Spies like us

How did you get into this line of work?
My 30 years in the Police service, including seven years as Head of the United Kingdom’s National Counter Terrorism Security Office, allows me to understand exactly what security issues businesses face and what they should be doing to protect themselves.

The UK has an organisation called the Centre for the Protection of the National Infrastructure. This is a brilliant font of security best practice knowledge, but its readership are Critical National Infrastructure sites such as Power-plants, oil and gas companies and big business. I try to spread that best practice wider, for the benefit of all UK business.

Is spying real?
When you mention espionage people usually think about the cold war and people in dark coats and briefcases passing secret information in a park. Well, those aspiring James Bonds amongst you will be pleased to know that spying is alive, bigger than ever and much easier to do in this technological age. The trouble is it’s not just the MI5, MI6 and GCHQ who are looking for secrets.

The threat from espionage did not end with the collapse of Soviet communism in the early 1990s. The UK remains a high-value target for a number of countries looking to obtain information and technologies to help improve their own military, technological, political and economic interests. Also, businesses see gaining market advantage as being so important that they will pay experts to obtain information for them.

So businesses are at risk?
Yes, very much so. And this is not just a big corporate thing. In today’s high-tech world interest has moved towards commercial information in the fields of communications, IT, genetics, aviation, electronics and many others Information of interest could extend from manufacturing processes and research programmes through to negotiating positions, financial transactions and longer-term strategy developments.

All of which can help provide other companies with an economic advantage or enable other companies to establish a market lead using your innovation. Imagine a business bidding for a key contract who is made aware of all the rival bids? Pretty valuable stuff. It can make the difference between wasting thousands of pounds on winning or losing contracts, often worth millions.

Espionage has been instigated by competitors, media organisations, activist groups, past employees and even existing staff. The consequences of these attacks are huge both financially and in terms of reputation for a business. Sometimes they are fatal.

What about private lives?
People don’t realise how the dramatic changes in technology in your pocket has revolutionised the world of spying. As an example I bet very few readers would realise that their innocent iPhone is actually tracking their every movement.

All these people spending thousands of pounds hiring private detectives to follow their spouses around really only need to have access to their partner’s iPhone for ten minutes! The iPhone includes a feature that displays the locations you frequently visit. It monitors your location on a day-to-day basis then saves the most frequent locations.

Great if you’re making use of travel information apps, but a nightmare for those who wouldn’t want their partner to know where they have been. (This part of the system can be found by opening up settings, privacy and location services, by the way. You’re welcome.) The telephone in your pocket is a brilliant device. It has a microphone, a dictaphone, a camera and a tracking device. All key parts of a spy’s armoury.

So tell us a bit more about what you do day to day…
We are a company that provide security advice and training. My history is in counter terrorism so much of my work is in getting businesses and communities to understand what they can do to protect themselves.

We offer penetration testing to businesses to identify how secure they are. This is where we attempt to gain entry to a business to demonstrate to them what improvements they need to make to their security. And yes, that can include dropping bugs and tapping phones.

We provide security training and we also help businesses and especially schools and colleges to understand and practice crisis management.

Tell us more about the penetration testing. That sounds fun.
You can see the eyebrows arch when you tell them that you are a penetration tester. It’s only one of a number of security roles I have but it’s certainly the one that needs some explanation. When I go on to explain that I am actually a physical penetration tester and that I have colleagues that are cyber penetration testers then it really gets interesting.

I have spent many days looking at the security of a business and then walking straight through their security, sitting at a desk and pretending to work, whilst at the same time taking photos, removing goods, placing listening devices and one occasion taking cheques out of the CEO’s private cheque book.

When on earth did we start needing penetration testers? How do you do it? Why would someone need to be tested? These are some of the questions I get asked. Well it’s a sad state of affairs but business these days need to be aware of the potential implications of a security breach. Recent examples include;

• Banks being ripped off for millions of pounds because they allowed someone to walk in and attach a device that reads every key stroke on a computer.
• Listening devices being placed in board rooms by competitors to understand a business’s plans
• Valuable items being stolen from supposedly secure business floors are actually the tip of a very large iceberg of mostly unreported crime

Security these days is about much more than just CCTV, locks and fences. Today’s criminals and terrorists are looking for vulnerabilities in a business and invariably that involves finding a way inside that business to attack it. That means getting work as an insider, or penetrating that business either through cyber attack or physical entry.

Many businesses have been brought down by a loss of reputation following an attack. The recent attack on the illicit affair dating site Ashley Madison would make anyone think twice before sending their name and contact details to them in the future. How the suspects got that data is still not clear but it will be either an insider, or a cyber or physical attack on the company.

What are the big things to look out for?
Most businesses have some form of physical security in place. The two major areas of concern are those of the insider threat and the cyber security.

Tell us a bit more about insiders…
An ‘Insider’ refers to any individual who plans to use their legitimate access to an organisation for unauthorised purposes. What better way of gaining information about your business than by getting someone to work for you?

No breaking in, no climbing fences just go to work and collect all the information you need. As an example who is walking around your business in the dead of night? Do you lock away your secret documents? Most companies now outsource cleaning contracts. That’s what I would do. Get a job with your cleaners and walk around taking pictures at midnight without anyone there to bother me.

Blimey! So what can we do about the insider threat?
There are three areas you should deal with

1. Ensure you do pre-employment screening. Make sure they have a right to work in the UK for starters, but also that they don’t have a history which is suspicious. Also actually check those references.
2. Make sure you have a culture in your business that understands the need for security. Encourage staff to question people they don’t recognise and to report suspicious behaviour.
3. Make sure that when staff leave there is a leaving process, which takes their uniform, keys, and access control. Also make sure that their access to the internal intranet is closed off. You won’t believe how often this is missed.

You mentioned crisis management, what do you mean by that?
Crises happen to someone every day. Every business at some stage will have to deal with a situation that takes them out of their comfort zone. No one could believe the tragic air crash at Shoreham this year. But some poor people had to deal with that horrific incident.

Schools, colleges and universities are not immune to these problems. We recognise that there is very little help for these organisations and felt that we should help. Ask yourself this, how would you deal with a horrific accident happening to your pupils? Or maybe a fire, or terrorist attack? What would you do? Who would be in charge? Would you evacuate? If so where would you go?

How would you communicate to your teachers, pupils? Parents? The media who will be climbing all over you for information and interviews? Who is going to be interviewed on Sky news?

We try to help to prepare the school, college, university or business for a crisis. Help them to develop their crisis and business continuity plans so that they react in the best way possible. We include media training and sometimes practical first aid training if the client wants it.

So it’s not all doom and gloom?
No. Apart from anything else, the courses I hold are brilliant fun. Seeing some people blossom under pressure. Recently we carried out a crisis exercise for a well-known London theatre. The press and media team didn’t fare too well in front of the press. But one of the secretaries was excellent. It shows that you just can’t tell who will react best in a pressurised situation.

For more information about security and crisis management www.howtostaysafe.co.uk