Spies like us

Far from being something you only see in James Bond films and television crime shows, industrial espionage is a real and growing problem for businesses.

The Institute of Directors (IoD) has warned that the potential of becoming a victim now seems to be bigger than ever.

About 60% of IoD members have suffered from theft – electronic or of the more traditional form – while 14% have reported internet crime in one form or another.

Bob Ayers, director at security consultancy Ayers & Associates, says there are countless different forms of espionage, highlighting an interesting internal example, when a bank was severely damaged by a virus suddenly appearing inside its extensive IT defences.

“Initially a consultant was suspected of introducing the programme from his laptop,” Ayers said.

“The consultant was eventually cleared. Further investigation revealed that there were two competitors for the job of the retiring managing director: the chief information officer and the chief financial officer. We determined that the CFO introduced the virus to discredit the CIO.”

But what can companies do to make sure they don’t become a victim of espionage, whether it originates from external rivals or internal troublemakers?

Putting technology in place to protect your network is the obvious first answer, but as with any IT security initiative, ensuring employees do not jeopardise sensitive information is key – which is where HR comes in.

Police say the companies involved in the Israeli scam used a “Trojan horse” virus, which works by installing itself within a computer system and then allowing hackers to monitor, track or even control that system.

Trojan horses can enter a company’s network via a number of routes, including removable media devices, such as USB keys and portable music players.

But a survey of more than 250 UK businesses released last week revealed that more than half have no controls in place to manage workplace use of such devices.

To avoid this type of scenario, HR departments must work with IT to ensure that employees are aware of the consequences of their actions, experts advise.

And it is not just about writing a policy, warned Andrew Wilson, project manager with the independent Information Security Forum.

“The only way you really raise security awareness is by changing people’s behaviour, which means changing the corporate culture,” he said. “You cannot do this by sending around security booklets and messages on mouse mats. It has to be driven from the top of the organisation.”

One way HR can improve security is by writing corporate asset protection into employees’ job responsibilities, with performance reviewed annually, suggests Richard Starnes, director of incident response at Cable & Wireless. Adherence to the corporate security culture should even influence bonuses and salary rises, he said.

“For most companies it is low on their list of priorities because it is wrongly regarded as a cost, not a benefit,” he said. “It is possible to develop a security culture, but you have to make it worthwhile for staff to buy into it for it to be effective. Money is the biggest incentive.”
