The guy crawling through a dumpster in the company parking lot could be just as damaging as a malicious bot crawling through your server
By Joseph McCafferty
August 17, 2016
Mention "cyber-threat" and many of us envision an over-caffeinated twenty something in a hoodie tapping away on a keyboard as he snoops into our networks from the poorly lit back room of some run-down apartment thousands of miles away—in a country like Russia or China—stealing customer credit card details and other sensitive data.
We can be forgiven for the typecast visualization. Just type "hacker" into google and select "images" and your screen will quickly fill with hundreds of examples of that very same vision.
We're right to be terrified of that hoodied hacker from afar. Indeed, some of the largest and most damaging cyber-attacks came in that form. The attack on Target, for example, is suspected to have been led by a 17-year-old in Russia. When embarrassing e-mails from Sony executives were dumped on the Web, a group identifying themselves as "Guardians of Peace," thought to be from North Korea, claimed responsibility.
In response to such threats, our organizations have beefed up cybersecurity by adding more network security devices and firewalls, changing password policies, and using more and better encryption technology. The IT audit group has done its part to access those improved cybersecurity systems and policies and have worked hard to keep up with the latest technology and the latest cyber-threats.
Who's Listening In?
Sure, companies have a long way to go to protect against attacks over the network, but they are making progress. But what about attacks that come from inside? What about the hardware keylogger that is placed into the keyboard port and can be hard to detect? What about listening devices in the boardroom? What about secret cameras placed behind the CEO's desk that can record everything that comes up on his or her screen?
Eavesdropping and other "offline" technologies for stealing data and corporate secrets is on the rise, according to Steve Whitehead, managing member of Corporate Business Insight & Awareness, a South African competitive intelligence company.
During a session at the Audit, Risk, & Governance Africa conference held earlier this month by MISTI in Ghana, Whitehead warned audit and risk managers not to forget about corporate eavesdropping and physical security. "We have witnessed the rise of the corporate spy, where not everyone plays by the rules," said Whitehead. "There is so much focus on computer systems that we may forget old style forms of corporate espionage, like the use of listening devices and the theft of hard-copy documents."
Some of the information that corporate spies are pursuing, says Whitehead are:
- Trade secrets and proprietary information
- Damaging or embarrassing information on senior executives
- Expansion of takeover plans
- Customer database and marketing plans
Ford's Illegal Explorer
Whitehead highlighted the case of Sharon Leach, who was fired from Ford Motor Co., after she admitted to placing eight listening devices in meeting and conference rooms around the office. According to court records, the FBI seized eight listening devices from Ford headquarters in July 2014, and more than two dozen items from Leach's home weeks earlier. She claimed, says Whitehead, that she placed the devices around the office to aid in her notetaking during meetings she was involved in, and only recorded other conversations inadvertently. Leach worked as an engineer in the highly competitive and innovation-oriented green technology division at Ford. Whitehead suspects that she may have been working with a competitor to steal new technology ideas.
The case highlights a reality that secret recording devices and covert cameras that can be just as damaging as a network attack. "The threat is real," says Whitehead. "It's much cheaper to obtain secrets through spying that to do the research, build, and innovate yourself."
Smaller and Smarter
Similar to network attacks and modern hacking tools, new technology is driving better eavesdropping equipment. Whitehead says that cameras and recorders are becoming smaller and smarter. Many can automatically connect to a local WiFi network and transmit illegally gained information back to the perpetrator. "These things are small enough to conceal in everyday objects, such as a computer mouse, remote control, and wearable devices," says Whitehead.
While the threat of a competitor or disgruntled employee using eavesdropping technology to spy on senior management could be a "low probability event," says Whitehead, the impact could be very high. He suggests that companies that are concerned about the threat of eavesdropping should call in professional teams to do periodic sweeps. He says companies should also be careful about third parties that have access to the office space, such as cleaning services and maintenance crew members.
"You need to make sure you are in a controlled environment," says Whitehead. He says the threat increases at off-site meeting areas, such as hotel conference rooms. If you are planning a big merger or a new product launch, advises whitehead, it's worth taking the extra effort to ensure that no one else is listening in.
Joseph McCafferty is director of audit content for MIS Training Institute. He can be reached at email@example.com.