Don’t forget the human – fighting industrial espionage and cyber crime

Human Intelligence Applications and Methods

By Mario Bekes, Director Insight Intelligence

Industrial espionage has been in the news again recently with various reports about Huwaei’s activities1. At a time when businesses are investing multiple millions of dollars in data protection systems, are they overlooking some of the most basic forms of intelligence gathering devices – humans?

One way or another, people are often responsible for a loss, often inadvertently. Military intelligence has long used activities, often termed ‘social engineering’, to capture sources of information. These activities have since been adapted by both government intelligence organisations and corporate intelligence.

Social engineering is the art of manipulating people to obtain confidential information such as gathering data about a product, the financial position of the company, future projects and its development. This can be done in person or electronically and activities range from social media engagement, networking with employees, chatting at the gym, posing as a buyer or investor, contacting relatives or friends, looking at discarded documents or recovering data from old IT equipment.

In today’s corporate world you might recognise many of these behaviours as standard networking activities. Indeed, one of the rules for intelligence operatives it is to utilise networking events as much possible in order to create their own sources of information.

This is not to say that all networking type activities are bad, but people need to be aware of the risks. This can be particularly hard to manage when it comes to ex-employees talking about sensitive information.

The weakest link in the security chain is usually the human who accepts a person or scenario at face value and unwittingly becomes the source of information from which no IT security measures will be able to protect your blue prints, ideas and products.

At Insight Intelligence, we’ve found companies rarely spend 1% of their IT security budget on policies, procedures, awareness and education to improve people security. Some of the simplest elements of what we term a ‘human firewall’ to implement are:

• Educate people about phishing and other dangerous emails
• Only allow certain people access to sensitive information
• Train employees to be aware of questions at meetings/networking events that may be suspicious
• Reinforce company polices about safeguarding company information (and having a policy in the first place)

A human firewall should be one of your first defences. Just ask Mastercard and Disney. They were lucky that Visa is a good enough corporate citizen not purchase the sensitive information offered by a catering employee about a major deal being discussed by its main competitor, Mastercard2.

No matter how many thousands of dollars are spent on your IT security, these risk management steps, aimed at people, will significantly boost the effectiveness of your human firewall. Thus, helping better protect your assets, the future of your business and the livelihoods of your employees.

1. https://www.wired.com/story/huaweis-many-troubles-bans-alleged-spies-backdoors/
2. https://www.nytimes.com/2001/03/22/business/food-worker-is-accused-of-corporate-espionage.html