When a fresh-faced graduate reported promptly one morning for his first day at a financial institution, he offered up a passport as identification.
Reception staff checked his name off a list of other new recruits and issued him with a building pass to join scheduled induction sessions.
He never attended the meetings, and instead swept through the company's offices, stealing as much business critical information as he could before anyone became aware of the breach.
The real new starter arrived an hour later with a genuine passport in hand. The competitor’s espionage agents had targeted him via social media posts, firstly bragging about his new job and secondly identifying his start date and office location.
They sent him a fake letter, changing the arrangements for his first day and by the time he arrived, the spy had left the premises unnoticed, taking with him a substantial amount of commercially sensitive information in the form of paperwork, and the laptops of two members of the senior management team.
At the time of the incident, both managers had been away from their desks, called to bogus meetings. The breach was significant and damaging to the organisation, amounting to the theft of detailed strategic plans and financial information.
National Cyber Security Centre
Today the UK government opened the National Cyber Security Centre’s (NCSC) London Hub, warning that cyber attacks on business are increasing in their frequency and severity. All of the focus is on cyber; however, companies could potentially be left seriously exposed if all they have is a cyber security plan.
The impact of business spying not involving a cyber intrusion is on the rise and is one of the greatest security risks to businesses, dwarfing the threat from cyber attacks.
The cost to business is as high as $1.1 trillion annually, according to estimates compiled by G4S' corporate risk services division.
That compares to the impact of cyber-related espionage, which is estimated to be $400bn a year, the stealing of business critical data through infiltrating an organisation remotely.
Many businesses consider the threat of a cyber-attack to be their biggest security concern and at their peril they ignore the threat of data loss where corporate spies uncover serious shortcomings in physical security arrangements.
Corporate spies play on basic weaknesses, knowledge gaps and human frailty – there is little point in monitoring systems if you don’t also monitor the people who have access to them.
While a cyber attack can bring down a company’s systems or access confidential information, there are many more ways that competitors or other corporate spies can attack a business. These methods can also enable a more in-depth cyber attack later, compounding the losses already suffered.
Companies routinely have loss-prevention programmes to counter the theft of equipment. But arguably the greatest threat to their business is the theft of information on those devices such as mobile phones or laptops, rather than considering the loss crudely in terms of the value of the devices themselves.
It is much easier and quicker to walk off with a laptop or a stack of documents than to access computer systems, and there are often fewer barriers to doing so.
There are a number of things that businesses can do to protect their information.
As part of a security audit, rights of access and rights of way for all staff and all services staff such as cleaners, engineers and IT professionals should be mapped out, agreed and tested.
Processes around new starters, external suppliers and visitors should be rigorously assessed and shared with the relevant employees.
The risk from lost documents is one that is often superficially understood but plans to mitigate those dangers are rarely well implemented. A clean desk policy should be compiled and implemented, but a major challenge around such policies is the ongoing and strict enforcement. This is the critical element in such a policy which ties in with process around secure and timely disposal of sensitive data printed out.
Based on the sensitivity of the data a company handles, one business consideration is whether to ban printouts or to set up a process where employees can only print out documents with an access card both to the print room as well as the printer itself.
What to look out for: Potential workplace threats
Disgruntled employees, competitors, foreign governments, and suppliers can act as an insider threat, over short and long periods of time, with little chance of detection if the business is only focusing on external cyber threats.
The insider threat is a growing problem through planted spies and contract employees as well as employees being duped.
Sensitive information shared in conversations, meetings, telephone calls and in paper documents is also vulnerable and if not protected, businesses are at risk of being critically compromised.
Business executives are extremely vulnerable to spying when travelling.
Travel security programmes address terror threats, criminal threats, potential political instability, even health and natural disasters, but they rarely cover business espionage threats – even though the business espionage threats almost always pose a more serious adverse business impact.