The discovery of possible threats, a policy for mobile phone use and measures to prevent industrial espionage in the future
Introduction
The security of a company’s confidential information is of great concern to businesses. This information must be protected and secured. In the past there have been reports of information and business secrets leaking from within a company. Taking these issues into consideration, an analysis of the possible threats to a company’s confidential information and the risks involved has been carried out and is listed in the table below. A security policy addressing mobile phones and other communication-enabled devices has been included to limit threats to information security within the company premises. Further measures are also set out to avoid industrial espionage in future, as a few cases were reported in the recent past.
Task 1
The following table lists possible threats, their risks, the resulting loss and countermeasures:
Threat | Risk(s) | Loss | Countermeasures |
Fire: is the heat and light energy released during a chemical reaction. | Property, buildings, employees and IT infrastructure. | Workstations, networks, buildings, employees. | Fire protection engineering, fire exits, fire extinguishers, sandboxes. |
Floods: is an overflow of an expanse of water that submerges land, a deluge. | IT infrastructure, communications. | Networks, workstations. | Flood risk assessment. |
Earthquakes: is the result of a sudden release of energy in the Earth’s crust that creates seismic waves. | Property, buildings and IT infrastructure, business continuity, communications. | Workstations, Networks, buildings, employees, contractors. | Earthquake engineering. |
Landslides: is a geological phenomenon which includes a wide range of ground movement, such as rock falls, deep failure of slopes and shallow debris flows, which can occur in offshore, coastal and onshore environments. | Property, buildings and IT infrastructure, network systems. | Networks, workstations. | Geotechnical engineering. |
Hacker: uses advanced computer skills to attack computers. | Computer equipment access and information invading. | Confidential information. | Firewalls, data masking, steganography, chaffing and winnowing. |
Cracker: violates system security with malicious intent. | Wireless networks, software systems, digital distribution. | Company secrets and data. | Copy prevention, ransom ware, surveillance. |
Script Kiddie: break into computers to create damage. | Data, programs, and equipments. | Equipments and data. | Virtual systems, honeypots, victim hosts. |
Spy: hired to break into a computer and steal information. | Sensitive and confidential information at specific computer. | Company secrets and information. | Naval mine, steganography, Firewalls, CCT Cameras, alarms. |
Employee: largest information security threat to business. | Employee ownership, instant messaging can be used to communicate trade secrets, industrial espionage. | Company secrets and equipments. | NCIS (Naval Criminal Investigation session), BPO security, intelligence cycle, ERM, CCT cameras. |
Cyber terrorist: attack network and computer infrastructure to cause panic. | Wireless networks, Internet, system intrusions, critical infrastructure. BCP | Networks, Workstations. | Firewalls, Honeypots, virtual systems access, Hardware logging, Cyber security. |
Visitors: who visits an organisation with the intent of queries or lookups. | Equipments, data. | Workstations. | CCT cameras, security guards, alarms. |
Contractors: an organisation or individual that contracts with another organisation or individual (the owner) for construction or some other facilities. | Technical intelligence, computer security, industrial espionage, equipments. | Workstations, information. | CCT Cameras, LANTRIN alarms. |
Virus: is a computer program that can copy itself and infect a computer without the permission of the user. | Data and running processes, programs. | Software systems and processes, workstation. | Anti Virus software, firewalls, computer security centers. |
Spyware: is computer software that is installed surreptitiously on a personal computer to intercept control over the user’s interaction with the computer. | Personal information, intercept control. | Bank accounts and other personal information. | Anti spyware programs. |
Malware: is software designed to infiltrate or damage a computer system. | Grey Net, web threats. | Workstation. | Crypto virology, MRP, windows powershell. |
Phishing: is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details. | PayPal, IDN homograph, Internet fraud, web threat. | Bank accounts, username and passwords. | Antivirus, firewalls, digital certificates. |
Spoofing: is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. | Short Message Service, Internet fraud, IP address. | Data security. | Signals intelligence, session fixation. |
Root Kit: is malware which consists of a program designed to take fundamental control of a computer system. | System processes, Port knocking. | Software systems, database transactions. | Antivirus, SpectorSoft. |
Botnet: term for a collection of software robots that run autonomously and automatically. | Web threat, bank fraud, and identity theft. | Bank accounts, sensitive information. | Hash Cash, Fast Flux |
Back Door: is a method of bypassing normal authentication, securing remote access to a computer, while attempting to remain undetected. | Authentication bypass, digital distribution. | Sensitive information. | Card readers, biometrics. |
Trojan: is malware that appears to perform a desirable function but in fact performs undisclosed malicious functions | SafeDisks, Spyware Strike. | Workstation. | Cryptovirology. |
Logic Bomb: is a piece of code that is intentionally inserted into a software system that will set off a malicious function when specified conditions are met. | Software systems and processes. | Software systems. | Antivirus programs and firewalls. |
Integrity: comprises perceived consistency of actions, values, methods, measures and principles. | Valuation risk, system integrity. | Data. | Firewalls, antivirus software, security centres. |
Confidentiality: has been defined by the (ISO) as “ensuring that information is accessible only to those authorised to have access” and is one of the cornerstones of information security. | System integrity, information. | Information. | Information System security controls. |
Availability: degree to which a system, or equipment is operable and in a committable state at the start of a mission, when the mission is called for at an unknown time. | Internet privacy, hacking, wireless. | Workstations and information. | Penetration tests, steganography. |
Authentication: is the act of establishing or confirming something as authentic, that is, that claims made by or about the thing are true. | Data transactions, communications. | Workstation, information, networks. | ATM, firewalls, cryptography. |
Access Controls: is the ability to permit or deny the use of a particular resource by a particular entity. | Authentication, information, application sharing, network access control. | Workstations, networks, sensitive information. | Signals Intelligence, hardware key, loggers. |
Task 2
Security Policy to address the use of mobile phones within the premises.
Purpose:
The purpose of this document is to ensure that there is clarity around the use of mobile phones on company premises.
Scope:
This document is applicable to all employees in every department in the company and to all visitors and contractors on company premises.
Introduction:
In the past there have been a number of reported incidents related to industrial espionage and other confidential leaks within the company, which mainly involved the use of mobile phones and other communication-enabled devices. This policy is introduced following evidence that mobile phones may lead to the communication of trade secrets and interfere with the normal working of employees, which may affect the overall operations and security of the company and lead to other possible industrial espionage. On review, it has been decided to impose a complete ban on the use of mobile phones and communication-enabled devices, because of the communication and picture-taking facilities on many mobile phones. The R&D department has also issued an article, which confirmed that under certain circumstances, interference from mobile phones could affect the performance of some sensitive medical devices.
The issue for consideration is not simply communication between employees, visitors and contractors, but more significantly the potential for the camera and video facility to be used inappropriately and potentially illegally. This may lead to leakage of company secrets and other sensitive information.
Another consideration is the wide range of ring tones, which can cause disruption in the working and research areas for staff. In some cases there could be confusion with medical equipment alarm signals, resulting in genuine alarms being overlooked.
Use of mobile phones and other communication devices:
After considering the range of risks presented by the use of mobile phones on company premises it has been agreed that:-
Mobile phones may be used in the following areas:-
- Lunch/Tea area.
- Riverside pub and outside company premises.
- Smoking area.
- Entrance hall.
- Staff car park.
The use of mobile phones by employees must not interfere with the work being undertaken, and full attention to tasks must be observed at all times.
Mobile phones may not be used in all other areas of the company including:-
- Research and Development department.
- Personnel department.
- Marketing and Business development.
- Strategic operations.
- Information technology.
- Customer Services department.
Communication:
Clear signage will be provided to identify those areas where mobile phones must not be used. Leaflets will be available explaining the company’s position on the use of mobile phones, and this will also be included in the information pack for visitors and contractors.
Enforcing the policy:
Departmental managers will:-
- Ensure that if their area is designated as an area where mobile phones cannot be used there are clear signs demonstrating this.
- Encourage staff in the area to advise any person using a phone within the area of the restrictions and ask them to move to a suitable area.
- Ensure that all staff report any use of a mobile phone to take photographs.
All employees will:-
- Refrain from using mobile phones in areas as defined in this procedure and that are clearly signed.
- Ensure that visitors and contractors are aware of this procedure and where mobile phones may be used.
- Advise anyone using a mobile phone within a restricted area to move to a suitable area.
- Advise anyone using a mobile phone to take photographs that this is against company procedure and if they refuse to comply, security must be called and the incident must be recorded.
Security:-
- Assist with any visitor, contractor or member of staff who refuses to comply with company procedure.
- Should the person refuse to cease using the mobile phone, they should be escorted off site or a decision made to call the police.
Task 3
Industrial espionage refers to all the undercover activities that are performed by entrepreneurs for acquiring information on their rivals for commercial gain. As such, spying exercises are practiced by some leaders in the corporate world. Targeted victims of espionage activities range from rival business organisations to governmental agencies. Invariably, these deceived business units suffer huge monetary losses.
The real perpetrators are the executives of large companies, and they are rarely prosecuted. It is the small time offender who gets sentenced. Invariably, the transgressor gets apprehended in the very act of stealing the much sought after business information. Business competitors on the prowl seek information of all kinds. Every bit of information that is accessed is valuable and used appropriately. Strategy papers, engineering designs and details of new products help entrepreneurs supplement the information they have already gathered through reverse engineering. (Reverse engineering is the process of purchasing rival products and dismantling them to learn the secrets of the implemented technical know-how).
Information collection methods vary: agents might be recruited to work in the rival company and pass on the accessed information. Bribery of the employees of the rival organisation is also adopted. However, these traditional methods rely on engaging people to do the illicit work. The advent of computers has digitalised industrial espionage methods and has given a modern twist to white-collar crime.
The most blatant of methods of industrial espionage are stealing laptops or breaking into the offices of the opponent and walking away with their desktops. A few cases of espionage activity came to light when bribed employees in the Research and Development wing of a well-known organisation were caught burning sensitive information on to CDs. Usually, the avaricious employees in any organisation prove to be the weakest link of the security chain. Such unethical employees are identified and approached by contacting them online.
Other unobtrusive digital methods pertain to installing key logger software programs that are used to record the keystrokes of the PC user. With this it is easy to gain access to user activity, which would also include obtaining passwords, emails, etc. Detecting such spyware activity is becoming difficult as attackers have invented ways to avoid detection. Even if spyware activity is detected, pinning key logger activity as an industrial espionage act is difficult. Only digital forensics can help in such a scenario. Businesses revolve around the information that they have. Business processes, marketing strategies, product designs and customer records are some of the information that determines how a company will fare in the market. Most of this information is housed in the company’s computer servers, which can be cracked within a few minutes by an expert hacker. Hacked information may lead to lost profits, lost customers, invalid transactions and a lot more. In short, industrial espionage can destroy a business that has been built for decades. Industrial espionage may be committed by someone from within a company, someone from the competitor’s end or at the level of end users.
Advancements in computer technology have paved the way for rampant espionage through hacking and spyware. The same technology can be used by companies to build a defence line in order to protect valuable information from industrial espionage.
Measures to avoid industrial espionage:
The possible security measures that a company can utilise to avoid future information disaster are given below:
- Protection of internal network: The system must be designed so that the internal network is not exposed. Company partners must not have direct or indirect access to a company’s internal network since this will make it vulnerable to spying.
- Secure intermediate storage: Information that is for retrieval must reside in a secure location. Storing the files on the web servers, at an outsourced site, or on any other insecure network may make them an easy target for the competition. A strict protocol must be implemented when accessing internal data. Encryption may provide confidentiality but the file can still be deleted or modified.
- Protect resting data: Encrypt all resting data since it will make it unreadable to hackers and will maintain high confidentiality. There are several digital measures that can help in protecting sensitive business information.
- Protect from file deletion: Deletion can happen unintentionally or intentionally. It is best to keep older versions of files so that one may revert to a working system if there is an access failure due to deleted system files.
- Measures against data tampering: An authentication process must be in place to ensure that access to sensitive data will only be for authorised personnel. It will be wise to use digital signatures so people can be held accountable for illegal access.
- Regular auditing and monitoring: This will provide a review of the process and ensure that all security measures are being carried out. Random audits can be a major deterrent for probable abusers.
- Server protection: Transmission of data to the end users must incorporate authentication of identity. There must be a safety measure to confirm that allowable actions are the only ones taking place between server and end users.
- User access schemes: Access to data should be classified according to departments and who can access it.
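The caveat in the storage item (an encrypted file can still be modified or deleted) and the tampering and auditing items can be seen working together in the following Python sketch, which is an added example and not part of the original essay. The file names, keys and the toy cipher are constructed for illustration, and an HMAC-authenticated manifest from the standard library stands in for a true digital signature: it detects tampering, but because the key is shared it does not prove which key holder wrote the manifest.

```python
import hashlib
import hmac
import json


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode), constructed only to show
    what unauthenticated encryption does; real data needs a vetted library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_manifest(store, mac_key, signer):
    """Record a SHA-256 digest per stored file and authenticate the record."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in store.items()}
    body = json.dumps({"signer": signer, "files": digests}, sort_keys=True)
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def audit(store, manifest, mac_key):
    """Compare the current store with the manifest; report what changed."""
    report = {"manifest_valid": False, "modified": [], "deleted": [], "unexpected": []}
    expected = hmac.new(mac_key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return report  # the manifest itself was altered or made with another key
    recorded = json.loads(manifest["body"])["files"]
    report["manifest_valid"] = True
    report["modified"] = sorted(
        name for name, digest in recorded.items()
        if name in store and hashlib.sha256(store[name]).hexdigest() != digest
    )
    report["deleted"] = sorted(name for name in recorded if name not in store)
    report["unexpected"] = sorted(name for name in store if name not in recorded)
    return report


def run_demo():
    enc_key = b"constructed-encryption-key"   # sample value, not a real key
    mac_key = b"constructed-manifest-key"     # sample value, not a real key
    plain = {                                  # constructed sample files
        "design/rotor-v3.txt": b"blade pitch 12.5 degrees",
        "finance/q3-forecast.csv": b"region,revenue\nnorth,100000\n",
        "strategy/launch-plan.txt": b"launch window: week 40",
    }
    # Encrypt every file at rest; the file name doubles as the nonce here.
    store = {n: keystream_xor(enc_key, n.encode(), d) for n, d in plain.items()}
    manifest = build_manifest(store, mac_key, signer="records-custodian")
    clean = audit(store, manifest, mac_key)

    # Someone with write access but no keys changes one ciphertext byte
    # and removes another file.
    name = "finance/q3-forecast.csv"
    blob = bytearray(store[name])
    blob[21] ^= 0x08
    store[name] = bytes(blob)
    del store["strategy/launch-plan.txt"]

    # Decryption still succeeds and silently yields altered figures ...
    decrypted = keystream_xor(enc_key, name.encode(), store[name])
    # ... while the audit against the authenticated manifest flags both changes.
    report = audit(store, manifest, mac_key)
    return decrypted, clean, report


if __name__ == "__main__":
    decrypted, clean, report = run_demo()
    print("audit before changes:", clean)
    print("decrypted after change:", decrypted)
    print("audit after changes:", report)
```

Run periodically, an audit like this is one concrete form of the regular auditing item, and the older file versions from the deletion item are what the flagged files would be restored from.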
With the right security measures in place, a company will not have to worry about its staff adding a few zeros to a company account or about a design being modified by a spy. It is vital that companies understand the perils of industrial espionage. Every organisation possesses sensitive proprietary information. Training must be imparted to company employees so that they learn how to effectively identify early warning signs of industrial espionage. Industrial espionage is not something to be taken lightly and is a big factor in today’s high stakes competitive business world.
Information security efforts must therefore include countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security. It is strongly recommended that a company should follow up on the following concepts.
Technical Security: Countermeasures reduce the vulnerabilities present in electronic systems. These countermeasures ensure the confidentiality, integrity and availability of computer systems and networks. A good technical security effort also protects other electronic systems such as voice mail.
Operational Security: Addresses the business processes in use by a company that could compromise information through non-technical means. Likewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems/mobile phones, reduce the potential for the compromise of information.
Physical Security: A large number of information compromises occur due to simple breaking and entering and theft. Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as employees. Nobody should have a free roam of all corporate facilities. All employees must wear access badges that indicate their status, such as employee, temporary, visitor or contractor. This feature helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Another physical security issue to be addressed is the control of garbage. There have been numerous incidents of serious information compromises that have occurred solely from the content of an organisation’s garbage. Companies that have very high value information must also consider the control of their garbage.
Security programs must also stress the use of available protection mechanisms. Locks on office doors and file cabinets frequently go unused in many organisations. Clean desk policies, that require all sensitive information to be locked up, must also be enforced. There are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time. These products prevent the exploitation of computers that are not properly turned off when not in use.
Personnel Security: There must be a thorough investigation of all people with potential access to sensitive information. Since most information might be sensitive to different departments within an organisation, it should probably be a blanket policy to have a background check performed on all employees. The term employee is used broadly to include anyone with physical access to facilities or information. Facilities include any computer terminal that has access to corporate information.
Conclusions:
There is a tremendous focus by information security professionals on technical security. This is probably because information security professionals traditionally come from a technical background. When they receive funding for their efforts, their initial reaction is to spend the money on what they are most familiar with, which usually does not include awareness programs or the acquisition of shredders. Firewalls and other security tools are important, but unfortunately they only address a small part of the problem. All recent studies show that insiders pose the most serious threat to information, and firewalls do little to prevent the abuse.
It is time for commercial information security professionals to realise that information security is more than computer security. A comprehensive security programme that includes all security disciplines is the only effective countermeasure to a co-ordinated industrial espionage attack. A determined attacker will exploit the most vulnerable access points, and will not stop trying until they get what they want or are caught. A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for the attack to be successful are minimised.
The security of a company’s confidential information is one of great concern for businesses. Their information must be protected and secured. In the past there have been reports quoting issues of information and business secrets leakage within a company. Taking vital issues into consideration, an analysis of the possible threats to a company’s confidential information and the risks involved has been carried out, and listed listed in the table below. A security policy for addressing mobile phones and other communication enabled devices has been included to limit any threats to information security within the company premises. Further important measures have also been addressed to avoid industrial espionage in future as there were a few reported in the recent past.
Task 1
Following is the table listing possible threats, risks and their countermeasures:
Threat | Risk(s) | Loss | Countermeasures |
Fire: is the heat and light | Property, buildings, | Workstations, | Fire protection |
energy released during a | employees and IT | networks, | engineering, fire exits, |
chemical reaction. | infrastructure. | buildings, | fire extinguishers, |
employees. | sandboxes. | ||
Floods: is an overflow of | IT infrastructure, | Networks, | Flood risk assessment. |
an expanse of water that | communications. | workstations. | |
submerges land, a deluge. | |||
Earth Quakes: is the | Property, buildings | Workstations, | Earthquake |
result of a sudden release | and IT | Networks, | engineering. |
of energy in the Earth’s | infrastructure, | buildings, | |
crust that creates seismic | business | employees, | |
waves. | continuity, | contractors. | |
communications. | |||
Landslides: is a | Property, buildings | Networks, | Geotechnical |
geological phenomenon | and IT | workstations. | engineering. |
which includes a wide | infrastructure, | ||
range of ground | network systems. | ||
movement, such as rock | |||
falls, deep failure of | |||
slopes and shallow debris | |||
flows, which can occur in | |||
offshore, coastal and | |||
onshore environments. | |||
Hacker: uses advanced | Computer | Confidential | Firewalls, data |
computer skills to attack | equipment access and | information. | masking, |
computers. | information | steganography, | |
invading. | chaffing and | ||
winnowing. | |||
Cracker: violates system | Wireless networks, | Company | Copy prevention, |
security with malicious | software systems, | secrets and | ransom ware, |
intent. | digital distribution. | data. | surveillance. |
Script Kiddie: break into | Data, programs, and | Equipments | Virtual systems, |
computers to create | equipments. | and data. | honeypots, victim |
damage. | hosts. | ||
Spy: hired to break into a | Sensitive and | Company | Naval mine, |
computer and steal | confidential | secrets and | steganography, |
information. | information at | information. | Firewalls, CCT |
specific computer. | Cameras, alarms. | ||
Employee: largest | Employee | Company | NCIS (Naval Criminal |
information security threat | ownership, instant | secrets and | Investigation session), |
to business. | messaging can be | equipments. | BPO security, |
used to | intelligence cycle, | ||
communicate trade | ERM, CCT cameras. | ||
secrets, industrial | |||
espionage. | |||
Cyber terrorist: attack | Wireless networks, | Networks, | Firewalls, Honeypots, |
network and computer | Internet, system | Workstations. | virtual systems access, |
infrastructure to cause | intrusions, critical | Hardware logging, | |
panic. | infrastructure. BCP | Cyber security. | |
Visitors: who visits an | Equipments, data. | Workstations. | CCT cameras, security |
organisation with the | guards, alarms. | ||
intent of queries or | |||
lookups. | |||
Contractors: an | Technical | Workstations, | CCT Cameras, |
organisation or individual | intelligence, | information. | LANTRIN alarms. |
that contracts with another | computer security, | ||
organisation or individual | industrial espionage, | ||
(the owner) for | equipments. | ||
construction or some other | |||
facilities. | |||
Virus: is a computer | Data and running | Software | Anti Virus software, |
program that can copy | processes, | systems and | firewalls, computer |
itself and infect a | programs. | processes, | security centers. |
computer without the | workstation. | ||
permission of the user. | |||
Spyware: is computer | Personal | Bank accounts | Anti spyware |
software that is installed | information, | and other | programs. |
surreptitiously on a | intercept control. | personal | |
personal computer to | information. | ||
intercept control over the | |||
user’s interaction with the | |||
computer. | |||
Malware: is software | Grey Net, web | Workstation. | Crypto virology, MRP, |
designed to infiltrate or | threats. | windows powershell. | |
damage a computer | |||
system. | |||
Phishing: is the | PayPal, IDN | Bank | Antivirus, firewalls, |
criminally fraudulent | homograph, Internet | accounts, | digital certificates. |
process of attempting to | fraud, web threat. | username and | |
acquire sensitive | passwords. | ||
information such as | |||
usernames, passwords and | |||
credit card details. | |||
Spoofing: is a situation in | Short Message | Data security. | Signals intelligence, |
which one person or | Service, Internet | session fixation. | |
program successfully | fraud, IP address. | ||
masquerades as another | |||
by falsifying data and | |||
thereby gaining an | |||
illegitimate advantage. | |||
Root Kit: is malware | System processes, | Software | Antivirus, SpectorSoft. |
which consists of a | Port knocking. | systems, | |
program designed to take | database | ||
fundamental control of a | transactions. | ||
computer system. | |||
Botnet: term for a | Web threat, bank | Bank accounts, | Hash Cash, Fast Flux |
collection of software | fraud, and identity | sensitive | |
robots that run | theft. | information. | |
autonomously and | |||
automatically. | |||
Back Door: is a method | Authentication | Sensitive | Card readers, |
of bypassing normal | byepass, digital | information. | biometrics. |
authentication, securing | distribution. | ||
remote access to a | |||
computer, while | |||
attempting to remain | |||
undetected. | |||
Trojan: is malware that | SafeDisks, Spyware | Workstation. | Cryptovirology. |
appears to perform a | Strike. | ||
desirable function but in | |||
fact performs undisclosed | |||
malicious functions | |||
Logic Bomb: is a piece of | Software systems | Software | Antivirus programs and |
code that intentionally | and processes. | systems. | firewalls. |
inserted into a software | |||
system that will set off a | |||
malicious function when | |||
specified conditions are | |||
met. | |||
Integrity: comprises | Valuation risk, | Data. | Firewalls, antivirus |
perceived consistency of | system integrity. | software, security | |
actions, values, methods, | centres. | ||
measures and principles. | |||
Confidentiality: has been | System integrity, | Information. | Information System |
defined by the (ISO) as | information. | security controls. | |
“ensuring that information | |||
is accessible only to those | |||
authorised to have access” | |||
and is one of the | |||
cornerstones of | |||
information security. | |||
Availability: degree to | Internet privacy, | Workstations | Penetration tests, |
which a system, or | hacking, wireless. | and | steganography. |
equipment is operable and | information. | ||
in a committable state at | |||
the start of a mission, | |||
when the mission is called | |||
for at an unknown time. | |||
Authentication: is the act | Data transactions, | Workstation, | ATM, firewalls, |
of establishing or | communications. | information, | cryptography. |
confirming something as | networks. | ||
authentic, that is, that | |||
claims made by or about | |||
the thing are true. | |||
Access Controls: is the | Authentication, | Workstations, | Signals Intelligence, |
ability to permit or deny | information, | networks, | hardware key, |
the use of a particular | application sharing, | sensitive | loggers. |
resource by a particular | network access | information. | |
entity. | control. |
Task 2
Security Policy to address the use of mobile phones within the premises.
Purpose:
The purpose of this document is to ensure that there is clarity around the use of mobile phones on company premises.
Scope:
This document is applicable to all employees in every department in the company and to all visitors and contractors on company premises.
Introduction:
In the past there have been a number of incidents reported related to industrial espionage and other confidential leaks within the company, which mainly involved the use of mobile phones and other communication enabled devices. This policy is introduced following the evidence that mobile phones may lead to the communication of trade secrets and interfere with the normal working of employees ,which may affect overall operations and the security of the company and other possible industrial espionage. On review, it is decided to impose a complete ban on the use of mobile phones and communication enabled devices, due to communications and the picture taking facility on many mobile phones. The R&D department has also issued an article, which confirmed that under certain circumstances, interference from mobile phones could affect the performance of some sensitive medical devices.
The issue for consideration is not simply communication between employees, visitors and contractors, but more significantly the potential for the camera and video facility to be used inappropriately and potentially illegally. This may lead to leakage of company secrets and other sensitive information.
Another consideration is the wide range of ring tones that can cause disruption in the working and research area for staff. In some cases there could be confusion with medical equipment alarm signals, resulting in genuine alarms being overlooked.
Use of mobile phones and other communication devices:
After considering the range of risks presented by the use of mobile phones on company premises it has been agreed that:-
Mobile phones may be used in the following areas:-
- Lunch/Tea area.
- Riverside pub and outside company premises.
- Smoking area.
- Entrance hall.
- Staff car park.
The use of mobile phones by employees must not interfere with the work being undertaken and full attention to tasks must be observed at all times.
Mobile phones may not be used in all other areas of the company including:-
- Research and Development department.
- Personnel department.
- Marketing and Business development.
- Strategic operations.
- Information technology.
- Customer Services department.
Communication:
Clear signage will be provided to identify those areas where mobile phones must not be used. Leaflets will be available explaining the company’s position on the use of mobile phones and this will also be included in the information pack for visitors and contractors.
Enforcing the policy:
Departmental managers will:-
- Ensure that if their area is designated as an area where mobile phones cannot be used there are clear signs demonstrating this.
- Encourage staff in the area to advise any person using a phone within the area of the restrictions and ask them to move to a suitable area.
- Ensure that all staff report any use of a mobile phone to take photographs.
All employees will:-
- Refrain from using mobile phones in areas as defined in this procedure and that are clearly signed.
- Ensure that visitors and contractors are aware of this procedure and where mobile phones may be used.
- Advise anyone using a mobile phone within a restricted area to move to a suitable area.
- Advise anyone using a mobile phone to take photographs that this is against company procedure and if they refuse to comply security must be called and the incident must be recorded.
Security:-
- Assist with any visitor, contractor or member of staff who refuses to comply with company procedure.
- Should the person refuse to cease using the mobile phone then they should be escorted off site or a decision made to call the police.
Task 3
Industrial espionage refers to all the undercover activities that are performed by entrepreneurs for acquiring information on their rivals for commercial gain. As such, spying exercises are practiced by some leaders in the corporate world. Targeted victims of espionage activities range from rival business organisations to governmental agencies. Invariably, these deceived business units suffer huge monetary losses.
The real perpetrators are the executives of large companies, and they are rarely prosecuted. It is the small time offender who gets sentenced. Invariably, the transgressor gets apprehended in the very act of stealing the much sought after business information. Business competitors on the prowl seek information of all kinds. Every bit of information that is accessed is valuable and used appropriately. Strategy papers, engineering designs and details of new products help entrepreneurs supplement the information they have already gathered through reverse engineering. (Reverse engineering is the process of purchasing rival products and dismantling them to learn the secrets of the implemented technical know-how).
Information collection methods vary: agents might be recruited to work in the rival company and pass on the accessed information. Bribery of the employees of the rival organisation is also adopted. However, these traditional methods rely on engaging people to do the illicit work. The advent of computers has digitalised industrial espionage methods and has given a modern twist to white-collar crime.
The most blatant of methods of industrial espionage are stealing laptops or breaking into the offices of the opponent and walking away with their desktops. A few cases of espionage activity came to light when bribed employees in the Research and Development wing of a well known organisation were caught burning sensitive information on to CDs. Usually, the avaricious employees in any organisation prove to be the weakest link of the security chain. Such unethical employees are identified and approached by contacting them online.
Other unobtrusive digital methods pertain to installing key logger software programs that are used to record the keystrokes of the PC user. With this it is easy to gain access to user activity, which would also include obtaining passwords, emails, etc. Detecting such spyware activity is becoming difficult as attackers have invented ways to avoid detection. Even if spyware activity is detected, pinning key logger activity as an industrial espionage act is difficult. Only digital forensics can help in such a scenario.
Businesses revolve around the information that they have. Business processes, marketing strategies, product designs and customer records are some of the information that determines how a company will fare in the market. Most of this information is housed in the company’s computer servers which can be cracked within a few minutes by an expert hacker. Hacked information may lead to lost profits, lost customers, invalid transactions and a lot more. In short, industrial espionage can destroy a business that has been built for decades. Industrial espionage may be committed by someone from within a company, someone from the competitor’s end or at the level of end users.
Advancements in computer technology have paved the way for rampant espionage through hacking and spyware. The same technology can be used by companies to build a defense line in order to protect valuable information from industrial espionage.
Measures to avoid industrial espionage:
The possible security measures that a company can utilise to avoid future information disaster are given below:
- Protection of internal network: The system must be designed so that the internal network is not exposed. Company partners must not have direct or indirect access to a company’s internal network since this will make it vulnerable to spying.
- Secure intermediate storage: Information that is for retrieval must reside in a secure location. Storing the files on the web servers, at an outsourced site, or on any other insecure network may make them an easy target for the competition. A strict protocol must be implemented when accessing internal data. Encryption may provide confidentiality but the file can still be deleted or modified.
- Protect resting data: Encrypt all resting data since it will make it unreadable to hackers and will maintain high confidentiality. There are several digital measures that can help in protecting sensitive business information.
- Protect from file deletion: This can be done unintentionally or intentionally. It is best to keep older versions of files so that one may revert back to a working system if there is an access failure due to deleted system files.
- Measures against data tampering: An authentication process must be in place to ensure that access to sensitive data will only be for authorised personnel. It will be wise to use digital signatures so people can be held accountable for illegal access.
- Regular auditing and monitoring: This will provide a review of the process and ensure that all security measures are being carried out. Random audits can be a major deterrent for probable abusers.
- Server protection: Transmission of data to the end users must incorporate authentication of identity. There must be a safety measure to confirm that allowable actions are the only ones taking place between server and end users.
- User access schemes: Access to data should be classified according to departments and who can access it.
With the right security measures in place, a company will not have to worry about its staff adding a few zeros to a company account or about a design being modified by a spy. It is vital that companies understand the perils of industrial espionage. Every organisation possesses sensitive proprietary information. Training must be imparted to company employees so that they learn how to effectively identify early warning signs of industrial espionage. Industrial espionage is not something to be taken lightly and is a big factor in today’s high stakes competitive business world.
Information security efforts must therefore employ countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security. It is strongly recommended that a company should follow up on the following concepts.
Technical Security: Countermeasures reduce the vulnerabilities present in electronic systems. These countermeasures ensure the confidentiality, integrity and availability of computer systems and networks. A good technical security effort also protects other electronic systems such as voice mail.
Operational Security: Addresses the business processes in use by a company that could compromise information through non-technical means. Likewise, policies on restricting the use of open communication lines, such as the Internet and telephone systems/mobile phones, reduce the potential for the compromise of information.
Physical Security: A large number of information compromises occur due to simple breaking and entering and theft. Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as employees. Nobody should have a free roam of all corporate facilities. All employees must wear access badges that indicate their status, such as employee, temporary, visitor or contractor. This feature helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Another physical security issue to be addressed is the control of garbage. There have been numerous incidents of serious information compromises that have occurred solely from the content of an organisation’s garbage. Companies that have very high value information must also consider the control of their garbage.
Security programs must also stress the use of available protection mechanisms. Locks on office doors and file cabinets frequently go unused in many organisations. Clean desk policies, that require all sensitive information to be locked up, must also be enforced. There are also computer locking products available that prevent computer access if it is turned off or idle for a certain period of time. These products prevent the exploitation of computers that are not properly turned off when not in use.
Personnel Security: There must be a thorough investigation of all people with potential access to sensitive information. Since most information might be sensitive to different departments within an organisation, it should probably be a blanket policy to have a background check performed on all employees. The term employee is used broadly to include anyone with physical access to facilities or information. Facilities include any computer terminal that has access to corporate information.
Conclusions:
There is a tremendous focus by information security professionals on technical security. This is probably because information security professionals traditionally come from a technical background. When they receive funding for their efforts, their initial reaction is to spend the money on what they are most familiar with, which usually does not include awareness programs or the acquisition of shredders. Firewalls and other security tools are important, but unfortunately they only address a small part of the problem. All recent studies show that insiders pose the most serious threat to information, and firewalls do little to prevent the abuse.
It is time for commercial information security professionals to realise that information security is more than computer security. A comprehensive security programme that includes all security disciplines is the only effective countermeasure to a co-ordinated industrial espionage attack. A determined attacker will exploit the most vulnerable access points, and will not stop trying until they get what they want or are caught. A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for the attack to be successful are minimised.