Security - It’s a steal
The Director Magazine - The Institute of Directors ❘ October 2004
Just how careless can directors get? Their computer security set-up may be regularly swept for viruses and bugging devices at work. Cleaners and contractors vetted. Office photocopiers and fax machines might even get locked away each evening. But when working from home, many directors rely on unsecured Web-based email. Meanwhile, their home computers could be allowing Trojan hacker programs to interrogate the hard disk.
“We had a client whose company was worth around £5bn,” says Alex Bomberg, director of corporate security firm International Intelligence. “He had offices around the world, yet was working from home, using a computer that his 15-year-old son was using to surf for pornography. You have to have a secure email address and computer,” he says.
Security - or the lack of it - is increasingly making bosses nervous. A new survey by security company Kroll for Director reveals that directors are more worried about intellectual property (IP) theft than any other business threat. One difficulty with British IP theft, in particular, says Jeremy Hertzog, IP partner at law firm Mishcon de Reya, is that it gets looked at by too many departments. “The most switched-on companies have a dedicated person. But less experienced companies will have everyone from the finance director to the brand manager involved.” He adds: “Most are alive to the issue, but some perceive it as throwing good money after bad.”
Another threat raised in the Director/Kroll survey is that of insolvency among key clients or suppliers. But directors could take more action against being dragged down by suppliers or third-party crime. Although the UK is generally perceived as disclosure-friendly as far as information is concerned, vetting is worse than useless if the information itself is out-of-date. A supplier may have been around for three years but might have filed only one year’s accounts.
Chris Morgan-Jones, head of the Central and Eastern European practice at Kroll, says you can check out your suppliers or partners without spending too much cash by using the Web. “People expect greater stringency. It is now normal business protocol (to ask more questions about new business partners),” he says.
He also advises directors to devour all the information they can on new or potential trading partners. “Develop someone in-house who has a flair for research and have them trained on what other sources you can use to establish whether customers or suppliers are bona fide. Don’t underestimate the power of Google; use press databases; check to see if there’s any indication of precedent for bad behaviour”.
Turning your attention to the security of others can be daunting and can also reflect badly on the state of your own business. Pinpointing your own weaknesses could even make you liable for damages, points out Peter Power of corporate specialists Visor Consultants. “Often, when you have a one-to-one with a director you can get a strong sense of apathy. It’s an apathy born out of not wishing to look. Once you do you are duty-bound to record these things, and if you do, a lawyer can beat you over the head with it.”
Companies employing more than seven people are obliged to carry out full risk assessments that deal with everyday, real-world risk as opposed to terrorist attack. “Under health and safety regulation,” says Power, “if you fail to warn staff of certain security risks, they can now sue you.”
It’s startling how frequently basic IP mistakes are made, like being drawn into disclosing information without a basic confidentiality agreement, says Tony Bowdery, director of IP at security and risk management specialist QinetiQ. “The biggest pitfall is a brainstorming exercise conducted outside the company. You go away, find out that the other side has filed a patent application, and you’re on the back foot,” he says.
British inventor Mandy Haberman experienced IP theft first-hand in August 1998 after she had developed Anywayup™, a children’s trainer-cup with a clever non-drip valve that meant there were no spills when the cup was tipped. After an expensive patent process, Haberman’s cup hit the stores, and went on to sell close to 10 million a year worldwide. But just 18 months after the launch, another company - one Haberman had previously approached for a licensing agreement - launched a similar product. Haberman successfully sued, but the experience underlined the importance of IP protection.
“IP is a currency business so it’s essential to really understand it,” she says. “Innovation protected by IP is where the commercial value lies. But there’s no point having patents unless you can afford to enforce them - insurance is a must-have against infringement.”
Work is being done to reduce the cost of enforcement and there is talk of creating more affordable insurance for patents, though it is some way off, says Haberman. “Most fledgling businesses can’t afford it. But on the other hand, can they afford to not insure?” Start-ups are most vulnerable, she warns. “The reality is that big companies don’t look at the quality of your patents, they look at the depth of your pockets. If you don’t have the wherewithal to enforce your rights, they’ve no respect for your IP.”
Finding a good business partner is critical, and if you’re expanding overseas, the risk can rise dramatically. Are your suppliers or partners financially solid? Are you confident that they would not attempt to undermine your business? And how would you know anyway?
Financial and reputation forensics might sound an expensive exercise, but much comes down to common sense. Kroll’s Morgan-Jones says business shouldn’t underestimate its own power to seek out information. “Even in Ukraine, where information is scarce, you can find out about people just about everywhere. Do due diligence; be assertive about your own rights. Verifying information about someone is a lot easier than having no information to go on at all,” he says.
Data mining is a relatively new concept which can help identify suspicious transactions, from duplicate payments to multiple invoicing. But few companies make use of it, says Andrew Durant, forensic accounting partner at accountants BDO Stoy Hayward.
As for vetting potential new staff, Wayne Anthony, director of forensic accounting at Smith & Williamson, urges directors to pick up the phone. “Job applicants might give you the name of an alleged previous employer, but a false address. If you write to them, they will simply write back saying the applicant was great. Check on the internet, ring them up directly - cut out the early stage.”
Watch out, too, for companies that charge VAT when they’re not VAT registered, warns International Intelligence’s Bomberg. “Check with a commercial information provider such as Dun and Bradstreet or Companies House”, he advises.
Software that can draw relationships between people and companies, such as i2 Analyst’s Notebook, can also help directors get a fix on people and their backgrounds, adds Durant.
“Spend enough money and you can intercept anything sent electronically. Spending thousands on computer hacking to electronic surveillance may seem steep, but if you’re bidding for a contract and you can have a sight of your opponent’s tender documents, the cost might seem a bargain - albeit an illegal one. Too many people think it will never happen to them. The British, in particular, think no one is out to shaft them,” says Bomberg. One of the biggest problems, he adds, is combating mobile phone cameras, which can discreetly snap pictures of sensitive material in detail.
Norman Bolton, a former Scotland Yard special operations detective who now heads the technical risk department at risk management company C2i International, warns that it is just the sort of technology that many underestimate. “The original document is still intact to allay suspicion, but a copy has been made and can get out onto the Web,” he says.
Most difficult, he continues, is that there are no business privacy laws in the UK. “There is no legislation which says, ‘thou shalt not bug or eavesdrop’. Therefore the police are forced to tailor the 1968 Theft Act to counter industrial espionage. You commit no offence putting a Dictaphone in a boardroom and retrieving it afterwards. But if you enter the building and connect the device to the electricity supply, then you commit the theft of electricity.” A programme of de-bugging or TSCM sweeping can be initiated, he says, but it needs to be kept up.
Another issue is how responsibility can unravel between departments, according to Peter Power. An IT manager may think security is down to the security director, while the security director thinks it’s an IT issue. “There are often gaps between the non-physical assets, such as brand guardianship, and the physical theft of equipment,” Power adds.