Spies in the boardroom

Public Security Magazine ❘ Autumn 2004


Not a week goes by without our offices receiving one or more telephone calls from around the world asking if something is technically possible.

Almost anything is technically possible in espionage when you are dealing with multi-billion-pound litigation cases, mergers and acquisitions or intellectual property rights. A budget of £100k will buy a package of email interception and telephone tapping for a month; while this amount sounds quite high, it makes good financial sense to some when they are involved in a hostile takeover or litigation worth hundreds of millions of pounds.

Many working within the public security sector or defence industry understand little about espionage or the little that they know is well out of date. Espionage is a very fast-moving sector. Each innovation in communications leads to another way of interception; every time microprocessors get smaller and faster, covert eavesdropping devices get smaller and smarter.

Almost every day, we at International Intelligence Limited are asked how people can communicate safely, and our answer always remains the same: “You are far safer talking over your fence to your neighbour than you are making a telephone call, sending an email or fax. All forms of electronic communication can be intercepted at some level or another.”

This may sound a little over the top or scaremongering. Still, the fact is that a low-cost covert transmitter placed within a company’s boardroom can cost the target company millions in lost deals, legal cases or intellectual property theft.

Understanding the basic principles of espionage and human nature is a good start for secure working practices and a basis of an organisation's housekeeping policy.

Many organisations and companies fall at the first hurdle and lack basic internal and external security. For example, can you be certain how many members of your staff would challenge a stranger walking around the office with a clipboard underarm or wearing a hard hat and workman’s vest?

It is a good start, therefore, to have a basic policy of staff identity cards worn at all times; it is the duty of all staff to make this policy work. What’s the use of having a security policy that is costly, difficult to implement and impractical?

One firm that we recently visited had a sound security policy, CCTV and static security guards checking everyone at the reception. Great, you may think, yet we gained access to the offices and boardroom via the fire escape that was propped open by a chair that gave workers access to a place to have a quick smoke.

“At the end of the day, a security policy is only as good as the staff within the building - it is everyone’s responsibility, from cleaner and typist to the CEO.”

Espionage is on the increase in the UK; over the past five years, there have been a number of public cases that have involved accusations of bugging, email interception, telephone tapping or waste theft.

In the UK, there are no specific laws that cover espionage, and therefore any prosecutions have to be carried out under other laws. For example, if you were caught tapping a telephone line, you could be arrested under a number of acts: Article 8 of the Convention on Human Rights, Interception of Communication Act 1995 / Regulation of Investigatory Powers Act 2000 or the Protection from Harassment Act 1997. You might be prosecuted for theft of electricity from the telephone provider and trespass.

Companies which employ investigators in support of litigation cases may run into problems over how intelligence gained is going to be used in court. As all evidence has to be disclosed to the opposition in the case, any which has been obtained unlawfully may be discounted by a judge and action taken against the party submitting it. This happened in the Dubai Aluminium case, when an investigator was employed to obtain bank details in breach of the Data Protection Act 1984, which was then in force.

A recent case where telephone tapping/interception took place was St Merryn Meats Ltd and others vs. Hawkins and Others (2001 ALL ER (D) 355), where evidence was gained by bugging a person’s home telephone. The court held that this was unlawful, as it constituted an offence under the Interception of Communications Act 1995, which has been replaced by the Investigatory Powers Act 2000.

It is, therefore, probably more sensible and less stressful to avoid the need for litigation in the first place and there are ten basic steps that any organisation can take to secure its operations. These are easy to follow and, far more importantly, easy to implement.

The first step is to identify the strengths and weaknesses within your organisation or company in order to help develop a sound security policy based on findings.

All departments should have cross-shredding type shredders because the waste from strip shredders can be placed back together with a little work.

All documents should be locked away in secure cabinets prior to the end of each day.

Programmes for encrypting email and files to government standards can be downloaded free from the Internet.

Documentation concerning sensitive issues, mergers or takeovers should never leave the workplace unless signed out and secured.

A CCTV system giving internal and external coverage will put off any illegal activities and deter the opportunist.

Never open email attachments from unknown sources, as these may contain Trojan viruses that can be used to attack your computer from within. Always update your anti-virus software and ensure all staff are aware of this risk, as viruses can spread on networked systems at speed.

Changing from analogue to digital or normal copper pair to fibre-optic telecommunications will foil attempts to intercept telephone or fax lines.

The wearing of Staff and Visitor ID will enable all workers to identify persons that do not belong in a given sector or are unaccompanied.

A Technical Surveillance Countermeasures (TSCM) sweep of offices should always form part of a good housekeeping policy, as it is designed to find any devices placed within communications systems or offices.

During the course of a year, we hear the same excuses from people who are convinced that their companies’ security policies are adequate and that they need to take no action to update their systems. These include the old myths such as their company not being a target, phone tapping being too expensive to worry about and the belief that they are safe because they work from home.

They ignore the fact that no organisation is too large or too small to be targeted. The very nature of business competitiveness means that people will want to know your secrets, what your new product is, who your clients are and what you charge them.

They ignore the fact that directors who work from home are softer targets for telephone and email interception.

What they should be doing is working out what their last contract was worth and what it would mean to them if they lost it to Joe Bloggs up the road.
