” Espionage – and this is a key point of Alex’s – is not a dirty word. Companies don’t want to talk about espionage, nor admit that they have a problem: “It’s all James Bond, it doesn’t affect them and their business.” Except that it does, if as an example you are an engineering firm that supplies parts to a defence firm. A break-in at that small supplier could be to steal plans, or to interfere with a design, to change the grade of steel. A lot of people, Alex adds, don’t consider their sub-contractors. Alex suggests that counter-espionage should be like first aid at work: “Everybody should have it … every company needs to think about it.” Staff often know things they shouldn’t necessarily know; it should not be disrespectful for colleagues to tell others that what they are working on is none of their business.
Note that Alex hasn’t spoken so far technically, about eavesdropping or bugging boardroom meetings. Rather, he raises the point that everyone brings to the table their mobile phones, thanks to a policy of BYOD (bring your own device). “The concern with that is, you don’t know if someone has got software on their phone which is recording without their knowledge; that software is out there, for very, very little cost. That’s a major concern; it’s all very well getting the meeting swept for bugs, a TSCM [technical surveillance counter-measures] sweep prior to a meeting, although that is good practice today.” Instead, Alex’s concern is that security has not caught up with what mobile devices can do. People still think that they are carrying a phone; not a computer, a camera and a transmitter.
How about a policy of visitors leaving their mobile in a locker at reception? Most companies don’t want to spend money on security, Alex says; so if you can do things for free that work, you are countering espionage. As with other crime, if you show you do the basic security things right, and you aren’t an easy target, those doing espionage may well go elsewhere, Alex suggests. Talk about espionage, have a policy about it, put it on the agenda, he argues. Talking of easy targets, staff may be far more vulnerable when working from home, or in a hotel room when travelling. Suppose, Professional Security suggests, you take a wrong turning out of a restaurant when on a business trip and get robbed in an alley. A robbery, or espionage? Alex asks in reply. He returns to his point about talking about espionage, not as a dirty word; if you don’t, it becomes difficult to put two and two together.
Alex gave the case of a company that spent millions on its head offices, that had meeting rooms before its reception, and security. He recalled going to a meeting there: “I went to a dustbin in their meeting room and pulled out the next year’s forecast. They had had a financial meeting just prior.” Familiarity may breed contempt; you are used to handling that data innocently, but betting rings, competitors, foreign states, may each have a use for it.
Better or worse?
Are businesses getting better at countering espionage? we ask. Worse, Alex replies; as people rely on tech, and worry about the wrong things, such as phones being monitored or emails intercepted; or eavesdropping through windows on a conversation. What they should worry about are low-tech threats, of someone trying to bluff and walk their way into a site; not kicking the door in. Why eavesdrop Mission Impossible-style with lasers if you can hand out a ‘battery charger’ free at a trade show, that has a transmitter inside; or offer a new computer screen (actually with a camera) to a company, that the MD snaffles and plugs in.