[BreachExchange] Could corporate spying be a larger threat to business security than cyber attacks?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 17 08:11:51 EST 2017


http://www.cityam.com/259028/could-corporate-spying-larger-threat-business-security-than

When a fresh-faced graduate reported promptly one morning for his first day
at a financial institution, he offered up a passport as identification.

Reception staff checked his name off a list of other new recruits and
issued him with a building pass to join scheduled induction sessions.

He never attended the meetings, and instead swept through the company's
offices, stealing as much business critical information as he could before
anyone became aware of the breach.

Fake letter

The real new starter arrived an hour later with a genuine passport in hand.
The competitor’s espionage agents had targeted him via social media posts,
firstly bragging about his new job and secondly identifying his start date
and office location.

They sent him a fake letter, changing the arrangements for his first day
and by the time he arrived, the spy had left the premises unnoticed, taking
with him a substantial amount of commercially sensitive information in the
form of paperwork, and the laptops of two members of the senior management
team.

At the time of the incident, both managers had been away from their desks,
called to bogus meetings. The breach was significant and damaging to the
organisation, amounting to the theft of detailed strategic plans and
financial information.

National Cyber Security Centre

Today the UK government opened the National Cyber Security Centre’s (NCSC)
London Hub, warning that cyber attacks on business are increasing in their
frequency and severity. All of the focus is on cyber; however, companies
could potentially be left seriously exposed if all they have is a cyber
security plan.

The impact of business spying not involving a cyber intrusion is on the
rise and is one of the greatest security risks to businesses, dwarfing the
threat from cyber attacks.

The cost to business is as high as $1.1 trillion annually, according to
estimates compiled by G4S' corporate risk services division.

That compares to the estimated $400bn a year impact of cyber-related
espionage, the theft of business critical data by infiltrating an
organisation remotely.

Many businesses consider the threat of a cyber-attack to be their biggest
security concern and at their peril they ignore the threat of data loss
where corporate spies uncover serious shortcomings in physical security
arrangements.

Corporate spies play on basic weaknesses, knowledge gaps and human frailty
– there is little point in monitoring systems if you don’t also monitor the
people who have access to them.

While a cyber attack can bring down a company’s systems or access
confidential information, there are many more ways that competitors or
other corporate spies can attack a business. These methods can also enable
a more in-depth cyber attack later, compounding the losses already suffered.

Theft

Companies routinely have loss-prevention programmes to counter the theft of
equipment. But arguably the greatest threat to their business is the theft
of information on those devices such as mobile phones or laptops, rather
than considering the loss crudely in terms of the value of the devices
themselves.

It is much easier and quicker to walk off with a laptop or a stack of
documents than to access computer systems, and there are often fewer
barriers to doing so.

There are a number of things that businesses can do to protect their
information.

As part of a security audit, rights of access and rights of way for all
staff and all services staff such as cleaners, engineers and IT
professionals should be mapped out, agreed and tested.

Processes around new starters, external suppliers and visitors should be
rigorously assessed and shared with the relevant employees.

The risk from lost documents is one that is often only superficially
understood, and plans to mitigate those dangers are rarely well implemented.
A clean desk policy should be compiled and implemented, but the major
challenge with such policies is ongoing and strict enforcement. Enforcement
is the critical element of the policy, and it ties in with the process for
the secure and timely disposal of sensitive data that has been printed out.

Based on the sensitivity of the data a company handles, one business
consideration is whether to ban printouts or to set up a process where
employees can only print out documents with an access card both to the
print room as well as the printer itself.

What to look out for: Potential workplace threats

Disgruntled employees, competitors, foreign governments, and suppliers can
act as an insider threat, over short and long periods of time, with little
chance of detection if the business is only focusing on external cyber
threats.

The insider threat is a growing problem through planted spies and contract
employees as well as employees being duped.

Sensitive information shared in conversations, meetings, telephone calls
and in paper documents is also vulnerable and if not protected, businesses
are at risk of being critically compromised.

Business executives are extremely vulnerable to spying when travelling.

Travel security programmes address terror threats, criminal threats,
potential political instability, even health and natural disasters, but
they rarely cover business espionage threats – even though the business
espionage threats almost always pose a more serious adverse business impact.