Why do I need a Proactive TSCM Strategy?
Information is probably your organisation’s most valuable asset. We would all like information about our competitors’ products, pricing structures, unique selling points, in fact any information which would give us that commercial edge. Imaging if sensitive information relating to your organisation’s financial or strategic position be revealed to your competitors or the media, what effect could that have on your reputation, financial position or client confidence?
There are no official UK statistics (evidence of surveillance is often suppressed to avoid publicity), however according to estimates included in “The Cost of Cyber Crime” 2012 report by the Office of Cyber Security and Information Assurance (OCSIA) in partnership with Detica, UK businesses are estimated to be losing £16.8bn each year from intellectual property theft and industrial espionage alone and the US security services have assessed espionage as one of the four main threats to the UK today. The threat is world-wide. Germany companies are reporting to be losing around £43bn and 30,000 jobs to industrial espionage every year and PwC reports that globally, espionage costs the top 1000 companies $45billion per annum.
“Intellectual property theft and espionage is estimated to cost UK business £16bn per annum.”
Detica Report – The Cost of Cyber Crime, Feb 2011
The U.S. State Department estimates that at least 800 million dollars of illegal bugging and eavesdropping equipment is imported and installed into corporations in the United States each year and that over six million dollars-worth of surveillance devices are sold to the public each day. In the UK, bugging devices can be readily bought over the counter and through the internet. Spymaster, one of the UK’s leading spy shops, has stores in both Harrods and Selfridges.
The threat of corporate espionage is real. Take the recent Snowdon case where the former NSA contractor said the agency would spy on German companies that competed with US firms and also advised that they had bugged Angela Merkel’s phone. Mr Snowden said: “If there is information at Siemens that they [NSA] think would be beneficial to the national interests, not the national security, of the United States, they will go after that information and they’ll take it.”
Some of the most common instances of corporate espionage and hostile surveillance occur when organisations embark on merger and acquisition strategies. Proctor and Gamble came a cropper to illegal intelligence gathering in 2001 when they confessed to rifling through the trash to gain information on rival Unilever’s hair-care business. Both companies were competing to acquire Clairol at the time. It cost P & G $10m in compensation to Unilever but they did ultimately acquire Clairol!
Other common instances include cases of litigation and human resources. Between 2001 and 2007, Deutsch Bank admitted to episodes of spying on several people including employees and the Munich law firm of Bub Gauweiler & Partner which represented Leo Kirch, an individual who had criticised the bank.
Malicious activities have been perpetrated by disgruntled current or former employees as well as by competitors, criminals and foreign states and it is therefore fundamental that precautions are taken to protect current and future sensitive and confidential conversations and information, at a time when information relating to an organisations activities and plans are likely to be extremely valuable to competitors and others connected or affected by the plans.
Whilst it can be difficult to quantify the impact that espionage may cause, what is clear is that when an organisation loses control of its proprietary information, there can be serious implications. However, many organisations are still failing to grasp the enormity of the problem and decisions on how to respond to attacks are often made retrospectively.
It is important to remember that information comes in many forms: paper, conversational as well as digital and it is therefore imperative that any information security program incorporates more than the traditional physical security measures and IT network system tests and considers the threat to information from other threats including GSM bugs, audio bugs, hidden cameras, laser attacks and the insider threat. Admittedly, some of these methodologies are difficult to detect and this is the province of the TSCM professional.
Managing Espionage Risk with an Appropriate TSCM Strategy
When suspicion arises that information has leaked from an organisation, many companies will quickly look at employing the services of a specialist Technical Surveillance Countermeasures (TSCM) or “bug sweeping” company, to detect, identify and locate any illicit eavesdropping devices. Whilst this may seem a logical reaction, this “closing the stable door after the horse has bolted” approach does not demonstrate best practice and to simply ignore the risk and allow information to potentially haemorrhage from an organisation could be seen as negligent, particularly in light of the introduction of personal liability for directors in connection with Corporate Governance issues and compliance.
In order to manage the risk of corporate espionage effectively, it is important that organisations consider a cohesive strategy that supports the overall business strategy. In ideal circumstances, guidance would be to limit the areas or meeting rooms where sensitive conversations take place, and then implement sufficient appropriate and proportionate measures to protect these areas as reasonably and cost efficiently as possible, based upon the threat and risk of espionage. This might be via a programme of TSCM surveys, the installation of permanent countermeasure solutions, the training of in-house security personnel or via awareness training for key staff.
It’s also important to note that a TSCM survey involves more than just an electronic ‘sweep’. As well as locating and identifying hostile electronic surveillance devices, an effective TSCM program is designed to detect technical security hazards, physical security weaknesses or security policy and procedural inadequacies that would allow your premises to be technically or physically penetrated.
A more holistic and strategic approach to counter surveillance will consider the wider implications of hostile attacks and how they might affect the business as a whole. This will ultimately provide solutions which deliver an integrated way of thinking that combines all aspects of security with financial pragmatism. Such an approach should provide companies significant savings in relation to its security whilst increasing its effectiveness and support to the business.
Benefits of a Proactive TSCM Strategy
|Prevention:||The potential loss and reputational damage that an information breach might incur can far outweigh the cost of implementing a proactive TSCM strategy. Prevention is better than cure.|
|Best Practice: Having a proactive TSCM program in place demonstrate a best practice approach which will reassure board members, clients and stakeholders.|
|Corporate Compliance & Corporate Responsibility:||The duty to identify and manage regulatory risk is a key requirement of today’s board and a proactive TSCM program will assist organisations in achieving compliance around the protection of its information.|
|Enhanced Security:||A TSCM program will detect and report on physical security weaknesses or inadequacies that would allow your premises to be technically or physically penetrated, this enhancing the overall security of the organisation.|
|Deterrent:||Having overt counter-surveillance policies in place can act as a deterrent to thieves, competitors and errant employees.|
|Peace of Mind:||Having a proactive TSCM program in place will provide you with peace of mind that your conversations and information will remain confidential and allow you to concentrate on business as usual.|
Consideration of corporate espionage and its effects should be an integral part of risk management and the business strategy. To be in the position whereby an organisation can promote the fact that it has considered every eventuality is a pro-active move that will not only ensure corporate compliance but will assist new business acquisition from increasingly security-conscious corporate clients as well as offering an additional level of comfort to existing clients.
A more holistic and strategic approach to counter surveillance will consider the wider implications of hostile attacks and how they might affect the business as a whole which will ultimately provide solutions which deliver an integrated way of thinking that combines all aspects of security with financial pragmatism. This proactive TSCM strategy approach should also provide companies significant savings in relation to its security whilst increasing its effectiveness and support to the business.