Writer's Profile
Peter Juxon

Specialised Subjects

Communications, Computing, I.T., Information Systems

I am a recent post graduate student having followed up a Master’s degree in Mobile Computing and Communications. Also I am a CISCO certified Network Associate (CCNA) and Associate Member British Computer Society (AMBCS). Currently I am preparing for CCNP, professional certification for CISCO Systems Inc. I have vast knowledge and advanced skills in the networking, database and programming domain of Computer Science. During my spare time I usually prefer to review the IT literature available over the web and other sources. I enjoy reading books and journals related to IT innovation and new developments.

The discovery of possible threats, a policy for mobile phone use and measures to prevent industrial espionage in the future

Introduction

The security of a company’s confidential information is of great concern to businesses. Their information must be protected and secured. In the past there have been reports of information and business secrets being leaked from within a company. Taking these issues into consideration, an analysis of the possible threats to a company’s confidential information and the risks involved has been carried out, and is listed in the table below. A security policy addressing mobile phones and other communication enabled devices has been included to limit any threats to information security within the company premises. Further important measures have also been addressed to avoid industrial espionage in future, as a few cases were reported in the recent past.

Task 1

Following is the table listing possible threats, risks and their countermeasures:

| Threat | Risk(s) | Loss | Countermeasures |
|---|---|---|---|
| Fire: is the heat and light energy released during a chemical reaction. | Property, buildings, employees and IT infrastructure. | Workstations, networks, buildings, employees. | Fire protection engineering, fire exits, fire extinguishers, sandboxes. |
| Floods: is an overflow of an expanse of water that submerges land, a deluge. | IT infrastructure, communications. | Networks, workstations. | Flood risk assessment. |
| Earth Quakes: is the result of a sudden release of energy in the Earth’s crust that creates seismic waves. | Property, buildings and IT infrastructure, business continuity, communications. | Workstations, Networks, buildings, employees, contractors. | Earthquake engineering. |
| Landslides: is a geological phenomenon which includes a wide range of ground movement, such as rock falls, deep failure of slopes and shallow debris flows, which can occur in offshore, coastal and onshore environments. | Property, buildings and IT infrastructure, network systems. | Networks, workstations. | Geotechnical engineering. |
| Hacker: uses advanced computer skills to attack computers. | Computer equipment access and information invading. | Confidential information. | Firewalls, data masking, steganography, chaffing and winnowing. |
| Cracker: violates system security with malicious intent. | Wireless networks, software systems, digital distribution. | Company secrets and data. | Copy prevention, ransom ware, surveillance. |
| Script Kiddie: break into computers to create damage. | Data, programs, and equipments. | Equipments and data. | Virtual systems, honeypots, victim hosts. |
| Spy: hired to break into a computer and steal information. | Sensitive and confidential information at specific computer. | Company secrets and information. | Naval mine, steganography, Firewalls, CCT Cameras, alarms. |
| Employee: largest information security threat to business. | Employee ownership, instant messaging can be used to communicate trade secrets, industrial espionage. | Company secrets and equipments. | NCIS (Naval Criminal Investigation session), BPO security, intelligence cycle, ERM, CCT cameras. |
| Cyber terrorist: attack network and computer infrastructure to cause panic. | Wireless networks, Internet, system intrusions, critical infrastructure. | Networks, Workstations. | Firewalls, Honeypots, virtual systems access, Hardware logging, BCP Cyber security. |
| Visitors: who visits an organisation with the intent of queries or lookups. | Equipments, data. | Workstations. | CCT cameras, security guards, alarms. |
| Contractors: an organisation or individual that contracts with another organisation or individual (the owner) for construction or some other facilities. | Technical intelligence, computer security, industrial espionage, equipments. | Workstations, information. | CCT Cameras, LANTRIN alarms. |
| Virus: is a computer program that can copy itself and infect a computer without the permission of the user. | Data and running processes, programs. | Software systems and processes, workstation. | Anti Virus software, firewalls, computer security centers. |
| Spyware: is computer software that is installed surreptitiously on a personal computer to intercept control over the user’s interaction with the computer. | Personal information, intercept control. | Bank accounts and other personal information. | Anti spyware programs. |
| Malware: is software designed to infiltrate or damage a computer system. | Grey Net, web threats. | Workstation. | Crypto virology, MRP, windows powershell. |
| Phishing: is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details. | PayPal, IDN homograph, Internet fraud, web threat. | Bank accounts, username and passwords. | Antivirus, firewalls, digital certificates. |
| Spoofing: is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. | Short Message Service, Internet fraud, IP address. | Data security. | Signals intelligence, session fixation. |
| Root Kit: is malware which consists of a program designed to take fundamental control of a computer system. | System processes, Port knocking. | Software systems, database transactions. | Antivirus, SpectorSoft. |
| Botnet: term for a collection of software robots that run autonomously and automatically. | Web threat, bank fraud, and identity theft. | Bank accounts, sensitive information. | Hash Cash, Fast Flux |
| Back Door: is a method of bypassing normal authentication, securing remote access to a computer, while attempting to remain undetected. | Authentication bypass, digital distribution. | Sensitive information. | Card readers, biometrics. |
| Trojan: is malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. | SafeDisks, Spyware Strike. | Workstation. | Cryptovirology. |
| Logic Bomb: is a piece of code that is intentionally inserted into a software system and that will set off a malicious function when specified conditions are met. | Software systems and processes. | Software systems. | Antivirus programs and firewalls. |
| Integrity: comprises perceived consistency of actions, values, methods, measures and principles. | Valuation risk, system integrity. | Data. | Firewalls, antivirus software, security centres. |
| Confidentiality: has been defined by the (ISO) as “ensuring that information is accessible only to those authorised to have access” and is one of the cornerstones of information security. | System integrity, information. | Information. | Information System security controls. |
| Availability: degree to which a system, or equipment is operable and in a committable state at the start of a mission, when the mission is called for at an unknown time. | Internet privacy, hacking, wireless. | Workstations and information. | Penetration tests, steganography. |
| Authentication: is the act of establishing or confirming something as authentic, that is, that claims made by or about the thing are true. | Data transactions, communications. | Workstation, information, networks. | ATM, firewalls, cryptography. |
| Access Controls: is the ability to permit or deny the use of a particular resource by a particular entity. | Authentication, information, application sharing, network access control. | Workstations, networks, sensitive information. | Signals Intelligence, hardware key, loggers. |

Task 2

Security Policy to address the use of mobile phones within the premises.

Purpose:

The purpose of this document is to ensure that there is clarity around the use of mobile phones on company premises.

Scope:

This document is applicable to all employees in every department in the company and to all visitors and contractors on company premises.

Introduction:

In the past there have been a number of incidents reported related to industrial espionage and other confidential leaks within the company, which mainly involved the use of mobile phones and other communication enabled devices. This policy is introduced following the evidence that mobile phones may lead to the communication of trade secrets and interfere with the normal working of employees, which may affect overall operations and the security of the company and other possible industrial espionage. On review, it is decided to impose a complete ban on the use of mobile phones and communication enabled devices, due to communications and the picture taking facility on many mobile phones. The R&D department has also issued an article, which confirmed that under certain circumstances, interference from mobile phones could affect the performance of some sensitive medical devices.

The issue for consideration is not simply communication between employees, visitors and contractors, but more significantly the potential for the camera and video facility to be used inappropriately and potentially illegally. This may lead to leakage of company secrets and other sensitive information.

Another consideration is the wide range of ring tones that can cause disruption in the working and research area for staff. In some cases there could be confusion with medical equipment alarm signals, resulting in genuine alarms being overlooked.

Use of mobile phones and other communication devices:

After considering the range of risks presented by the use of mobile phones on company premises it has been agreed that:-

Mobile phones may be used in the following areas:-

  • Lunch/Tea area.
  • Riverside pub and outside company premises.
  • Smoking area.
  • Entrance hall.
  • Staff car park.

The use of mobile phones by employees must not interfere with the work being undertaken and full attention to tasks must be observed at all times.

Mobile phones may not be used in all other areas of the company including:-

  • Research and Development department.
  • Personnel department.
  • Marketing and Business development.
  • Strategic operations.
  • Information technology.
  • Customer Services department.

Communication:

Clear signage will be provided to identify those areas where mobile phones must not be used. Leaflets will be available explaining the company’s position on the use of mobile phones and this will also be included in the information pack for visitors and contractors.

Enforcing the policy:

Departmental managers will:-

  • Ensure that if their area is designated as an area where mobile phones cannot be used there are clear signs demonstrating this.
  • Encourage staff in the area to advise any person using a phone within the area of the restrictions and ask them to move to a suitable area.
  • Ensure that all staff report any use of a mobile phone to take photographs.

All employees will:-

  • Refrain from using mobile phones in areas as defined in this procedure and that are clearly signed.
  • Ensure that visitors and contractors are aware of this procedure and where mobile phones may be used.
  • Advise anyone using a mobile phone within a restricted area to move to a suitable area.
  • Advise anyone using a mobile phone to take photographs that this is against company procedure and if they refuse to comply, security must be called and the incident must be recorded.

Security:-

  • Assist with any visitor, contractor or member of staff who refuses to comply with company procedure.
  • Should the person refuse to cease using the mobile phone then they should be escorted off site or a decision made to call the police.

Task 3

Industrial espionage refers to all the undercover activities that are performed by entrepreneurs for acquiring information on their rivals for commercial gain. As such, spying exercises are practiced by some leaders in the corporate world. Targeted victims of espionage activities range from rival business organisations to governmental agencies. Invariably, these deceived business units suffer huge monetary losses.

The real perpetrators are the executives of large companies, and they are rarely prosecuted. It is the small time offender who gets sentenced. Invariably, the transgressor gets apprehended in the very act of stealing the much sought after business information. Business competitors on the prowl seek information of all kinds. Every bit of information that is accessed is valuable and used appropriately. Strategy papers, engineering designs and details of new products help entrepreneurs supplement the information they have already gathered through reverse engineering. (Reverse engineering is the process of purchasing rival products and dismantling them to learn the secrets of the implemented technical know-how).

Information collection methods vary: agents might be recruited to work in the rival company and pass on the accessed information. Bribery of the employees of the rival organisation is also adopted. However, these traditional methods rely on engaging people to do the illicit work. The advent of computers has digitalised industrial espionage methods and has given a modern twist to white-collar crime.

The most blatant of methods of industrial espionage are stealing laptops or breaking into the offices of the opponent and walking away with their desktops. A few cases of espionage activity came to light when bribed employees in the Research and Development wing of a well-known organisation were caught burning sensitive information on to CDs. Usually, the avaricious employees in any organisation prove to be the weakest link of the security chain. Such unethical employees are identified and approached by contacting them online.

Other unobtrusive digital methods pertain to installing key logger software programs that are used to record the keystrokes of the PC user. With this it is easy to gain access to user activity that would also include obtaining passwords, emails, etc. Detecting such spyware activity is becoming difficult as attackers have invented ways to avoid detection. Even if spyware activity is detected, pinning key logger activity as an industrial espionage act is difficult. Only digital forensics can help in such a scenario. Businesses revolve around the information that they have. Business processes, marketing strategies, product designs and customer records are some of the information that determines how a company will fare in the market. Most of this information is housed in the company’s computer servers which can be cracked within a few minutes by an expert hacker. Hacked information may lead to lost profits, lost customers, invalid transactions and a lot more. In short, industrial espionage can destroy a business that has been built for decades. Industrial espionage may be committed by someone from within a company, someone from the competitor’s end or at the level of end users.

Advancements in computer technology have paved the way for rampant espionage through hacking and spyware. The same technology can be used by companies to build a defence line in order to protect valuable information from industrial espionage.

Measures to avoid industrial espionage:

The possible security measures that a company can utilise to avoid future information disaster are given below:

  • Protection of internal network: The system must be designed so that the internal network is not exposed. Company partners must not have a direct or indirect access to a company’s internal network since this will make it vulnerable to spying.
  • Secure intermediate storage: Information that is for retrieval must reside in a secure location. Storing the files on the web servers, at an outsourced site, or any other insecure network may make it an easy target for the competition. A strict protocol must be implemented when accessing internal data. Encryption may provide confidentiality but the file can still be deleted or modified.
  • Protect resting data: Encrypt all resting data since it will make it unreadable to hackers and will maintain high confidentiality. There are several digital measures that can help in protecting sensitive business information.
  • Protect from file deletion: Deletion can happen unintentionally or intentionally. It is best to keep older versions of files so that one may revert back to a working system if there is an access failure due to deleted system files.
  • Measures against data tampering: An authentication process must be in place to ensure that access to sensitive data will only be for authorised personnel. It will be wise to use digital signatures so people can be held accountable for illegal access.
  • Regular auditing and monitoring: This will provide a review of the process and ensure that all security measures are being carried out. Random audits can be a major deterrent for probable abusers.
  • Server protection: Transmission of data to the end users must incorporate authentication of identity. There must be a safety measure to confirm that allowable actions are the only ones taking place between server and end users.
  • User access schemes: Access to data should be classified according to departments and who can access it.
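
The points above on storage, deletion, tampering and auditing can be combined into one periodic check. The following is an added example, not part of the original essay: it records a digest for every file, seals the record with a key held by the auditor, and later reports files that were modified, deleted or added. An HMAC stands in here for the digital signatures the list mentions (it detects tampering but does not attribute it to a person); the key and file names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: this key is held by the auditor and never stored beside the data.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


def file_digest(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key=AUDIT_KEY):
    """Record one digest per file under root and seal the record with an HMAC."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = file_digest(full)
    body = json.dumps(entries, sort_keys=True).encode()
    seal = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def audit(root, manifest, key=AUDIT_KEY):
    """Compare root with a sealed manifest; return a sorted list of (status, path)."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # A manifest re-created without the auditor's key fails here, so an
    # intruder cannot hide a change by simply re-hashing the altered files.
    if not hmac.compare_digest(expected, manifest["seal"]):
        return [("manifest-forged", "")]
    current = build_manifest(root, key)["entries"]
    findings = []
    for path, digest in manifest["entries"].items():
        if path not in current:
            findings.append(("deleted", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    for path in current:
        if path not in manifest["entries"]:
            findings.append(("added", path))
    return sorted(findings)


def demo():
    """Run the audit on constructed sample files; returns three audit results."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "design.txt": b"rev A drawing",
            "customers.csv": b"id,name\n1,Acme\n",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)
        clean = audit(root, manifest)

        # Simulate the three events the audit must catch.
        with open(os.path.join(root, "design.txt"), "wb") as fh:
            fh.write(b"rev A drawing, altered")
        os.remove(os.path.join(root, "customers.csv"))
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"unexpected file")
        tampered = audit(root, manifest)

        # A manifest rebuilt after the change with a different key is rejected.
        resealed = build_manifest(root, key=b"attacker-guess")
        forged = audit(root, resealed)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The manifest detects deletion but does not undo it; restoring the file still depends on the retained older versions described in the list.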

With the right security measures in place, a company will not have to worry about its staff adding a few zeros to a company account or about a design being modified by a spy. It is vital that companies understand the perils of industrial espionage. Every organisation possesses sensitive proprietary information. Training must be imparted to company employees so that they learn how to effectively identify early warning signs of industrial espionage. Industrial espionage is not something to be taken lightly and is a big factor in today’s high stakes competitive business world.

Information security efforts must therefore provide countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security. It is strongly recommended that a company should follow up on the following concepts.

Technical Security: Countermeasures reduce the vulnerabilities present in electronic systems. These countermeasures ensure the confidentiality, integrity and availability of computer systems and networks. A good technical security effort also protects other electronic systems such as voice mail.

Operational Security: Addresses the business processes in use by a company that could compromise information through non-technical means. Likewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems/mobile phones, reduce the potential for the compromise of information.

Physical Security: A large number of information compromises occur due to simple breaking and entering and theft. Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as employees. Nobody should have a free roam of all corporate facilities. All employees must wear access badges that indicate their status, such as employee, temporary, visitor or contractor. This feature helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Another physical security issue to be addressed is the control of garbage. There have been numerous incidents of serious information compromises that have occurred solely from the content of an organisation’s garbage. Companies that have very high value information must also consider the control of their garbage.

Security programs must also stress the use of available protection mechanisms. Locks on office doors and file cabinets frequently go unused in many organisations. Clean desk policies, that require all sensitive information to be locked up, must also be enforced. There are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time. These products prevent the exploitation of computers that are not properly turned off when not in use.

Personnel Security: There must be a thorough investigation of all people with potential access to sensitive information. Since most information might be sensitive to different departments within an organisation, it should probably be a blanket policy to have a background check performed on all employees. The term employee is used broadly to include anyone with physical access to facilities or information. Facilities include any computer terminal that has access to corporate information.

Conclusions:

There is a tremendous focus by information security professionals on technical security. This is probably because information security professionals traditionally come from a technical background. When they receive funding for their efforts, their initial reactions are to spend the money on what they are most familiar with, which usually does not include awareness programs or the acquisition of shredders. Firewalls and other security tools are important, but unfortunately they only address a small part of the problem. All recent studies show that insiders pose the most serious threat to information, and firewalls do little to prevent the abuse.

It is time for commercial information security professionals to realise that information security is more than computer security. A comprehensive security programme that includes all security disciplines is the only effective countermeasure to a co-ordinated industrial espionage attack. A determined attacker will exploit the most vulnerable access points, and will not stop trying until they get what they want or are caught. A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for the attack to be successful are minimised.

The security of a company’s confidential information is one of great concern for businesses. Their information must be protected and secured. In the past there have been reports quoting issues of information and business secrets leakage within a company. Taking vital issues into consideration, an analysis of the possible threats to a company’s confidential information and the risks involved has been carried out, and listed listed in the table below. A security policy for addressing mobile phones and other communication enabled devices has been included to limit any threats to information security within the company premises. Further important measures have also been addressed to avoid industrial espionage in future as there were a few reported in the recent past.

Task 1

Following is the table listing possible threats, risks and their countermeasures:

Threat Risk(s) Loss Countermeasures
Fire: is the heat and light Property, buildings, Workstations, Fire protection
energy released during a employees and IT networks, engineering, fire exits,
chemical reaction. infrastructure. buildings, fire extinguishers,
employees. sandboxes.
Floods: is an overflow of IT infrastructure, Networks, Flood risk assessment.
an expanse of water that communications. workstations.
submerges land, a deluge.
Earth Quakes: is the Property, buildings Workstations, Earthquake
result of a sudden release and IT Networks, engineering.
of energy in the Earth’s infrastructure, buildings,
crust that creates seismic business employees,
waves. continuity, contractors.
communications.
Landslides: is a Property, buildings Networks, Geotechnical
geological phenomenon and IT workstations. engineering.
which includes a wide infrastructure,
range of ground network systems.
movement, such as rock
falls, deep failure of
slopes and shallow debris
flows, which can occur in
offshore, coastal and
onshore environments.
Hacker:  uses advanced Computer Confidential Firewalls, data
computer skills to attack equipment access and information. masking,
computers. information steganography,
invading. chaffing and
winnowing.
Cracker: violates system Wireless networks, Company Copy prevention,
security with malicious software systems, secrets and ransom ware,
intent. digital distribution. data. surveillance.
Script Kiddie: break into Data, programs, and Equipments Virtual systems,
computers to create equipments. and data. honeypots, victim
damage. hosts.
Spy: hired to break into a Sensitive and Company Naval mine,
computer and steal confidential secrets and steganography,
information. information at information. Firewalls, CCT
specific computer. Cameras, alarms.
Employee: largest Employee Company NCIS (Naval Criminal
information security threat ownership, instant secrets and Investigation session),
to business. messaging can be equipments. BPO security,
used to intelligence cycle,
communicate trade ERM, CCT cameras.
secrets, industrial
espionage.
Cyber terrorist: attack Wireless networks, Networks, Firewalls, Honeypots,
network and computer Internet, system Workstations. virtual systems access,
infrastructure to cause intrusions, critical Hardware logging,
panic. infrastructure. BCP Cyber security.
Visitors: who visits an Equipments, data. Workstations. CCT cameras, security
organisation with the guards, alarms.
intent of queries or
lookups.
Contractors:  an Technical Workstations, CCT Cameras,
organisation or individual intelligence, information. LANTRIN alarms.
that contracts with another computer security,
organisation or individual industrial espionage,
(the owner) for equipments.
construction or some other
facilities.
Virus: is a computer Data and running Software Anti Virus software,
program that can copy processes, systems and firewalls, computer
itself and infect a programs. processes, security centers.
computer without the workstation.
permission of the user.
Spyware: is computer Personal Bank accounts Anti spyware
software that is installed information, and other programs.
surreptitiously on a intercept control. personal
personal computer to information.
intercept control over the
user’s interaction with the
computer.
Malware: is software Grey Net, web Workstation. Crypto virology, MRP,
designed to infiltrate or threats. windows powershell.
damage a computer
system.
Phishing: is the PayPal, IDN Bank Antivirus, firewalls,
criminally fraudulent homograph, Internet accounts, digital certificates.
process of attempting to fraud, web threat. username and
acquire sensitive passwords.
information such as
usernames, passwords and
credit card details.
Spoofing: is a situation in Short Message Data security. Signals intelligence,
which one person or Service, Internet session fixation.
program successfully fraud, IP address.
masquerades as another
by falsifying data and
thereby gaining an
illegitimate advantage.
Root Kit: is malware System processes, Software Antivirus, SpectorSoft.
which consists of a Port knocking. systems,
program designed to take database
fundamental control of a transactions.
computer system.
Botnet: term for a Web threat, bank Bank accounts, Hash Cash, Fast Flux
collection of software fraud, and identity sensitive
robots that run theft. information.
autonomously and
automatically.
Back Door: is a method Authentication Sensitive Card readers,
of bypassing normal byepass, digital information. biometrics.
authentication, securing distribution.
remote access to a
computer, while
attempting to remain
undetected.
Trojan: is malware that SafeDisks, Spyware Workstation. Cryptovirology.
appears to perform a Strike.
desirable function but in
fact performs undisclosed
malicious functions
Logic Bomb: is a piece of Software systems Software Antivirus programs and
code that intentionally and processes. systems. firewalls.
inserted into a software
system that will set off a
malicious function when
specified conditions are
met.
Integrity: comprises Valuation risk, Data. Firewalls, antivirus
perceived consistency of system integrity. software, security
actions, values, methods, centres.
measures and principles.
Confidentiality: has been System integrity, Information. Information System
defined by the (ISO) as information. security controls.
“ensuring that information
is accessible only to those
authorised to have access”
and is one of the
cornerstones of
information security.
Availability: degree to Internet privacy, Workstations Penetration tests,
which a system, or hacking, wireless. and steganography.
equipment is operable and information.
in a committable state at
the start of a mission,
when the mission is called
for at an unknown time.
Authentication: is the act Data transactions, Workstation, ATM, firewalls,
of establishing or communications. information, cryptography.
confirming something as networks.
authentic, that is, that
claims made by or about
the thing are true.
Access Controls: is the Authentication, Workstations, Signals Intelligence,
ability to permit or deny information, networks, hardware key,
the use of a particular application sharing, sensitive loggers.
resource by a particular network access information.
entity. control.

Task 2

Security Policy to address the use of mobile phones within the premises.

Purpose:

The purpose of this document is to ensure that there is clarity around the use of mobile phones on company premises.

Scope:

This document is applicable to all employees in every department in the company and to all visitors and contractors on company premises.

Introduction:

In the past there have been a number of incidents reported related to industrial espionage and other confidential leaks within the company, which mainly involved the use of mobile phones and other communication enabled devices. This policy is introduced following the evidence that mobile phones may lead to the communication of trade secrets and interfere with the normal working of employees ,which may affect overall operations and the security of the company and other possible industrial espionage. On review, it is decided to impose a complete ban on the use of mobile phones and communication enabled devices, due to communications and the picture taking facility on many mobile phones. The R&D department has also issued an article, which confirmed that under certain circumstances, interference from mobile phones could affect the performance of some sensitive medical devices.

The issue for consideration is not simply communication between employees, visitors and contractors, but more significantly the potential for the camera and video facility to be used inappropriately and potentially illegally. This may lead to leakage of company secrets and other sensitive information.

Another consideration is the wide range of ring tones that can disruption in the working and research area for staff. In some cases there could be confusion with medical equipment alarm signals, resulting in genuine alarms being overlooked.

Use of mobile phones and other communication devices:

After considering the range of risks presented by the use of mobile phones on company premises it has been agreed that:-

Mobile phones may be used in the following areas:-

  • Lunch/Tea area.
  • Riverside pub and outside company premises.
  • Smoking area.
  • Entrance hall.
  • Staff car park.

The use of mobile phones by employees must not interfere with the work being undertaken and full attention to tasks must be observed all times.

Mobile phones may not be used in all other areas of the company including:-

  • Research and Development department.
  • Personnel department.
  • Marketing and Business development.
  • Strategic operations.
  • Information technology.
  • Customer Services department.

Communication:

Clear signage will be provided to identify those areas where mobile phones must not be used. Leaflets will be available explaining the company’s position on the use of mobile phones and this will also be included in the information pack for visitors and contractors.

Enforcing the policy:

Departmental managers will:-

  • Ensure that if their area is designated as an area where mobile phones cannot be used there are clear signs demonstrating this.
  • Encourage staff in the area to advise any person using a phone within the area of the restrictions and ask them to move to a suitable area.
  • Ensure that all staff report any use of a mobile phone to take photographs.

All employees will:-

  • Refrain from using mobile phones in areas as defined in this procedure and that are clearly signed.
  • Ensure that visitors and contractors are aware of this procedure and where mobile phones may be used.
  • Advise anyone using a mobile phone within a restricted area to move to a suitable area.
  • Advise anyone using a mobile phone to take photographs that this is against company procedure and, if they refuse to comply, security must be called and the incident must be recorded.

Security:-

  • Assist with any visitor, contractor or member of staff who refuses to comply with company procedure.
  • Should the person refuse to cease using the mobile phone, they should be escorted off site or a decision made to call the police.

Task 3

Industrial espionage refers to all the undercover activities that are performed by entrepreneurs for acquiring information on their rivals for commercial gain. As such, spying exercises are practiced by some leaders in the corporate world. Targeted victims of espionage activities range from rival business organisations to governmental agencies. Invariably, these deceived business units suffer huge monetary losses.

The real perpetrators are the executives of large companies, and they are rarely prosecuted. It is the small time offender who gets sentenced. Invariably, the transgressor gets apprehended in the very act of stealing the much sought after business information. Business competitors on the prowl seek information of all kinds. Every bit of information that is accessed is valuable and used appropriately. Strategy papers, engineering designs and details of new products help entrepreneurs supplement the information they have already gathered through reverse engineering. (Reverse engineering is the process of purchasing rival products and dismantling them to learn the secrets of the implemented technical know-how).

Information collection methods vary: agents might be recruited to work in the rival company and pass on the accessed information. Bribery of the employees of the rival organisation is also adopted. However, these traditional methods rely on engaging people to do the illicit work. The advent of computers has digitalised industrial espionage methods and has given a modern twist to white-collar crime.

The most blatant of methods of industrial espionage are stealing laptops or breaking into the offices of the opponent and walking away with their desktops. A few cases of espionage activity came to light when bribed employees in the Research and Development wing of a well known organisation were caught burning sensitive information on to CDs. Usually, the avaricious employees in any organisation prove to be the weakest link of the security chain. Such unethical employees are identified and approached by contacting them online.

Other unobtrusive digital methods pertain to installing key logger software programs that are used to record the keystrokes of the PC user. With this it is easy to gain access to user activity that would also include obtaining passwords, emails, etc. Detecting such spyware activity is becoming difficult as attackers have invented ways to avoid detection. Even if spyware activity is detected, pinning key logger activity as an industrial espionage act is difficult. Only digital forensics can help in such a scenario.

Businesses revolve around the information that they have. Business processes, marketing strategies, product designs and customer records are some of the information that determines how a company will fare in the market. Most of this information is housed in the company’s computer servers which can be cracked within a few minutes by an expert hacker. Hacked information may lead to lost profits, lost customers, invalid transactions and a lot more. In short, industrial espionage can destroy a business that has been built for decades. Industrial espionage may be committed by someone from within a company, someone from the competitor's end or at the level of end users.

Advancements in computer technology have paved the way for rampant espionage through hacking and spyware. The same technology can be used by companies to build a defense line in order to protect valuable information from industrial espionage.

Measures to avoid industrial espionage:

The possible security measures that a company can utilise to avoid future information disaster are given below:

  • Protection of internal network: The system must be designed so that the internal network is not exposed. Company partners must not have a direct or indirect access to a company’s internal network since this will make it vulnerable to spying.
  • Secure intermediate storage: Information that is for retrieval must reside in a secure location. Storing the files on the web servers, at an outsourced site, or any other insecure network may make it an easy target from the competition. A strict protocol must be implemented when accessing internal data. Encryption may provide confidentiality but the file can still be deleted or modified.
  • Protect resting data: Encrypt all resting data since it will make it unreadable to hackers and will maintain high confidentiality. There are several digital measures that can help in protecting sensitive business information.
  • Protect from file deletion: This can be done unintentionally or intentionally. It is best to keep older versions of files so that one may revert back to a working system if there is an access failure due to deleted system files.
  • Measures against data tampering: An authentication process must be in place to ensure that access to sensitive data will only be for authorised personnel. It will be wise to use digital signatures so people can be held accountable for illegal access.
  • Regular auditing and monitoring: This will provide a review of the process and ensure that all security measures are being carried out. Random audits can be a major deterrent for probable abusers.
  • Server protection: Transmission of data to the end users must incorporate authentication of identity. There must be a safety measure to confirm that allowable actions are the only ones taking place between server and end users.
  • User access schemes: Access to data should be classified according to departments and who can access it.
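
The list above notes that an encrypted file can still be deleted or modified, and recommends tamper checks and regular audits. The following Python code is an added example, not part of the original essay: it records a keyed baseline of a directory and later reports deleted, added and modified files. It uses an HMAC in place of the digital signatures the list mentions (an assumption, to stay within the standard library); the key, file names and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_tag(entries, key):
    """HMAC over the sorted path/digest pairs, so the manifest itself is tamper-evident."""
    body = "\n".join(f"{p}\x00{d}" for p, d in sorted(entries.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """Baseline: relative path -> digest for every file under root, plus the tag."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = file_digest(full)
    return {"entries": entries, "tag": manifest_tag(entries, key)}

def audit(root, manifest, key):
    """Compare the current tree with the baseline; refuse a baseline that was altered."""
    expected = manifest_tag(manifest["entries"], key)
    if not hmac.compare_digest(manifest["tag"], expected):
        raise ValueError("manifest has been altered")
    base = manifest["entries"]
    current = build_manifest(root, key)["entries"]
    return {
        "deleted": sorted(set(base) - set(current)),
        "added": sorted(set(current) - set(base)),
        "modified": sorted(p for p in base.keys() & current.keys() if base[p] != current[p]),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: a real key is stored away from the audited data
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("design.txt", b"rev A"), ("accounts.csv", b"total,1000\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root, key)
        with open(os.path.join(root, "accounts.csv"), "wb") as f:
            f.write(b"total,1000000\n")  # constructed tampering: zeros added to a figure
        os.remove(os.path.join(root, "design.txt"))  # constructed deletion
        return audit(root, baseline, key)
```

Restoring a deleted or modified file still depends on the older versions the list recommends keeping; the audit only shows which files need restoring.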

With the right security measures in place, a company will not have to worry about its staff adding a few zeros to a company account or a design being modified by a spy. It is vital that companies understand the perils of industrial espionage. Every organisation possesses sensitive proprietary information. Training must be imparted to company employees to learn how to effectively identify early warning signs of industrial espionage. Industrial espionage is not something to be taken lightly and is a big factor in today’s high stakes competitive business world.

Information security efforts must therefore include countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security. It is strongly recommended that a company should follow up on the following concepts.

Technical Security: Countermeasures reduce the vulnerabilities present in electronic systems. These countermeasures ensure the confidentiality, integrity and availability of computer systems and networks. A good technical security effort also protects other electronic systems such as voice mail.

Operational Security: Addresses the business processes in use by a company that could compromise information through non-technical means. Likewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems/mobile phones, reduce the potential for the compromise of information.

Physical Security: A large number of information compromises occur due to simple breaking and entering and theft. Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as employees. Nobody should have a free roam of all corporate facilities. All employees must wear access badges that indicate their status, such as employee, temporary, visitor or contractor. This feature helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Another physical security issue to be addressed is the control of garbage. There have been numerous incidents of serious information compromises that have occurred solely from the content of an organisation’s garbage. Companies that have very high value information must also consider the control of their garbage.

Security programs must also stress the use of available protection mechanisms. Locks on office doors and file cabinets frequently go unused in many organisations. Clean desk policies, that require all sensitive information to be locked up, must also be enforced. There are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time. These products prevent the exploitation of computers that are not properly turned off when not in use.

Personnel Security: There must be a thorough investigation of all people with potential access to sensitive information. Since most information might be sensitive to different departments within an organisation, it should probably be a blanket policy to have a background check performed on all employees. The term employee is used broadly to include anyone with physical access to facilities or information. Facilities include any computer terminal that has access to corporate information.

Conclusions:

There is a tremendous focus by information security professionals on technical security. This is probably because information security professionals traditionally come from a technical background. When they receive funding for their efforts, their initial reactions are to spend the money on what they are most familiar with, which usually does not include awareness programs or the acquisition of shredders. Firewalls and other security tools are important, but unfortunately they only address a small part of the problem. All recent studies show that insiders pose the most serious threat to information, and firewalls do little to prevent the abuse.

It is time for commercial information security professionals to realise that information security is more than computer security. A comprehensive security programme that includes all security disciplines is the only effective countermeasure to a co-ordinated industrial espionage attack. A determined attacker will exploit the most vulnerable access points, and will not stop trying until they get what they want or are caught. A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for the attack to be successful are minimised.