In the days of the Cold War, spying and audio-surveillance were something of an elite profession limited to Government agencies. Not so now, where the Internet has proven a rich picking ground for criminals who want to 'bug and steal'. Crispin Sturrock examines the scale of the espionage problem, and looks at various developments which are looking to safeguard the future for commercial concerns.
Not sure about you good folks who read Security Management Today, but the last thing I do before turning in at night is to check that all the windows and doors to my property are secure. I do this despite the fact that I reside in a rural village where riding a bicycle at night without benefit of lights would be enough to ensure front page news!
Coupled with the fact that I possess few valuables – except for my treasured Out of the Blue album by the Electric Light Orchestra, pressed on blue vinyl – this may make my nightly regimen seem like the actions of a person suffering from mild paranoia. Except that I know I'm far from paranoid. I know because all of us complete this nightly 'sweep', and we all do so because it's plain common sense.
Securing our homes is a relatively simple operation. It is almost certain we'd notice if our castle had been invaded as there would be tangible signs that something was amiss. The most obvious sign would be of the actual break-in, the other that something – or some things – were missing. It's not for me to belittle the domestic break-in, and nor would I. After all, people are traumatised by these events but, when compared to the more clandestine breaches of security within high-risk business environments, they are somewhat minor in scope.
That said, it's fair comment to suggest that far too many businesses happily allow access to their own 'Family Jewels', while a good lot of them will not even realise when they've been stolen.
Protecting critical, core data
Now, at this juncture I could swiftly move on to how a company's confidential information has become ever-more interesting to its business rivals, and eulogise about how hard everyone is working to protect their critical, core data. We are all aware of the threats from computer hackers, which is why everyone seems to be positioning themselves behind more secure firewalls and tighter password controls. Yes. There, the threat is well understood and robust solutions are already available.
However, there is one area of significant risk that is consistently overlooked by far too many businesses – spying. Maybe it's down to its association with the shenanigans of fictional characters created by Ian Fleming, John le Carré, Graham Greene or Tom Clancy, or perhaps it's merely the case that spying is only viewed as a global threat by world Governments and their agencies? Who knows?
Fact is, though, that when the term 'spying' is broken down into what it actually entails, businesses and individuals should start to take an interest if they are serious about critical information protection.
Eavesdropping, industrial espionage, information gathering, bugging… Do these things really happen outside of Hollywood and Pinewood Studios? Yes, they do. Manchester United Football Club was forced to launch an investigation after the team's dressing room was bugged during an away Barclays Premiership victory at Chelsea's Stamford Bridge last November. The tapes contained recordings of pre-match and half-time team talks.
Meantime, England's rugby union team members are so concerned that their game plan secrets are being stolen that they arrange for dressing rooms to be swept for listening devices prior to all matches. The English management team has even insisted that mobile phone relays in the dressing rooms be deactivated as they produce strong responses from the sophisticated detection equipment.
In January this year, there was the announcement that MI5 had been given permission to tap telephones (including those of MPs). Across the Pond, President Bush authorised the National Security Agency to eavesdrop on chosen citizens without Court approval. In February, a BBC worker spied on several stars of popular soap EastEnders by placing listening devices in their homes and vehicles.
The law relating to bugs
The above occurrences represent the tiniest snapshot of covert operations carried out by Governments, independent agencies and individuals intent on obtaining information from corporate businesses, celebrities, international criminals and terrorists. As things stand, eavesdroppers are listening-in on hundreds of thousands of private conversations every week because of a legal loophole – telephone tapping is illegal under the 1998 Wireless Telegraphy Act, but the law relating to bugs and covert cameras is far less clear.
Bugs are, in essence, listening devices that come in all shapes and sizes. They are specifically designed to gather information. The deployment of any bug in a specific location is just as crucial as the bug itself. Bugs may be deployed for a day, for ten years or even longer. Many are available in your local shops…
Typically, listening devices are used in three situations. The first is the rapid deployment of a simple recording device under a table. The second bug can be built into existing furniture or placed within a desktop tape dispenser, a lamp, a calculator – the list of 'hosts' is endless. Finally, the more complex type of bug will be fitted into the room itself, using either the ceiling or walls.
It's presently estimated that over 200,000 bugs and covert cameras are sold in Great Britain each year. Do businesses really spy on each other in this way? Is there a genuine risk that someone will bug your office, home, car and mobile phone? Is the 'source close to the managing director' – the usual terminology employed by the media when confidential business details are released – a disgruntled colleague, or could it be a listening device planted to obtain my company's critical information?
How to nullify espionage
Critical Information Defence (CID) is a growing sector of the security industry now attracting unparalleled levels of interest. The security world has finally accepted that CID must emerge from the shadows and be duly recognised as a vital component of the overall security package procured by the client.
To this end, The Security Institute is currently in the throes of producing an end user guide to technical surveillance counter-measures (with myself sitting as chair of the Technical Surveillance Counter Measures Guidelines Committee). A most interesting and challenging project, the end result of which will be a manual that'll be extremely useful for practising security managers.
Technical surveillance counter measures – also widely known as 'sweeping' – generally involve the detailed checking of an area or building by various methods to ensure that there are no foreign devices in place. A recent example of where this can pay dividends for clients occurred late last year at the offices of Sumitomo, a City-based Japanese bank. Criminals had been plotting what could have (potentially) been the theft of £220 million (which would have represented the world's largest-ever robbery haul).
Simple but nonetheless effective computer key logging spyware was being used to gather critical typed information, including both passwords and access codes. The theft was averted thanks to the deployment of technical surveillance counter measures.
Then there are social engineering counter measures, formed in response to the potential deception and manipulation of personnel within an organisation. This is a comprehensive awareness programme designed for all employers and employees. Together with precise policies, it covers all aspects of how people can avoid inadvertently placing business at risk, and how they might also become part of the overall anti-espionage and counter-surveillance solution.
Risk, compliance and audit
ORCA-X is a proprietary software solution that brings together the components of a CID strategy. In the future, it could well incorporate areas including insurance, Basel II, regulatory compliance, Sarbanes-Oxley and EHS.
The first stage of ORCA-X deployment entails a thorough audit and sweep of the organisation. This will help in assessing vulnerabilities that may be present. Essentially, a complete picture is built of the host company's working environment such that a bespoke, software-driven protection plan can be specified.
The audit report will recommend to the client a dedicated range of countermeasures, from simple procedures through to more complex technical surveillance activities. ORCA-X-based technical surveillance cases provide auditable data and a set of actions for minimising risk at all times. Due diligence is ensured, while a full and thorough paper trail provides total accountability.
For its part, the Audiotel International-developed RoomGuard is a brand new concept in audio/video counter surveillance protection, offering the end user 24-hour online protection of critical spaces. Whether the client is being 'attacked' by radio listening devices, mobile phones (be they of the GSM or 3G variety), Bluetooth or WiFi, the host organisation can always be confident that meetings will be secure.
Distributed intelligence means that several rooms can be simultaneously monitored across the company network (remotely, if desired, as the software is able to make a secure connection to the Internet). Real-time protection means that, should the threat be brought into the protected meeting room, detection will be instantaneous. Alarms can be audible, graphics-based or sent using e-mail or SMS messaging services.
Bugging is a growing threat, while listening devices are increasing in their sophistication. That being the case, counter-surveillance solutions have to keep pace. These days, the end user is on the look-out for a solution that can accommodate upgrades. That is certainly true of RoomGuard, where client packages can be tailored to include annual testing, software upgrades, sweeping and the monitoring of meetings (either on site or from a remote location).
As common as CCTV
From next year, the Security Industry Authority (SIA) will be responsible for issuing licences to specialist technical surveillance counter measure security consultants. That will add genuine credibility to companies operating in this arena. It should also enable end users to understand a little more about who we are, what we do and the benefits we can bring when it comes to tightening security.
Sadly, a good many security professionals still don't feel that spying is a serious threat. Thankfully, those who have opened their minds and eyes and explored the benefits of Critical Information Defence (CID) now consider it to be a central plank of their organisation's overall information security policy. For my part, I would say that CID is going to become as common as locks on front doors, CCTV and logging-in to one's desktop computer.
While the direct benefits of CID may never be tangible, we are now finding ourselves answering the question put to us by celebrities, VIPs, company directors, lawyers and politicians… "What can you do to protect us, our telephone conversations, meetings, vehicles, offices and related properties from individuals and outside agencies intent on obtaining information and using it against our personal interests and those of our clients"?
There are solutions. What we need to do now is accept that there's a problem. We do not know how much revenue is lost as a result of espionage activities. It could be millions, billions or even trillions. We do know that companies, careers and lives are put at risk because of the unscrupulous, covert activities of those intent on obtaining details and information about all aspects of our business and private lives.
OK. So the bad guys have a vast array of covert methods, tools and equipment to deploy. Devices that enable spying, industrial espionage, the interception of telephone conversations and the recording of meetings where critical information may be aired. If your business does not have a counter-surveillance policy in place then the deployment of devices against you will be simplicity itself.
Time is running on tonight as I wrap up this article. Before I retire, rest assured that I'll check all is secure in the household. Not paranoia, you understand, just plain old common sense.
Source
SMT
Postscript
Crispin Sturrock is chief executive of Whiterock (www.whiterockdefence.com)