When it comes to the theft of critical information, being the victim of hostile intelligence gathering or being the service provider that is hired to counter those threats, the first area that all must understand is that of threat.
Very often I hear the phrase: “Our business doesn’t need TSCM services as part of our security procedures, there is no threat”, a statement of pure ignorance as all information has a value to somebody. Let’s look at it from another angle. The Company that said that to me last, protected its IT systems with a budget in the millions of pounds from Hackers and perceived Cyber Threat.
When the reality is they’ve never even had a Threat Brief let alone carried out a Threat or Vulnerability Assessment to quantify the risk to their information as a whole. The reality of that company’s current stance was that a very simple Technical Surveillance device at the cost of £600 could easily be deployed into the work area and used to access all of their data systems. And all of the IT security in the world would never detect it….Their lack of understanding or investment in protecting their critical information from technical surveillance threat has left their entire organisation at huge risk.
Technical Surveillance has moved on since the days of ‘Eavesdropping’, and accelerated in quantum bounds, in line with the advancements in communication systems. Technical Surveillance is a greater threat today in 2013 than at any time.
Even those who understand the existence of threat are sometimes ill-educated to the reality of the level of threat. A common comment I hear is; “We just need a quick check; our threat is commercial not governmental”. This is the first mistake, and a mistake that knocks on throughout any provision of service to counter any threat. A commercial threat would intimate that the level of attack against an organisation or individual would consist of amateur or semi-professional persons who only have access to commercially available hardware with which to mount an attack. This is just not the case.
The reality of today’s commercial threat is that former government trained individuals are operating in a commercial capacity, using highly sophisticated techniques and equipment. The motive and model for any attack is based on reward. Take, for example, an organisation which has as its target a competitor’s contract information for a £5m contract. If their aim is to use this information to obtain the contract itself, then an investment of ten per cent of the profit of this contract would be a worthwhile investment.
If the profit was £2m, then £200,000 would pay for the very best government standard black market devices and the services of criminal operators trained to Special Forces or government standards in disciplines such as covert method of entry and covert installation. Even in some high-profile divorce cases, I have seen highly sophisticated attacks and devices usually only seen in covert military and law enforcement operations. And let’s not forget that international espionage by foreign intelligence services does not just target other nations’ intelligence services. Foreign industry is and always will be a viable target.