18
Topics of Concern
KEY TERMS
• workplace violence prevention program
• conflict resolution and nonviolent response
• executive protection (or personnel protection) program
• anti-substance abuse program for the workplace
• patent
• Economic Espionage Act of 1996
• “Four Faces of Business Espionage”
• information security program
• TEMPEST
After studying this chapter, the reader will be able to:
1. Discuss the problem of violence in the workplace and what can be done about it.
2. List strategies of personnel protection.
3. Describe the problems and remedies associated with substance abuse in the workplace.
4. List the methods by which an adversary might obtain information assets and list strategies of information security.
Workplace Violence
Two important questions on workplace violence are (1) how should it be defined, and (2) how should it be measured? The definition of workplace violence affects not only how it is measured but also its cost. As the definition expanded from “one employee attacks another” to “any violence that occurs on the job” so, too, did the cost.
ASIS International (2005: 8) published the Workplace Violence Prevention and Response Guideline. It states: “Any definition of workplace violence must be broad enough to encompass the full range of behaviors that can cause injury, damage property, impede the normal course of work, or make workers, managers, and customers fear for their safety.” The Guideline defines workplace violence as follows: “Workplace violence refers to a broad range of behaviors falling along a spectrum that, due to their nature and/or severity, significantly affect the workplace, generate a concern for personal safety, or result in physical injury or death.” At the low end of the spectrum is disruptive and emotionally abusive behavior that creates anxiety and adversely affects the working environment. Next along the spectrum are words or actions that are intimidating, frightening, or threatening and create a concern for personal safety. At the high end of the spectrum is violent behavior.
Kenny (2005a: 45–56) emphasizes that while threats may not result in physical injury, they can leave victims traumatized and fearful. In addition, threats can harm productivity and “serve as the catalyst for progressively more dangerous behaviors.” Kenny adds, “Those who ignore, misunderstand or fail to take threats seriously miss an opportunity to identify, diffuse or resolve workplace problems.” Research by Kenny (2005b: 55–66) found that women were more likely to be victimized.
The University of Iowa (2001), in a report entitled “Workplace Violence: A Report to the Nation,” found that 2 million Americans are victims of workplace violence each year. The report divided workplace violence into four categories: criminal intent (e.g., robbery), customer/client (e.g., health care environment), worker-on-worker, and personal relationship (e.g., domestic violence).
The U.S. Department of Labor (2006) reported 480 homicides in private industry in 2005, with 489 in 2004, and 561 in 2003. In 2005, nearly 5% of the 7.1 million private industry business establishments in the United States had an incident of workplace violence. About a third of these establishments reported that the incident had a negative impact on their workforce. Service providing industries reported much higher percentages of criminal, customer, and domestic violence than goods-producing industries. State government reported higher percentages of all types of workplace violence than did local government or private industry. Thirty-two percent of all state government workplaces reported some form of workplace violence. The higher reported incidence of violence in state and local government workplaces may be attributed to their work environments. These workplaces reported much higher percentages of working directly with the public, having a mobile workplace, working with unstable or violent persons, working in high crime areas, guarding valuable goods or property, and working in community based settings than did private industry.
Workplace violence is costly to businesses. Losses reach into the billions of dollars each year and include medical and psychological care, lost wages, property damage, lost company goodwill, and impact on employee turnover and hiring (Hughes, 2001: 69).
Obviously, incidents of workplace violence (e.g., homicides, assaults, rapes) occurred before increased attention focused on the problem in the early 1990s. What we have witnessed is a change in the way the problem is perceived and counted. This is beneficial for gauging increases and decreases in the problem and as a foundation for planning protection with scarce resources. The United States has been known to maintain good statistics on a number of problems and freely publicize trends. From an international perspective, others may view the United States as the most violent society, when we may simply be the best at gathering data.
Do you think the United States is a violent society, or do we just maintain good data-gathering systems? Explain your viewpoint.
Legal Guidelines
There is no national law addressing violence in the workplace. OSHA has published voluntary guidelines for workers in late-night retail, healthcare, and taxicab businesses, but these guidelines are not legal requirements. Various states have enacted laws to curb violent crime at work, especially for retail establishments and healthcare settings.
ASIS, International (2005: 12) notes: “Under the federal Occupational Safety and Health Act and corresponding state statutes, each employer owes a ‘general duty’ to protect employees against ‘recognized hazards’ that are likely to cause serious injury or death. Workplace violence has been identified as one of those hazards, and both federal and state OSHA agencies have issued citations to employers under OSHA’s general duty clause for failure to protect employees against workplace violence.”
Employers not only have a legal responsibility to prevent harm to people on the premises, they must ensure that subjects under investigation are afforded legal rights. Employers who do not take measures to prevent violence in the workplace face exposure to lawsuits. Legal theories at the foundation of such lawsuits include premises liability, negligence, harassment (sexual and other forms), and respondeat superior (see Chapters 4 and 6). Workers’ compensation may cover injured employees, but the exposure of employers is much greater.
Contradictions in the law make protection difficult: OSHA requires a safe working environment for employees, but the Americans with Disabilities Act (ADA) can create difficulties for an employer seeking to control an employee with a mental instability. Employees have successfully sued employers for defamation because instability was mentioned. The ADA restricts “profiling” of employees through the observation of traits thought to be potentially violent (Jaeger, 2001: 74).
Protection Methods
What follows is a list of strategies for a workplace violence prevention program.
1. Establish a committee to assess risks, plan violence prevention, and to respond to such incidents. Include specialists in security, human resources, psychology, and law.
2. Consider OSHA and ASIS International guidelines to curb workplace violence.
3. Establish policies (Figure 18-1) and procedures and communicate the problems of threats and violence to all employees. Include reporting requirements and procedures.
4. Avoid a strict zero tolerance policy that does not consider mitigating circumstances. Legal problems with zero tolerance may arise with cases involving harassment, labor contracts, disability, and discriminatory practices (Hershkowitz, 2004: 83–88).
5. Although human behavior cannot be accurately predicted, screen employment applicants. The ADA limits certain questions; however, these can be asked: “What was the most stressful situation you faced and how did you deal with it?” “What was the most serious incident you encountered in your work and how did you respond?”
6. Consider substance abuse testing as a strategy to prevent workplace violence. For years, Bureau of Justice Statistics data has shown a relationship between violent crime and substance abuse.
7. A history of threatening or violent behavior can help to predict its reoccurrence. The worker who becomes violent is usually a white male, between 25 and 50 years old, and has a history of interpersonal conflict and pathological blaming. He tends to be a loner and may have a mental health history of paranoia and depression. He also may have a fascination with weapons (Meadows, 2007: 121).
8. Managers and supervisors should be sensitive to disruptions in the workplace, such as terminations. Substance abuse and domestic and financial problems also can affect the workplace; and EAP is especially helpful for such problems.
9. Train managers and supervisors to recognize employees with problems and report them to the human resources department. Include training in conflict resolution and nonviolent response. Train in active listening skills, such as repeating to the subject the message he/she is trying to communicate and asking open-ended questions to encourage the subject to talk about his/her problems. Listen and show that you are interested in helping to resolve the problem. Do not be pulled into a verbal confrontation; do not argue. Acknowledge and validate the anger by showing empathy, not sympathy. Speak softly and slowly. Ensure that a witness is present. Maintain a safe distance, without being obvious, to provide an extra margin of safety. If a threat is made or if a weapon is shown, call the police. Consistently enforce policies.
10. Remember that outsiders (e.g., visitor, estranged spouse, and robber) may be a source of violence and protection programs must be comprehensive.
11. Ensure that a thorough and impartial investigation is conducted following a reported incident. Follow legal requirements, such as those pertaining to due process, privacy, and labor agreements.
12. If a violent incident occurs, a previously prepared crisis management plan becomes invaluable. Otherwise, a committee should be formed immediately after emergency first responders (i.e., police, EMS) complete their duties on the premises and affected employees and their families are assisted. At one major corporation, management was unprepared when the corporate security manager was shot. A committee was quickly formed to improve security and survey corporate plants. In addition to expenditures for physical security and training, an emphasis was placed on awareness, access controls, and alerts (Purpura, 1993: 150–157).
FIGURE 18-1 Policies are an essential component of a workplace violence prevention program.
The following account of workplace violence is from a news article in The Clarion-Ledger, Jackson, Mississippi (Hudson, 2004: 1A). Forty-seven employees and relatives of employees filed a federal lawsuit against Lockheed Martin claiming emotional distress following the shooting of 14 people when employees were allegedly forced back inside the plant for a “live head count.” The shooting was the state’s deadliest act of workplace violence when plant employee Doug Williams, 48, shot and killed six co-workers and wounded eight others prior to committing suicide. Lockheed Martin allegedly ordered employees to the canteen for a count and that is when employees supposedly walked near victim bodies. The lawsuit also claimed that Lockheed Martin failed to protect employees who complained that Williams threatened to shoot black co-workers, and that the company denied employee requests for security officers prior to the shooting. A Lockheed Martin spokesperson stated: “Lockheed Martin has been cleared of responsibility for this incident by state and federal authorities and is confident that the same conclusion will be reached by the court.”
One plaintiff, Henry Odom, a 35-year employee, stated in a court affidavit that he had complained to management about fights and auto thefts at the plant and asked for security officers for the premises. The affidavit stated that Williams shot him in his left arm twice and the second shot also entered his back and punctured a lung. The affidavit noted that the plant now has armed security officers on duty.
The lawsuit claimed that three weeks prior to the shooting, Williams placed a work-issued “bootie” on his head that appeared, according to some, to resemble a Ku Klux Klan hood. Management allegedly confronted him and he supposedly left the plant angry and did not return for about a week. According to the court papers, he was permitted to return to work, but required to attend an ethics course with black co-workers. He allegedly left a meeting and told workers he was angry and going to “take care of this.” He allegedly returned to the meeting, fired on some in the room, and then went to the plant floor to shoot others. The lawsuit claimed that Lockheed Martin had sufficient time to stop him and warn employees of the imminent danger he posed.
Workers’ Comp Insider (Ryan, 2005) reported that a federal appeals court upheld workers compensation as the exclusive remedy for the nine surviving victims and the families of the six workers who were killed in the Lockheed Martin shooting in Meridien. Ryan noted that this would limit damages to about $150,000. Ryan reported the following: “Exclusive remedy is a strong concept that holds up under repeated legal challenges. Workers comp is no fault by its very nature, a quid pro quo arrangement in which employers agree to provide medical and wage replacement to injured workers, and in turn, this becomes the sole remedy. In all but the most unusual circumstances, employees lose the right to sue their employer for work-related injuries. Sometimes this seems unfair to a worker because benefits are paltry when stacked side by side with enormous awards from civil litigation. But when legal challenges succeed, they weaken the system’s underpinnings. Workers comp is essentially a safety net, a system designed to provide the best for the most, not to provide individual redress for every wrong. When litigation is successful at piercing the exclusive remedy shield, it often involves employer misconduct that is highly egregious.”…“Many states require proof of willful intent. It must be demonstrated that the employer had substantial certainty that an injury would occur. In this case, the shooting victims and their surviving families sued the company on the basis of having been deprived of civil rights, alleging that management knew of the threat and ‘… knew employee Doug Williams’ racist views had created a volatile work environment but did too little to defuse the situation.’”
Personnel Protection
At home and abroad, businesses have become the target for kidnappings, extortion, assassinations, bombings, and sabotage. Terrorists use these methods to obtain money for their cause, to alter business or government policies, or to change public opinion. Organized crime groups also are participants in such criminal acts, but in contrast to terrorists, their objective usually is money. It appears that successful criminal techniques employed in one country spread to other countries. This is likely to be one reason why companies are reluctant to release details of an incident or even to acknowledge it. Coca-Cola, Chase Manhattan, B. F. Goodrich, and other companies have been victimized in the past.
Personnel protection is a broad term that focuses on security methods to protect all employees and those linked to them. These links include family; customers, visitors, and contractors; and others depending on the business. Executive protection concentrates on security methods to protect key management personnel who are high-value targets because of their position of power and authority and their value to the business. The following paragraphs begin with an emphasis on executive protection methods that are applicable to personnel protection.
Planning
A key beginning for an executive protection (or personnel protection) program is to develop a crisis management plan and team. The goals are to reduce vulnerabilities and surprises and develop contingencies. The crisis management plan can consist of threat assessments, countermeasures, policies, procedures, and lines of authority and responsibility in the event of an attack. An interdisciplinary group, if cost effective, can greatly aid the program. The group could consist of top executives, the loss prevention manager, former federal agents, counterterrorism experts, political analysts, insurance specialists, and an attorney–negotiator.
The early stages of the plan, if not the preplanning stages, would be devoted to convincing senior management that executive protection is necessary. This objective can be supported through a quality research report that focuses on risks, seeks to anticipate (not predict) events, and answers the following questions: Which executives are possible targets? Where? When? Which individuals or groups may attack? What are their methods? What are the social and political conditions in the particular country? What role has the specific government played in past incidents? Were the police or military of the foreign country involved in past incidents? Such questions require research and intelligence gathering as well as cooperative ties to government agencies of the United States and other countries. (Sources of assistance are found in the Chapter 10 box, “International Perspective: Overseas Investigations.”)
Country risk ratings offered by private firms that conduct research have been used by international corporations for many years. These ratings help businesses gauge risk, decide on travel plans, educate travelers, and for insurers, set premiums. There is inconsistency in how these firms reach their conclusions. Consumers should inquire on the methodology used to prepare these ratings. Firms often acquire information from analysts located globally and from open sources (Elliott, 2006: 36–38).
The U.S. Secret Service completed a study of assassinations of public figures in the United States during the second half of the 20th century. The findings showed that threateners do not typically make good on their threats by attacking, and attackers do not usually issue threats to the target before striking. Although threats should not be ignored, this research showed that the most serious threats are unlikely to come from those who communicate threats. So if threats are not a major signal of an attack, what are the indicators? The research found that attackers planned the attack, spoke with others about the attack, followed the target, approached the target in a controlled and secure setting, and attempted repeatedly to contact the target and visit the target’s home and a location regularly visited by the target. These latter behaviors signal a probing activity to test protection and attack strategies (Bowron, 2001: 93–97).
Education and Training
Depending on the extent of the executive protection program, many people can be brought into the education and training phase. Executives, their families, and loss prevention personnel (i.e., management, bodyguards, and uniformed officers) are top priorities. However, chauffeurs, servants, gardeners, and office workers also should be knowledgeable about terrorist and other criminal techniques, and countermeasures that include awareness, prevention strategies, personal security, recognizing and reporting suspicious occurrences, the proper response to bomb threats or postal bombs, and skills such as defensive driving. Most in-house loss prevention personnel are not experts in dealing with executive protection. Therefore, a consultant may have to be recruited.
General Protection Strategies
Gips (2007: 52–60) writes that there are three essential components of executive protection. Threat assessments investigate potential harm to a principal and the likelihood of attack. Advance procedures focus on visiting the locations where the principal is expected to visit to coordinate comprehensive security. Operations involve protecting the principal in the field and this entails countersurveillance (i.e., watching if anyone is observing the principal), assisting the principal with basic tasks to reduce exposure, defense, and rescue.
Principals should maintain a low profile and not broadcast their identity, affiliations, position, address, telephone number, e-mail address, net worth, or any information useful to enemies. Avoidance of publicity about future travel plans or social activities is wise. Those at risk should exercise care when communicating with others on the telephone, via e-mail or postal service, or in restaurants, and should dispose of sensitive information carefully.
Avoidance of Predictable Patterns
The famous Italian politician Aldo Moro, murdered in 1978, is a classic case of a creature of habit. Moro was extremely predictable. He would leave his home in the morning to attend mass at a nearby church. Shortly after 9:00 A.M., he was en route to his office. The route was the same each morning, even though plans existed for alternatives. Although five armed men guarded Moro, he met an unfortunate fate. An attack characterized by military precision enabled terrorists to block Moro’s vehicle and a following police car. Then, on the narrow street, four gunmen hiding behind a hedge opened fire. Eighty rounds hit the police car. Three police officers, Moro’s driver, and a bodyguard were killed. Moro was dragged by his feet from the car. Almost two months later Moro was found dead in a car in Rome.
Recognition of Tricks
A terrorist group or a criminal may attempt to gain entry to an executive’s residence or office under the pretext of repairing something or checking a utility meter. Repair people and government employees can be checked, before being admitted, by telephoning the employer. School authorities should be cautioned not to release an executive’s child unless they telephone the executive’s family to verify the caller.
Hiring bodyguards is a growth industry for the private sector. Bodyguards should be carefully screened and trained. Other employees (e.g., servants or gardeners) surrounding an executive likewise should be screened to hinder employment of those with evil motives.
An executive personnel file should be stored in a secure location at the company’s headquarters. If a kidnapping occurs, this data can be valuable to prevent deception by offenders, to aid the investigation, and to resolve the situation. Appropriate for the file are vitae for the executive, family members, and associated employees; full names, past and present addresses and telephone numbers; photographs, fingerprints, voice tapes, and handwriting samples; and copies of passports and other important documents.
Protection at Home
A survey of the executive’s home will uncover physical security weaknesses. Deficiencies are corrected through investing in access controls, proper illumination, intrusion alarms, CCTV, protective dogs, and uniformed officers. Burglary-resistant locks, doors, and windows hinder offenders. Consideration should be given to the response time of reinforcements. For a high-risk family, a safe room is an asset. This is a fortified room in the house that contains a strong door and other difficult-to-penetrate features. A first-aid kit, rations, and a bathroom are useful amenities. A telephone, two-way radio, and panic button connected to an external monitoring station will assist those seeking help. If weapons are stored in the room, proper training for their use is necessary.
As with security in general, it is best when methods and expenditures for personnel protection remain secret to avoid providing information to an adversary. However, this may not always be possible. The public may have access to protection information. For example, the Associated Press (2006) reported that The Charles Schwab Corporation’s proxy filing with the Securities and Exchange Commission revealed that $2.68 million was spent over three years to protect the CEO, Charles R. Schwab, as part of business operations. The news report stated that the firm paid for both a security system at the CEO’s residence (based on recommendations of a consultant) and security prior to the installation of the system. The proxy also stated that, in 2005, Schwab earned $4.25 million in salary, bonus, and perquisites.
The following list provides some protection pointers for home and family:
1. Do not put a name on the mailbox or door of the home.
2. Have an unlisted telephone number.
3. Exercise caution when receiving unexpected packages.
4. Do not provide information to strangers.
5. Beware of unknown visitors or individuals loitering outside. Call for assistance.
6. Check windows for possible observation from outside by persons with or without binoculars. Install thick curtains.
7. Make sure windows and doors are secure at all times.
8. Educate children and adults about protection.
9. Instruct children not to let strangers in the home or to supply information to outsiders.
10. When children leave the house, be sure to ascertain where they are going and who will be with them.
11. Keep a record of the names and addresses of children’s playmates.
12. Tell children to refuse rides from strangers even if the stranger says that the parents know about the pickup.
Protection at the Office
As with the residential setting, physical security is important at the executive’s office. A survey may reveal that modifications will strengthen executive protection. The following list offers additional ideas:
1. Office windows should be curtained and contain bullet-resistant materials.
2. Equip the desk in the office with a hidden alarm button.
3. Establish policies and procedures for incoming mail and packages.
4. Beware of access by trickery.
5. Monitor access to the office by several controls.
7. Access during nonworking hours, by cleaning crew or maintenance people, should be monitored by uniformed officers and CCTV.
Attacks While Traveling
History has shown that terrorists have a tendency to strike when executives (and politicians) are traveling. Loss prevention practitioners should consider the following countermeasures:
1. Avoid using conspicuous limousines.
2. Maintain regular maintenance for vehicles.
3. Keep the gas tank at least half full at all times.
4. Use an armored vehicle and bullet-resistant clothing and vests.
5. Install an alarm that foils intrusion or tampering.
6. A telephone or two-way radio will facilitate communications, especially in an emergency.
7. A remote-controlled electronic car starter will enable starting the car from a distance. This will help to activate a bomb, if one has been planted, before the driver and the executive come into range.
8. Consider installing a bomb-scan device inside the auto.
9. Headlight delay devices automatically turn headlights off one minute after ignition is stopped.
10. High-intensity lights, mounted on the rear of the vehicle, will inhibit pursuers.
11. GPS can be used to track the executive’s vehicle and the executive in case of kidnapping.
12. Protect auto parking areas with physical security.
13. Avoid using assigned parking spaces.
14. Keep doors, gas cap, hood, and trunk locked.
15. Practice vehicle key control.
16. Avoid a personalized license plate or company logo on vehicle.
17. Inspect outside and inside of vehicle before entering.
18. The chauffeur should have a duress signal if needed when picking up an executive.
19. Do not stop for hitchhikers, stranded motorists, accidents, or perhaps “police.” It could be a trap. Use a telephone to summon aid, but keep on moving.
20. Screen and train the chauffeur and bodyguards. Include the executive and the family in training.
21. Evasive driver training is vital.
22. Have weapons in auto ready for use.
23. Maintain the secrecy of travel itineraries.
25. Know routes thoroughly as well as alternative routes.
27. If being followed, use the telephone for assistance, continuously sound the horn or alarm, and do not stop.
28. For air travel, use commercial airlines instead of company aircraft. Unless the company institutes numerous security safeguards, the commercial means of air transportation may be safer. Use carry-on luggage to avoid lost luggage or having to wait for workers to locate luggage.
29. Request the second or third floor at a hotel to improve chances of escape in case of fire or other emergency.
Several executive protection strategies are applicable to salespeople, employees attending conferences, and others. A company should take steps to protect all employees to prevent injuries and death. Otherwise, a lawsuit or workers’ compensation claim may result. Many risk managers are unaware that their workers’ compensation policies do not cover employees in foreign countries (Atkinson, 2001: 19–22).
Avon Products, Inc., provides a superb illustration of an organization seeking to meet the protection needs of its employees. Initiating a global “Women and Security” program, Avon conducted extensive research on vulnerabilities of its female employees as they traveled the globe and faced greater risks than their male coworkers face. The Avon security team found that South Africa, the Philippines, Russia, and Latin America were high-risk areas for women. South Africa, for example, has one of the highest levels of sexual assault in the world. Latin America is noted for abductions at ATMs. The Avon program focused on brochures, self-defense training, and one-on-one evaluations. Brochures are country-specific and include tips such as not wearing expensive-looking jewelry because street robbers do not know a genuine from fake and avoiding public restrooms, if possible, because rapists sometimes disguise themselves as females. Employees expressed a need for self-defense training, which was provided. It aims to help women avoid and deter attack. The one-on-one evaluations consist of a security staff member who observes the daily routine of the employee working overseas to offer suggestions for improved protection. The “Women and Security” program has resulted in increased safety, less anxiety, and higher productivity (Shyman, 2000: 58–62).
Kidnap Insurance
As businesses increasingly become globalized, the risk of kidnapping also increases. Corporations obtain kidnap-ransom insurance policies for protection against the huge ransoms that they might be forced to pay in exchange for a kidnapped executive. Each year millions of dollars in premiums are paid to insurance companies for these policies. Of course, the insurance company requires certain protection standards to reduce the premium. Insurance companies are reluctant to admit writing these policies because terrorists may be attracted to the insured company executive. Moreover, these policies often contain a cancellation clause if the insured company discloses the existence of the policy. Insurance should be considered one of the last strategies in a long line of defenses. Insurance acts as the “backup” loss prevention strategy.
According to the Insurance Information Institute (2007), incidents of kidnapping for ransom money are rising. Kidnap and ransom insurance is sold as part of a comprehensive business insurance package, as a stand-alone policy for individuals, and from a few insurers as part of their homeowners insurance policy. Corporate policies generally cover most kidnapping-related expenses including hostage negotiation fees, lost wages, and the ransom amount. Policies for individuals pay for the expenses of dealing with a kidnapping but do not reimburse for ransom payments.
Statistics on global kidnapping are difficult to ascertain, especially since ransom payments are kept confidential and disclosure of a payment can increase the risk of subsequent kidnappings. In addition, many cases are not reported. One insurer’s brochure, containing statistics from Control Risks Group, a consulting firm, offers the following: the problem is increasing; more that 14 countries recorded cases of $25 million or more in recent years; and kidnappers usually settle for between 10% and 20% of the demand. The outcomes were listed as follows: 2% escaped; 7% were rescued; 9% resulted in death; 15% were released without payment; and 67% involved payment. Killings usually occur during abduction rather then during negotiation (Petersen International Underwriters, 2003).
In early 2007, Apuzzo (2007) reported that Chiquita Brands International revealed that it had agreed to a $25 million fine after admitting it paid terrorists to protect its workers in a dangerous region of Colombia. The fine was part of a plea-bargaining agreement with the U.S. Department of Justice that investigated the company’s payments to right-wing paramilitaries and leftist rebels the U.S. government classifies as terrorist groups. Federal prosecutors said company executives paid about $1.7 million between 1997 and 2004 to the United Self-Defense Forces of Colombia, the National Liberation Army, and the Revolutionary Armed Forces of Colombia. Prosecutors said that Chiquita disguised the payments in company accounting records. Colombia maintains one of the highest kidnapping rates among countries of the world. Companies are known to pay protection money; however, the amount paid is impossible to ascertain. Although companies supposedly have extensive security to protect employees, terrorist groups have fought intensely in Colombia’s banana growing region.
What is your opinion of Chiquita Brands International paying money to terrorists to protect its workers in Colombia?
If Abduction Occurs
After abduction takes place, the value of planning and training becomes increasingly evident. Whoever receives the kidnapper’s telephone call should express a willingness to cooperate. The recipient should ask to speak to the victim; this could provide an opportunity to detect a ruse. Asking questions about the hostage (e.g., birth date, mother’s maiden name) to either the hostage or the kidnapper improves the chances of discovering a trick. Prearranged codes are effective. The recipient should notify appropriate authorities after the call. If a package or letter is received, the recipient should exercise caution, limit those who touch it, and contact authorities.
People who attempt to handle the kidnapping themselves can intensify the already dangerous situation. Loss prevention personnel and public law enforcement authorities (i.e., the FBI) are skilled in investigation, intelligence gathering, and negotiating. These professionals consider the safety of the hostage first and the capture of the offenders second, although the reverse is frequently true in many foreign countries.
After abduction, the company’s policies for action should be instituted. These policies ordinarily answer such questions as who is to be notified, who is to inform the victim’s family, what are the criteria for payment of the ransom, who will assemble the cash, and who will deliver it and how. Policies would further specify not disturbing the kidnapping site, whether or not to tap and record future calls, how to ensure absolute secrecy to outsiders, and use of a code word with the kidnappers to impede any person or group who might enter the picture for profit.
The crisis management team should be authorized to coordinate the company’s response to the kidnapping. Because a terrorist act can take place at any time, the team members will have to be on call at all times.
Guidelines for the behavior of the hostage are as follows:
1. Do not struggle or become argumentative.
3. Occupy your mind with all the incidents taking place.
4. Note direction of travel, length of time, speed, landmarks, noises, and odors.
5. Memorize the characteristics of the abductors (e.g., physical appearance, speech, or names).
6. Leave fingerprints, especially on glass.
7. Remember that an effort is being made to rescue you.
8. Do not escape unless the chances of success are in your favor.
Here we cover a sample of technologies that assist in the protection of people (Simovich, 2004: 73–80; Besse and Whitehead, 2000: 66–72). The Web offers input for threat assessments, planning personnel protection, and in helping to convince senior management that protection is necessary. It contains a wealth of government information that is free. Private sources are also available for a fee. Companies that provide information on political violence, terrorism, and so forth, often make the information available through telecommunication devices such as GPS systems and satellite phones; however, some countries prohibit foreigners from entering with such equipment. The Web offers opportunities to check people, businesses, trip routes, and many other subjects of inquiry. The Web also contains information of a negative nature from terrorists, activists, and hate groups. “Sucks.com” sites, such as walmartsucks.com and aolsucks.com, are used to vent at companies. A variety of intelligence can be gathered from such sites. (See Chapter 10 for government and private sector resources and Web sites.)
For advance planning, digital cameras can document travel routes, buildings, airports, etc., and images can be transmitted to headquarters for analysis. Portable, wirelessalarm and CCTV systems offer protection for hotel rooms, vehicles, airplanes, and other locations. Pinhole lens cameras, built into almost anything, serve as a witness to an attack and aid in identifying and prosecuting offenders. Thermal imagers, which detect heat rather than light, can be used in total darkness to detect intruders or for search and rescue. Another portable system is the automatic external defibrillator (AED) that delivers electrical shocks to restore normal heart rate for those in cardiac arrest. The GPS system found in vehicles uses a network of satellites that transmit data to ground receivers to navigate and map routes. In addition, it can track the executive’s vehicle and monitor speed, direction, and alarms transmitted from the vehicle. Cellular technology can be added to permit audio monitoring and remote start or kill of the engine. Remote systems are vulnerable to hacking, so defenses should include encryption. Although air bags in vehicles offer safety, if protection specialists ram their way out of an attack, or if an attacker backs into the protected vehicle, the activation of an air bag can hinder escape. One option for careful consideration is to disconnect the air bag on the driver’s side.
Who has the advantage when a principal is targeted for attack, the principal and the protection team or the adversary? Explain your answer.
Substance Abuse in the Workplace
Substance abuse refers to human abuse of any substance that can cause harm to oneself, others, and organizations. This problem is pervasive. Millions of people abuse substances. An employee substance abuser can cause harm in several ways. Examples are abusing legal and illegal drugs or other substances (Figure 18-2) and causing production problems or an accident; selling drugs to others in the workplace; and stealing products or information assets to support a drug habit. In addition, drug and alcohol abuse is linked to tardiness, absenteeism, turnover, and violence.
FIGURE 18-2 Abuse of legal and illegal drugs and other substances is a problem in the workplace.
Research has shown that 12% of the workforce reported being heavy drinkers and that 47% of industrial injuries and 40% of deaths in the workplace was linked to alcohol. About 14 million Americans use illegal drugs. As workers, they are 3.6 times more likely to be involved in a workplace accident and five times more likely to file a claim for workers’ compensation than nonusers (Elliott and Shelley, 2005). It is estimated that substance abuse by employees costs businesses in the United States more than $250 billion annually in increased medical costs, lost productivity, and workplace accidents (DeCenzo and Robbins, 2005: 94).
No occupation is immune to substance abuse. Those afflicted are from the ranks of blue-collar workers, white-collar workers, supervisors, managers, and professionals.
Countermeasures
Unenlightened managers ordinarily ignore substance abuse in the workplace. As with so many areas of loss prevention, when an unfortunate event occurs (e.g., drug-related crime, production decline, or accident due to substance abuse), these managers panic and react emotionally. Experienced people may be fired unnecessarily, arrests threatened, and litigation becomes a possibility. In contrast, action should begin before the first sign of abuse.
Here is a list of action for an anti-substance abuse program for the workplace:
1. Form a committee of specialists to pool ideas and resources.
2. Seek legal assistance from an employment law specialist.
3. Large corporations can afford to hire a substance abuse specialist. Outsourcing is another option. Also, contact the local government-supported alcohol and substance abuse agency.
4. Prepare policies that include input from a variety of employees. Policies should focus on the company’s position on abuse of substances, including alcohol; job performance and safety as it relates to substance abuse; drug deterrence such as urinalysis; the consequences of testing positive; the responsibility of employees to seek treatment for abuse problems; available assistance; and the importance of confidentiality.
5. Education and prevention programs can assist employees in understanding substance abuse, policies, and making informed decisions on life choices, health, and happiness. Use signs in the workplace and at entrances, and periodically distribute relevant educational materials.
6. Ensure that supervisors are properly trained to recognize and report substance abuse.
7. Consider an undercover investigation to ascertain drug usage in the workplace.
Employee Assistance Programs (EAPs)
Employee assistance can be traced to the origin of Alcoholics Anonymous (AA), founded in 1935. AA views alcoholism as a disease requiring long-term treatment. Employee assistance programs (EAPs) were first introduced in the 1940s, in U.S. corporations. Thousands of these programs exist today in the public and private sectors, where they incorporate a broad-based approach to such problems as substance abuse, depression, and marital and financial problems. These programs are characterized by voluntary participation by employees, referrals for serious cases, and confidentiality. The goal of EAPs is to help the employee so he or she can be retained, saving hiring and training costs. An organization may establish its own EAP or outsource the program. Initial EAP programs were characterized by “constructive confrontation” (i.e., correct the problem or leave). Today, the philosophy is that a company has no right to interfere in private matters, but it does have a right to impose rules of behavior and performance at work (Elliott and Shelley, 2005; Ivancevich, 2001: 464).
Research is needed on the effectiveness of EAPs, what problems it ameliorates, what problems it shows limited, if any, success, and how it can be enhanced. For instance, research by Elliott and Shelley (2005) found that there were no differences in the accident rates of employees prior to and following EAP interventions.
Legal Guidelines
The federal Anti-Drug Abuse Act of 1988 is an attempt to create a drug-free workplace. The law requires federal contractors and grantees to prepare and communicate policies banning illegal substances in the workplace and to create drug awareness programs and sanctions or rehabilitation for employees abusing substances. Federal contracts and grants are subject to suspension for noncompliance or excessive workplace drug convictions. Another form of regulation includes industries regulated by the U.S. Department of Transportation, such as airline, motor carrier, and rail, which are required to institute substance abuse programs, including drug testing. Additional mandates that affect substance abuse programs in the workplace include Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act of 1990, U.S. Department of Defense regulations, state drug testing laws, and state workers’ compensation laws (U.S. Drug Enforcement Administration, 2003).
Drug Testing
Risk managers have seen a dramatic decrease in health insurance and workers’ compensation claims following drug testing. In addition, insurance companies are encouraging companies to implement drug testing programs to reduce premiums. Furthermore, those companies that do not test become a magnet for those who are abusers (Myshko, 2001: 44–46).
Here is a list of items to assist in planning a drug-testing program (Gips, 2006: 50–58; Smith, 2004):
• Drug testing must be well planned. Questions include the following: What type of test? Who will do the testing? Cost? Who will be tested? What circumstances will necessitate a test? What controls will prevent cheating and ensure accuracy? Do the laboratory and its personnel comply with state or federal licensing and certification requirements? Are all legal issues considered?
• Drug testing focuses on urine, hair, and blood. Of the approximately 55 million drug tests performed in the United States annually, 90% are urine tests. Hair analysis is more expensive. Blood testing is used rarely, such as when an employee is unconscious from an accident and in an emergency room; for a person on dialysis; under a court order; or for a deceased person.
• Following legal research, especially of state law on drug testing and privacy, employers should consider an offer of employment to applicants contingent upon passing a drug test. Include this requirement in employment ads.
• Ensure drug testing is fair and applied equally.
• Randomly drug test, test when an employee shows behavioral or physical indications of substance abuse, and test following an accident.
• Because of an industry of products on the Web to adulterate or substitute for urine specimens, some companies are using multiple drug tests.
• Drug testing of hair is less likely to be tampered with when compared to urinalysis. Hair testing shows evidence of drugs much farther back in time than urinalysis.
• Specimen validity testing is gaining momentum from the federal government to ensure specimens are not adulterated or substituted.
• Saliva testing and pupillometry (i.e., measurement of pupils’ reaction to light) are in the early stages of development.
• If a company shows that the percentage of drug tests that turn up positive is decreasing, caution is advised because employees may be getting better at subverting drug tests.
Trace detection should be used with caution. It consists of gathering minute particles of drugs in the workplace (e.g., at workstations or rest rooms) by using cloth swabs and then analyzing the swabs with a desktop instrument to detect a variety of drugs. This technique can possibly gauge the types of drugs in the workplace and serve as an aid to drug education and prevention. It presents difficulties if used for investigative and prosecutorial purposes.
What do you think are the most successful countermeasures against substance abuse in society and in the workplace?
Alcoholism
An alcoholic is defined as someone who cannot function on a daily basis without consuming an alcoholic beverage. Alcohol is the most abused drug in America. In the United States, there are about 15 million adults who have alcohol-related problems (Elliott and Shelley, 2005). These figures do not include the millions who are on the fringe of alcoholism. It is often a hidden disease, whereby the alcoholic hides the problem from family, friends, physicians, and himself or herself. Some major indicators are heartburn, nausea, insomnia, tremor, high blood pressure, morning cough, and liver enlargement. The alcoholic often blames factors other than alcohol for these conditions.
Today, many businesses are no longer hiding the problem and rely on an EAP. In addition, Alcoholics Anonymous (AA), an organization for alcoholics and recovered alcoholics, run by people who have had a drinking problem, has had more success than most organizations.
An employee with a drinking problem affecting the workplace is advised of “helping agencies,” in addition to internal and external policies and procedures and what is expected of him or her by the employer regarding steps for recovery. Health insurance benefits and company disability income usually are applicable. Unless the employee takes heed in seeking assistance, dismissal may occur because of poor job performance. The threat of job loss jolts many alcoholics into recognizing their serious situation and accepting treatment.
Types of Substances and Abuse
The explanation of four terms can assist the reader in understanding the human impact of various substance abuse categories.
• Psychological dependence: Users depend so much on the feeling of well-being from a substance that they feel compelled toward continued use. People can become psychologically dependent on a host of substances. Restlessness and irritability may result from deprivation of the desired substance.
• Addiction: Certain substances lead to physiological (or physical) addiction. This happens when the body has become so accustomed to a substance that the drugged state becomes “normal” to the body. Extreme physical discomfort results if the substance is not in the body.
• Tolerance: After repeated use of certain drugs, the body becomes so accustomed to the drug that increasing dosages are needed to reach the feeling of well-being afforded by earlier doses.
• Withdrawal: A person goes through physical and psychological upset as the body becomes used to the absence of the drug. Addicts ordinarily consume drugs to avoid pain, and possible death, from withdrawal. Symptoms vary from person to person and from substance to substance. An addict’s life often revolves around obtaining the substance, by whatever means, to avoid withdrawal.
Five types of substances—narcotics, depressants, stimulants, hallucinogens, and inhalants—are discussed here. According to Gips (2006), marijuana was found most frequently (more than half) in positive drug tests from employees. Cocaine (15%) and amphetamines (11%) followed it. Amphetamines include methamphetamine.
Narcotics
Narcotics include opium, its derivatives, and their synthetic equivalents. Drugs in this category are heroin, morphine, codeine, and methadone, among others. Such drugs are used to relieve pain and induce sleep. The method of consumption is injection, oral, or inhalation. Both psychological and physiological dependence is typical, as well as a tolerance potential.
Depressants
Depressants fall into several categories: barbiturates include phenobarbital and secobarbital (Seconal); tranquilizers include Valium and Librium; nonbarbiturate hypnotics include methaqualone (Quaalude); and miscellaneous depressant drugs include alcohol and chloroform. A depressant affects the central nervous system. Barbiturates ordinarily are prescribed for insomnia, whereas tranquilizers calm anxiety. Other depressants are used prior to surgery. Abuse of these drugs can lead to psychological and physiological dependence. Withdrawal is painful and can be fatal. Depressants have a tolerance potential. These drugs are taken orally or injected. They are obtained by a doctor’s prescription or through illegal channels. Symptoms of depressant use are similar to that of alcohol use: drowsiness, slurred speech, disorientation, constricted pupils, irritability, and slow reflexes.
Stimulants
There are several types of stimulants; caffeine, amphetamine, methamphetamine, and cocaine are the most common. These drugs affect the central nervous system and generally cause increased alertness soon after consumption, but restlessness and irritability are characteristic of long-term usage. There is a tolerance potential plus a susceptibility to dependence.
Caffeine is found in coffee, tea, cola drinks, and No-Doz. Increased alertness may be followed by insomnia, gastric irritation, and restlessness.
Amphetamines are widely used stimulants that are swallowed or injected. They are prescribed for narcolepsy (chronic sleepiness). Illegal amphetamines typically originate from legitimate sources. Abuse is characterized by anxiety, talkativeness, irritability, and dilated pupils.
Methamphetamine is chemically related to amphetamine but much more potent, longer lasting, and more harmful to the central nervous system. It can be made in small, illegal laboratories, where its production is dangerous to the people in the labs, neighbors, and the environment. It is referred to by many names, such as “speed,” “meth,” and “chalk.” Methamphetamine hydrochloride, clear chunky crystals resembling ice, which can be inhaled by smoking, is referred to as “ice,” “crystal,” “glass,” and “tina.” The intoxicating effects of the drug, whether it is injected or taken in other ways, can alter judgment and inhibition and lead people to engage in unsafe behaviors. Most major metropolitan areas in the United States reported increases in the amounts and purity of methamphetamine smuggled into the United States from Mexico (National Institute on Drug Abuse, 2006).
Legally, cocaine is a narcotic, but physiologically it is a stimulant. It is expensive and the “high” is short-lived. The history of cocaine is interesting. It used to be an ingredient in Coca-Cola. Sigmund Freud experimented with it. The user inhales cocaine into the nose or injects it. Symptoms of abuse are similar to those of amphetamines plus damage to nasal membranes and the potential for hallucinations and hostile behavior.
Crack is a stimulant drug processed from cocaine hydrochloride by using baking soda and water and then heat to remove the hydrochloride. The pebble-sized crystal remaining, called crack, is smoked in a variety of devices. Crack is popular because it is less expensive than cocaine and when smoked it is more rapidly absorbed than snorted cocaine.
Hallucinogens
Hallucinogens can produce a trance, fright, and irrational behavior. Examples are LSD, PCP, mescaline, and psilocybin.
Marijuana is categorized by itself. It is sometimes categorized as a hallucinogen, but its actions are different from that of LSD. Both marijuana and its derivative, hashish, are widely used. Because of widespread cultivation of hemp to produce rope prior to the Civil War, marijuana grows wild in almost every state. Because of so many users today, marijuana use is controversial. Many states have decriminalized (i.e., reduced the penalty for) the offense. The effects of usage depend on the individual and the potency. It may distort perceptions of time and space and reduce concentration, learning, and memory. There is no physiological dependence. Psychological dependence is possible. Research on tolerance is inconclusive. Millions of people smoke marijuana occasionally to feel relaxed and carefree.
LSD was popularized in the 1960s by the youth “counterculture.” Use was touted as a consciousness-expanding experience. The effects vary greatly. There is no physiological dependence. Bizarre hallucinations, which can be either beautiful or terrifying, result from usage.
Inhalants
Inhaling volatile chemicals can produce intoxication. This can occur by one’s own volition or by accident due to poor ventilation. All employees should understand both causative factors.
Two types of volatile chemicals are volatile solvents and anesthetics. Volatile solvents include a variety of glues or liquid cements, cleaning fluid, paint thinner, and paint remover. Anesthetics are found in medical facilities for surgical purposes. Nitrous oxide (laughing gas) and ether are among the anesthetics.
Those who seek an altered state or “high” gather the substance or gas in a plastic bag and place it over the mouth and nose before breathing. Direct breathing from the container holding the substance is another method. Physiological dependence is nil, but a tolerance and psychological dependence may result. The effects are numerous and varied: intoxication, chemical odor on the person, drowsiness, stupor, and hallucinations.
Information Security
Information security protects an organization’s information assets through a broad based, well-planned, and creative program of strategies that consider the widest possible risks from humans, technology, accidents, disasters, or any combination of factors. A balanced information security program avoids overemphasizing perimeter security (Figure 18-3) since the greatest threat is from within. Information security is an extremely challenging undertaking because an organization can expend an enormous amount of resources on the protection of information assets and, as examples, one leak by one employee (e.g., on a telephone, in an e-mail, through another type of electronic device, or at a conference) or one intrusion by an outsider (e.g., electronic surveillance or cyber threat), can result in economic loss.
FIGURE 18-3 A balanced information security program avoids overemphasizing perimeter security since the greatest threat is from within.
Curtis and McBride (2005: 107–108) write that information security applies numerous strategies to ensure the availability, accuracy, authenticity, and confidentiality of information. Availability ensures that users can access information and not be blocked by, for example, a denial-of-service attack. Accuracy addresses issues of errors (e.g., by an employee) and the integrity of information (e.g., a hacker remotely accesses an IT system to manipulate data). Authenticity means that information and its sender are genuine. Phishing, for instance, can lead to identity theft and loss of sensitive information. Confidentially ensures that only authorized individuals access information.
Information assets contain a combination of economic value, property right, specialized knowledge, and competitive advantage that may be written, verbal, electronic, or in another form. The information often is extremely valuable (e.g., a secret formula) and may represent the lifeblood of an organization. Depending on the source, information assets may be termed “sensitive information” or “proprietary information.” ASIS International (2007: 7–8) prepared an Information Asset Protection Guideline that offered the following terms and definitions:
Proprietary Information: As defined by the Federal Acquisition Regulation (48 CFR 27.402 Policy): A property right or other valid economic interest in data resulting from private investment. Protection of such data from unauthorized use and disclosure is necessary in order to prevent the compromise of such property right or economic interest.
Sensitive Information: Information or knowledge that might result in loss of an advantage or level of security if disclosed to others.
For simplicity, the term “information assets” is emphasized here. Subsequent pages explain corporate intelligence gathering, espionage, and countermeasures. Espionage is the act of spying which is a criminal offense. Business espionage seeks a competitor’s information assets through illegal means. Government espionage seeks not only a competitor’s information assets, but also military and political secrets. Previous sections of this book elaborate on security, fire protection, and emergency management for assets, besides people. In addition, we must not forget that information pertaining to the privacy of individuals requires protection. This would include credit, medical, educational, and other records protected under various laws as covered earlier.
Common types of information assets that might be sought by a spy are the following: product design, financial reports, engineering data, tax records, secret formulas, marketing strategies, cost reduction methods, research data, client or customer information, trade secrets, human resources records, patent information, computer programs, oil or mineral exploration maps, mergers, and contract information.
A trade secret, supposedly known only to certain individuals, is a secret process used to produce a salable product. It may involve a series of steps or special ingredients. A famous trade secret is the formula for Coca-Cola. The holder of a trade secret must take steps to maintain secrecy from competitors. If an employee were to reveal a trade secret to a competitor, the courts could issue an injunction, prohibiting the competitor from using the secret. Money damages might be awarded.
ASIS International (2007: 8) defines trade secret as follows: “All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processed, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.”
A patent provides protection for an invention or design. If a competitor duplicates the device, patent laws are likely to be violated and litigation would follow. Competitors often engineer around patents.
ASIS International (2007:7) defines patent as follows: “Information that has the government grant of a right, privilege, or authority to exclude others from making, using, marketing, selling, offering for sale, or importing an invention for a specified period (20 years from the date of filing) granted to the inventor if the device or process is novel, useful, and nonobvious.”
A trademark includes words, symbols, logos, designs, or slogans that identify products or services as coming from a common source. McDonald’s golden arches serve as an example.
A copyright provides protection for original works in any medium of expression by giving the creator or publisher exclusive rights to the work. This type of protection covers books, magazines, musical scores, movies, art, and computer software programs.
Corporate Intelligence Gathering: Putting It in Perspective
Corporate intelligence involves gathering information about competitors. It ranges from the illegal activity of business espionage to the acceptable, universally applied practice of utilizing salespeople to monitor public business practices of other companies. Corporate intelligence gathering, when done legally, makes good business sense, and this is why companies such as General Electric, Digital Equipment, and Gillette have established formal intelligence programs. Because of unethical and illegal behavior by certain people and firms when gathering intelligence, the whole specialization has earned a bad reputation. However, many avenues for gathering intelligence are legal. Let us first list the reasons for corporate intelligence gathering (Laczniak and Murphy, 1993: 1–4):
• Executives should take advantage of information that is publicly available to fulfill their fiduciary duty to shareholders. Because the Cordis Corporation, a pacemaker manufacturer, for example, was unsure of why its new line did not show improved sales, it asked its salespeople to check the tactics of the competition. The salespeople found that physicians were being offered cars and boats to stay with the competition. When Cordis increased educational support for doctors, added more salespeople, and matched the giveaways, sales increased.
• Competitive intelligence is a basis for strategic planning. One intelligence seminar director found a competitor using a “dirty trick” by enrolling in his course under an assumed name.
• It is necessary, in order to be successful against global competitors. The Japanese have “deployed armies of engineers and marketing specialists” to other countries. Likewise, U.S.-based firms have set up offices abroad to gather information.
• It can be useful for the introduction of a new product. Coors did extensive chemical analysis on Gallo’s wine coolers and found that it could not compete on price.
The Society of Competitive Intelligence Professionals (2007) views its vocation as an honorable profession with a code of ethics. The group defines competitive intelligence as “the legal and ethical collection and analysis of information regarding the capabilities, vulnerabilities, and intentions of business competitors.” Furthermore, the group states
While some decision makers may attempt to sail blindly through the global marketplace, it is the duty of the trained CI professional to show them alternative courses that will avoid potential dangers, and to take advantage of the tactics and strategies that lead to bottom-line success.
CI is not spying. It is not necessary to use illegal or unethical methods in CI. In fact, doing so is a failure of CI, because almost everything decision makers need to know about the competitive environment can be discovered using legal, ethical means. The information that can’t be found with research can be deduced with good analysis, which is just one of the ways CI adds value to an organization.
The following lists provide guidelines for information gathering. Ethical sources include
• Published material and public documents from government
• Purchasing access to business information databases (e.g., LexisNexis; Dun and Bradstreet).
• Disclosures made by competitors
• Market surveys and consultants’ reports
• Financial reports and brokers’ research reports
• Trade fairs, exhibits, and competitors’ brochures
• Analysis of a competitor’s products
• Legitimate employment interviews with people who worked for a competitor
A company wishing to detail prohibited activities in its policy should include the following (Horowitz, 2005; Ehrlich, 2002: 11–14):
• Electronic eavesdropping or wiretapping
• Misrepresenting your identity or that of your company
• Inducing another to violate his duty of confidentiality to his current or former employer
• Accepting trade secret or proprietary information through a confidential relationship which you then violate
• Accepting trade secret or proprietary information from another knowing it was obtained through a violation of law
Because intellectual property assets are often more valuable to businesses than tangible assets, Congress passed the Economic Espionage Act of 1996. This act makes it a federal crime for any person to convert a trade secret to his or her own benefit or the benefit of others with the intent or knowledge that the conversion will injure the owner of the trade secret. The penalties for any person are up to 10 years of imprisonment and a fine up to $250,000. Corporations can be fined up to $5 million. If a foreign government benefits from such a crime, the penalties are even greater. The act defines trade secret broadly as information that the owner has taken “reasonable measures” to keep secret because of the economic value from it. Case law has further defined the act; the greater the protection and value of the information and the fewer people who know about the information, the more likely the courts will recognize its status as a protectable trade secret (Halligan, 2001: 53–58).
The act raises two major concerns for management:
• Protecting trade secrets: This would include a comprehensive information security program.
• Hiring employees from competitors: Employers may violate the act if they hire employees from other firms who may bring with them trade secrets.
Prevention includes a thorough interview of applicants, ascertaining whether the applicant signed contracts or agreements with others for the protection of sensitive information, and use of a company form that signifies that the new employee understands the act’s legal requirements.
The act also links the economic well-being of the nation to national security interests. In addition, it allows the FBI to investigate foreign intelligence services bent on acquiring sensitive information of U.S. companies.
At some point, a company may have to decide whether to report a violation of the act to law enforcement authorities. The disadvantages are lost time and money, unwanted publicity, and the fact that the defendant’s attorney may request secrets that could then be revealed in court. Although the act offers some protection for information assets, this protection may depend on how a judge or attorneys in the case interpret the act. Discovery proceedings may result in information loss greater than the original loss. Also, the case may be lost in criminal and civil courts. Therefore, management must carefully weigh decisions on legal action. Another point to consider is that the act requires businesses to protect themselves from losses, which presents liability issues relevant to due diligence (Nolan, 1997: 54–57). Prevention is seen here, as with many other vulnerabilities, as the key avenue for protection.
Horowitz (1998: 6) wrote of the confusion and uneasiness for competitive intelligence professionals following the passage of the Economic Espionage Act of 1996. These specialists, and related contract firms and proprietary departments, were unsure of how they should conduct their business of gathering information. Horowitz wrote
Herein lies the confusion. While the EEA makes trade secret law a federal criminal matter—this for the first time in U.S. history—the activities it criminalizes were prohibited under state law and/or unacceptable under SCIP’s Code of Ethics. In other words, the rules are fundamentally the same, but the consequences of violating them are different. An activity that had always been a violation of state trade secret law can now result in not only state civil liability but federal criminal liability as well.
Espionage Techniques and the Vulnerabilities of Technology
The techniques used by adversaries to acquire information assets are so varied that defenders must not fall into the trap of emphasizing certain countermeasures while “leaving the back door open.” For example, a company may spend hundreds of thousands of dollars defending against electronic surveillance and wiretapping while not realizing that most of the losses of information assets are from a few employees who are really spies for competitors.
Three patterns of illegally acquiring information assets are internal, external, and a conspiracy that combines the two. An internal attack can be perpetrated by an employee who sells a secret formula to a competitor, for example. An external attack occurs when an outsider gains unauthorized access to the premises and steals product design data. The combined conspiracy is seen when an employee “just happens” to leave a secret mailing list on a desk and unlocks a rear door to aid an intruder. Furthermore, information assets are lost through legal means applied by competitors.
Spies use numerous techniques. A spy might assemble trash from a company and an executive’s home to “piece together” information. Spies may claim they are a student conducting a survey, as a “pretext” to acquire information. Several spies may each ask certain questions only, and then later, assemble the “big picture.” Another method is tricking a key employee into being discovered in a compromising position (e.g., in bed with a prostitute), photographing the incident, and then blackmailing the employee to acquire information. A spy might attempt to gain employment at a target company. Sometimes, proposals for a merger, acquisition, or joint venture are used as a cover to obtain information.
Companies with inadequate information security programs can lose information assets in several easy ways, such as through company speeches, publications, trade meetings, disgruntled employees, consultants, and contractors. Information loss can occur at any location from conversations or phone calls. A spy might frequent a tavern or conference populated by engineers to listen to conversations. Another way in which businesses can lose information assets is when an overly eager salesperson supplies excessive information in an attempt to impress a customer.
Reverse engineering is a legal avenue to obtain a look at a competitor’s product. The competitor simply purchases the product and dismantles it to understand the components. Patent applications, which are available to the public, can reveal valuable information. Some companies deliberately patent their failures to lead competitors astray.
Various devices are available to the spy. Wiretapping, electronic listening devices, and pinhole lens cameras are examples. A handheld document scanner, the size of a large pen, can capture numerous pages of text and graphics. A competitor could plant RFID readers to report on the movement of products to collect business data.
In our age of technological marvels, numerous devices we use daily can compromise information security. Ashley (2006: 84–85) describes such vulnerabilities and offers countermeasures. In order to attract customers, communications companies offer a variety of features beyond basic service. For instance, a ringtone is a sound file that is downloaded to a cell phone. If a virus has been loaded into the file, it infects the phone, so use only the ringtones that are with your phone. Bluetooth permits wireless communications over short distances (i.e., 30 feet or less), which facilitates the use of a cordless headset with a cell phone. Victimization may occur if the security feature of Bluetooth is turned off. An offender may be nearby, use a Bluetooth probe, transfer files into the victim’s phone, and receive information from the phone. Bluetooth usage with other devices (e.g., laptop or PDA) creates additional vulnerabilities. Cell phones can also be compromised through instant and text messages, so avoid such messages from unknown sources. PDA’s are subject to similar attacks.
Piazza (2005: 78–87) further explains the vulnerabilities of Bluetooth technology. This trade name is from a 10th century Danish king. It refers to a short-range wireless radio chip created in the 1990s that is in numerous devices. Bluetooth enables wireless communications in what is called a personal-area network (PAN). Attackers are developing technology that can access PANs from greater distances similar to traditional wireless networks. Several types of attacks can be applied to Bluetooth technology. One type can make an unauthorized connection to a cell phone and copy its contents, including the unique numerical identifier that an offender needs to clone a phone. In one scenario, Piazza describes how a tech-savvy individual was able to access the cell phone of a manager of a chain of coffee shops and retrieved door PIN codes, alarm codes, and safe combinations without the manager’s knowledge. Other vulnerabilities include taking control of a victim’s cell phone, making calls, sending and reading text messages, and performing other tasks. In another scenario, a tech-savvy individual focused on a group talking at a table in a bar with the cell phone of the victim sitting on the table. A connection was made to the targeted phone, it was signaled to dial the tech-savvy individual’s voicemail, and it recorded the conversation without the knowledge of the victims.
Piazza (2007: 48) reports on the threats from USB flash drives. (USB are the initials for Universal Serial Bus, a standard that supports data transfer.) These storage devices can hold an enormous amount of data that can leave the workplace. In addition, if a certain program infects a computer, the program will retrieve data from USB drives or other portable devices connected to the compromised computer. Another program takes the data from the USB drive and sends it out via an e-mail. Flash drives are capable of running software programs and one version allows an employee to circumvent security and visit prohibited Web sites via anonymous proxies.
Miller (2007: 22–30) asks us to think about all the ways we move and store data on mobile devices. She refers to USB ports that support a variety of portable storage devices, such as flash drives, portable hard drives, music and video players, and printers. Miller also refers to data storage on CDs and DVDs and the threat from unprotected WiFi and Bluetooth. WiFi means wireless fidelity. A WiFi enabled device (e.g., laptop, cell phone, or PDA) can access the internet when near an access point called a hotspot. WiFi allows networks to be deployed without cabling; however, WiFi networks can be vulnerable to monitoring and copying data, unless high-quality encryption is employed.
Although an adversary can travel to a targeted company to conduct surveillance, take photographs and video the location, the use of satellite images is increasing. These Internet services are free for basic services. More sophisticated services permit zoom, rotation, and 3D views of facilities and terrain. This vulnerability is challenging to counter. However, consideration should be given to facility design, landscape architecture, and transportation modes that disguise operations.
Mallery (2006: 76) writes of Internet-based methods of removing information assets from organizations. An employee can import their client information into a variety of free e-mail programs. Another Internet-based tool is online data storage that permits users to upload data to a secure site. The data is accessible from anywhere, and when an employee leaves for another employer, or selects to share or sell the data, it is readily available. Countermeasures include a policy, firewall, and periodic checks of Internet activity.
Mallery (2006: 78) also writes of keystroke capturing hardware. This device is installed between a keyboard and a computer; no additional software or power is required for its operation. In addition, keyboards are available that contain an embedded keystroke chip. The potential loss of information assets through this technology is enormous. It is extremely difficult to detect. Although restricted access and CCTV can reduce this threat, installation time is not lengthy and a cleaning crew or service technician can be a risk, as with the installation of other unauthorized devices. At the same time, monitoring software can be installed remotely and discreetly e-mail data to a specified address.
A major point from these descriptions of vulnerabilities is that technology is a “blessing and a burden.” Technology makes our lives easier; however, we face a never-ending “cat and mouse” cycle of new technology confronted by offenders seeking to exploit and profit from it as defenses follow.
Furthermore, a good spy does not get caught, and quite often, the victimized firm does not discover that it has been subjected to espionage. If the discovery is made, the company typically keeps it secret to avoid adverse publicity.
The Business Espionage Controls and Countermeasures Association (2007) states
The purpose of the association is to research and exchange information about business espionage controls and countermeasures; to establish and encourage a code of ethics within the profession, and to promote our professional image within the business community through a Certified Confidentiality Officer (CCO) program.
We identified four primary areas of risk as one of our first BECCA research projects. We called them the “Four Faces of Business Espionage,” a term now widely used by controls and countermeasures experts. These risk factors are Pretext Attacks [interviews], Computer Abuse, Technical Surveillance, and Undercover Attacks.
Pretext interviews are disguised interviews or “surveys” that can take place in a variety of locations (e.g., over the telephone, at trade shows, in chat rooms, in bed). The people gathering information may not know the real reason behind the questions, and the victims may not know the identity of the interviewer. Technical surveillance includes planting a listening device (e.g., a bug).
BECCA stopped charging annual membership dues as of September 11, 2001 as part of their contribution to homeland security. Membership is free to qualified applicants.
Countermeasures
The first step in keeping information assets secure is to identify and classify it according to its value. Top-level executives in a business should perform this subjective job. If a company has a DOD contract, then strict DOD criteria would apply. Each classification has rules for marking, handling, transmitting, storing, and access. The higher the classification the greater are the controls. Table 18-1 shows DOD and corporate classifications, explanations, and illustrations. ASIS International (2007: 37–39) offers the following classification system: unrestricted, internal use, restricted, and highly restricted.
Table 18-1. Classification Systems
| If Unauthorized Disclosure | Illustrations | |
| Government Classification * | ||
| Top Secret | “Exceptionally grave damage” to national security |
Vital national defense plans, new weapons,sensitive intelligence operations |
| Secret | “Serious damage”to national security |
Significant military plans orintelligence operations |
| Confidential | “Identifiable damage”to national security |
Strength of forces, munitionsperformance characteristics |
| Corporation Classification Special Controls |
Survival at stake |
New process or product; secret formula or recipe |
| Company Confidential | Serious damage | Process, customer lists;depends on value to business |
| Private Confidential | Identifiable damage, orcould cause problems |
Personnel data, price quote |
* Classified by the U.S. Department of Defense in National Industrial Security Program Operating Manual, reissued February 28, 2006 (http://www.fas.org/sgp/library/nispom.htm; retrieved July 28, 2007).
Here is a list of strategies for an information security program:
1. Prevention is a key strategy to protect information assets, which can be stolen without anything being physically missing, and information assets often are not covered by insurance.
2. Establish formal policies and procedures for such activities as identifying and classifying information assets, handling, use, distribution, release of information on a “need-to-know” basis, storage, and disposal. Other examples are security over passwords and maintaining a “clean desk” policy so important items are not left in the open when they should be in a locked container.
3. Provide training and awareness programs for employees on all aspects of information security, including methods used by spies, reporting incidents, investigations, and auditing of the program.
4. Reinforce countermeasures through new employee orientation, the employee handbook, and performance evaluations.
5. Carefully screen employment applicants.
6. Use employee nondisclosure agreements and employee noncompete agreements.
7. Implement physical security and access controls for people and property entering, leaving, and circulating within a facility (Figure 18-4).
9. Review works written by employees prior to publication and their speeches, ensure protection during trade shows, and control media relations.
10. Control destruction of information assets.
11. Maintain state-of-the-art IT security.
12. Be cautious when logging online in a wireless area. Ensure that your computer is not automatically connected to wireless access points that are unsecured.
13. Mark laptops with company name and telephone number to increase the chances of recovery in case of theft.
14. Protect all forms of electronic communication—e-mail, network, fax, telephone, etc.
15. Establish controls over devices that contain a hard drive (e.g., PDAs, iPods, and MP3 players), electronic storage capacity, or embedded camera. Data are being stored in smaller spaces and so many ordinary items (e.g., pen, knife, watch) can contain a data storage device.
16. Control the variety of office machines (e.g., the combination copy machine, fax, scanner, and printer) that contain hard drives.
17. CDs and DVDs, rather than paper, are increasingly being used to store information. If a duplicator makes a copy of a master CD to its hard drive and then burns multiple copies, the information is available to people who can access the duplicator, unless the data is purged.
18. Ensure that important data has a backup copy in case data are stolen, a disaster strikes, or a hard drive fails.
19. Use technical surveillance countermeasures (TSCM).
20. Use internal and independent security audits to strengthen protection.
FIGURE 18-4 Sen Trac ID uses radio-frequency identification technology to provide hands-free access control and asset management to track people and products within a facility.Courtesy: Sensormatic.
Operations Security
Operations Security (OPSEC) is defined by Isaacs (2004: 104) as follows: “OPSEC is a formal process for looking at the protection of critical information from the viewpoint of an adversary and then denying that adversary the information it needs.” It is a government-developed approach to information security that began during the Vietnam War when it was discovered that lives were being lost, not only from espionage, but also from unclassified information that was being analyzed by the enemy. OPSEC is a way of thinking, rather than a series of steps. The components of OPSEC are analyze the threat, identify critical information, examine vulnerabilities, assess risk, and apply countermeasures.
Destruction of Information Assets
Records, documents, computers, hard drives, and other items that contain information assets should not simply be thrown into trash bins or discarded when no longer needed, because spies and other adversaries may retrieve the information. Total destruction affords better information security. Before pollution restrictions against burning, many firms placed unwanted records in incinerators. Today, strip-cut shredders (producing long strips of paper 1/4-inch wide) are used by many organizations. However, security is limited. This became painfully evident in 1979, when Iranian militants stormed the U.S. Embassy in Tehran and pieced together top-secret documents that had been shredded by a strip-cut shredder. For increased security, particle-cut shredders (smaller pieces of paper) are the alternative (Figure 18-5). Cross-cut shredders offer even higher security. The highest level of security is offered by disintegrators. These devices produce confetti particles through the action of a rotor and stationary knives. Since the Iranian disaster, the U.S. government requires classified data to be destroyed with either a cross-cut shredder or a disintegrator.
FIGURE 18-5 A determined adversary might take the time to put small pieces of paper together for information.
Vendors that sell high-security shredders seek to meet government national security standards. One vendor sells a shredder that delivers a 1 mm × 4 mm particle. An 8 1/2² × 11² piece of paper can be reduced to 15,500 particles (Dahle North America, 2007).
Many companies outsource shredding to service firms that send a mobile shredding truck to the client to shred a variety of items, besides paper. Examples are CDs, DVDs, hard drives, credit cards, and uniforms. Security practitioners should exercise due diligence with shredding service firms and investigate the chain of custody of the shredded product. The National Association of Information Destruction, Inc., promotes professionalism and ethics of its member companies.
Unshredding is a growing specialization. Although unshredding can be done manually, computer technology speeds the process by scanning pieces on both sides and then the computer determines how the strips should be joined. In the Enron accounting case, many documents were fed through a shredder incorrectly, which made the pieces easier to put together. In reference to forensic identification, shredders contain device-specific characteristics that can be used to determine the specific device that shredded an item.
Shredding has increased in popularity because of privacy laws (e.g., FACTA and HIPPA), the problem of identity theft, and the U.S. Supreme Court case, California v. Greenwood, which permits police warrantless search and seizure of garbage left on the street for collection (Wikipedia, 2007).
Defenders against espionage must not fall into the trap of emphasizing certain countermeasures while “leaving the back door open.”
Communications Security
Communications security involves defenses against interception. The National Security Agency (2000: 10) defines communications security (COMSEC) as follows:
Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity [i.e., encryption or decryption], transmission security, emission security [i.e., intercept and analysis of emanations from equipment], and physical security of COMSEC material.
In providing a comprehensive approach to protecting information assets, subfields of communications security are listed here (Carroll, 1996: 177–277).
• Line security protects communications lines of IT systems, such as a central computer and remote terminals. Line security is effective over lines an organization controls; a wiretap can occur in many locations of a line. Cryptographic security defeats wiretapping.
• Transmission security involves communications procedures that afford minimal advantage to an adversary bent on intercepting data communications from IT systems, telephones, radio, and other systems.
• Emanation security prevents undesired signal data emanations (e.g., from computer equipment) transmitted without wires (e.g., electromagnetic or acoustic) that could be intercepted by an adversary. TEMPEST is the code word used by the National Security Agency for the science of eliminating undesired signal data emanations. “Shielding,” discussed soon, is one strategy to reduce data emanations.
• Technical security, also called technical surveillance countermeasures, provides defenses against the interception of data communications from microphones, transmitters, or wiretaps.
The above methods of attack can be used together, which is one reason why communications security is a highly complex field. What follows here primarily is technical security; however, we must not lose sight of the importance of a comprehensive approach to protecting information assets.
Electronic Surveillance and Wiretapping
Electronic surveillance utilizes electronic devices to covertly listen to conversations, whereas wiretapping pertains to the interception of telephone communications. The prevalence of these often-illegal activities probably is greater than one would expect. (The legality of such acts is supported by court orders.) Because detection is so difficult, the exact extent of electronic surveillance and wiretapping and what this theft of information costs businesses is impossible to gauge.
Electronic eavesdropping technology is highly developed to the point where countermeasures (debugging) have not kept up with the art of bugging. Consequently, only the most expertly trained and experienced specialist can counter this threat.
Surveillance equipment is easy to obtain. Transmitters are contained in toys and other items found in many homes. Retailers sell FM transmitters or microphones that transmit sound, without wires, to an ordinary FM radio after tuning to the correct frequency. These FM transmitters are advertised to be used by public speakers who favor wireless microphones so they can walk around as they talk without being hindered by wires; the voice is transmitted and then broadcast over large speakers. They are also advertised to listen in on a baby from another room. An electronically inclined person can simply enter a local electronics store or shop on-line and buy all the materials necessary to make a sophisticated bug. Pre-built models are available by mail, or certain retailers will sell them if the buyer signs a statement that they will not be used for audio surveillance.
Miniaturization has greatly aided spying. With the advance of the microchip, transmitters are apt to be so small that these devices can be enmeshed in thick paper, as in a calendar, under a stamp, or within a nail in a wall. Bugs may be planted as a building is under construction, or a person may receive one hidden in a present or other item. Transmitters are capable of being operated by solar power (i.e., daylight) or local radio broadcast.
Bugging techniques are varied. Information from a microphone can be transmitted via a “wire run” or a radio transmitter. Bugs are concealed in a variety of objects or carried on a person. Transmitting devices can be remotely controlled with a radio signal for turning them on and off. This makes detection difficult. A device known as a carrier current transmitter is placed in wall plugs, light switches, or other electrically operated components. It obtains its power from the AC wire to which it is attached. Sound systems with speakers serve as microphones that help spies.
Many spies use multiple systems. Multiple bugs are placed so they will be found, which in many instances satisfies security and management. Other bugs are more cleverly concealed.
Gruber (2006: 280–283) notes that gun microphones are very effective. He writes that they can be aimed at a target from a significant distance and they are used with a headset and amplifier. Gun microphones can be seen at football games. He illustrates the creativity of spies by describing how electrical signals from a microphone can be carried by a clear metallic paint.
Telephones are especially vulnerable. A “tap” occurs when a telephone conversation is intercepted. Telephone lines are available in so many places that taps are difficult to detect. A tap can be direct or wireless. With a direct tap, a pair of wires is spliced to the telephone line and then connected to a recorder. An FM transmitter, similar to a room bug, is employed for a wireless tap. The transmitter is connected to the line and then a receiver and recorder are concealed nearby. Wireless taps (and room bugs) are spotted by using special equipment. Direct taps are difficult to locate. A check of the entire line is necessary.
Because telephone traffic travels over space radio in several modes—for example, cellular, microwave, and satellite—the spy’s job is made much easier and safer since no on-premises tap is required. What is required is the proper equipment for each mode. In one case a Mossad agent in Berne, Switzerland, was arrested after he tried to tap the telephone of a Hezbollah target. His technical system was a cellular telephone device that would be activated when the target telephone was put in use. The device would automatically call a second cellular telephone where the target’s telephone would be monitored (Business Espionage Controls and Countermeasures Association, 2007).
Another technique transforms the telephone into a listening device whether it is in use or not. Variations of the following technique depend on the technology and design of the telephone. “Hookswitch bypass” short circuits (by changing wires) the telephone hookswitch (the switch that disconnects the microphone in the mouthpiece to the outside when a person hangs up) and transforms the ordinary telephone into a bug. This is easy to detect by hanging up the telephone, placing a radio nearby (for noise), tapping into the telephone line, and listening for the radio.
When guarding against losses of information assets, consideration must be given to a host of methods that may be used by a spy. These include infrared transmitters that use light frequencies below the visible frequency spectrum to transmit information. This can be defeated through physical shielding (e.g., closing the drapes). Another method, a laser listening device, “bounces” laser off a window to receive audio from the room. Inexpensive noise masking systems can defeat this technique (Jones, 2000: 1–17). Kaiser and Stokes (2006: 65) write: “Newer laser microphones are created by feeding two hair-thin strands of fiber-optic cable into the room being monitored. The microphone operates when a laser beam is sent down one of the fibers, where it bumps into a thin aluminum diaphragm and returns on the other fiber with the room conversation.” A careful search is required to find this and other devices. Computer, e-mail, facsimile, and other transmissions are also subject to access by spies. A spy may conceal a recorder or pinhole-lens camera on the premises, or wear a camera concealed in a jacket or tie. If drawings or designs are on walls or in sight through windows, a spy, stationed in another skyscraper a few blocks away might use a telescope to obtain secret data, and a lip reader can enhance the information gathering. Or, a window washer might appear at a window for surveillance. Another method is a spy disguised as a janitor to be assigned to the particular site. All of these methods by no means exhaust the skills of spies as covered earlier under “espionage techniques.”
Technical Surveillance Countermeasures
ASIS International (2007: 17) states the following:
Technical Surveillance Countermeasures (TSCM) refers to the use of services, equipment, and techniques designed to locate, identify, and neutralize the effectiveness of technical surveillance activities (electronic eavesdropping, wiretapping, bugging, etc.). Technical surveillance countermeasures should be a part of the overall protection strategy. Individuals within the organization responsible for physical security, facility security, information asset protection, telecommunications, meeting planning and information technology all have a stake in addressing these concerns.
The physical characteristics of a building have a bearing on opportunities for surveillance. Some of these factors are poor access control designs, inadequate soundproofing, common or shared ducts, and space above false ceilings enabling access. Comprehensive security methods will hinder spies. The in-house security team can begin countermeasures by conducting a physical search for planted devices. If a decision is made to contact a specialist, only the most expertly trained and experienced consultant should be recruited.
The Countermeasures Consultant
Organizations often recruit a countermeasures consultant to perform contract work. As a consumer, ask for copies of certificates of TSCM courses completed and a copy of the insurance policy for errors and omissions for TSCM services. What equipment is used? What techniques are employed for the cost? Are sweeps and meticulous physical inspections conducted for the quoted price? Watch for scare tactics. Is the consultant really a vendor trying to sell surveillance detection devices, or a PI claiming to be a TSCM specialist? Will the consultant protect confidentiality? The interviewer should request a review of past reports to clients. Were names deleted to protect confidentiality? These questions help to avoid hiring an unqualified “expert.” One practitioner offered clients debugging services and used an expensive piece of equipment to conduct sweeps. After hundreds of sweeps, he decided to have the equipment serviced. A service person discovered that the device was not working properly because it had no battery for one of its components. The surprised “expert” never realized a battery was required.
For a comprehensive countermeasures program, the competent consultant will be interested in sensitive information flow, storage, and retrieval. Extra cost will result from such an analysis, but it is often cost effective.
The employer should use a public telephone off the premises to contact the consultant in order not to alert a spy to impending countermeasures. An alerted spy may remove or turn off a bug or tap and the TSCM may be less effective.
Techniques and Equipment
Detection equipment is expensive and certain equipment is subject to puffing, but useless. A company should purchase its own equipment only if it retains a well-qualified TSCM technician, many sweeps are conducted, and the in-house TSCM program is cost-effective.
Equipment includes the nonlinear junction detector (NLJD), costing about $15,000 and capable of detecting radio transmitters, microphones, infrared and ultrasonic transmitters, recorders, video cameras, cell phones, and other hidden electronic devices, even when they are not working. Gruber (2006: 284–285) offers the following on the NLJD. It transmits a microwave signal through its antenna and an internal receiver listens for a RF response that may mean a device is present. NLJDs are available in various power outputs to the restricted government version. The effectiveness of this equipment is poor in an area containing several electronic devices; in this case, a physical search is best.
The telephone analyzer is another tool designed for testing a variety of single and multiline telephones, answering machines, fax machines, intercom systems. The spectrum analyzer is another tool. Basically, it is a radio receiver with a visual display to detect airborne radio signals. Other types of specialized equipment are on the market. Buyer beware: the quality and cost of equipment varies widely.
Some security personnel or executives plant a bug for the sole purpose of determining if the equipment of the detection specialist is effective. This “test” can be construed as a criminal offense. An alternative is specially designed test transmitters, commercially available, that has no microphone pickup and therefore can be used without liability. Another technique is to place a tape recorder with a microphone in a drawer.
A tool kit and standard forms are two additional aids for the countermeasures specialist. The tool kit consists of the common tools (e.g., screwdrivers, pliers, electrical tape) used by an electrician. Standard forms facilitate good recordkeeping and serve as a checklist. What was checked? What tests were performed? What were the readings? Where? When? Who performed the tests? Why were the tests conducted? Over a period, records can be used to make comparisons while helping to answer questions.
The following list offers topics of consideration for TSCM (Gruber, 2006: 277–304; Kaiser and Stokes, 2006: 60–68):
• The first step in TSCM is a physical search for devices beginning from outside the building. The physical search, both outside and inside, is very important and time-consuming. On the outside, focus on items such as utilities, wires, ductwork, and openings (e.g., windows). A spy can tap into lines outside the building without needing to ever enter the building. A top executive should establish a cover story to avoid alerting anyone to the TSCM.
• Inside the building, the TSCM technician should check cabling, inside individual office equipment (e.g., telephones, faxes, and computers), and openings. Is there anything in the office equipment that appears odd?
• The technician should be knowledgeable about IT systems, computers, internal network or Local Area Network (LAN), and a connection to the outside or Wide Area Network (WAN). These systems can be bugged or tapped like telephone systems. For example, a LAN analyzer connected to a line can read all e-mail that travels through the line. The technician should have equipment to check what is attached to lines.
• Besides traditional cable, fiber optic cable can also be tapped. A tap on a fiber optic cable can be detected through an Optical Time Domain Reflectometer.
• Since devices may be hidden in walls, the technician can use an ultraviolet light to detect plaster repairs to walls. A NLJD or a portable x-ray machine can be used to detect devices in walls.
• Items in walls that should be checked are power outlets, phone jacks, and network jacks. Tools to check these items and inside walls are a flashlight, dental mirror, and a fiber optic camera.
• Plates at light switches, wall outlets, and HVAC vent covers should all be removed for the search and prior to the sweep.
• If a bug or tap is found, it should be documented and photographed. The device could be booby-trapped. Although police should be contacted for assistance, their response and expertise will vary widely. A difficult question surfaces as to whether the device should remain and fed false information.
• The TSCM technician often finds nothing unusual. Such results afford protection against bugs and taps. However, 100% protection is not possible, because information assets can be lost in so many ways, mostly from humans. Security practitioners should be creative, think like a spy, and not forget about the inexpensive, easy, and obvious methods to steal information assets.
Another strategy to thwart listening devices is “shielding,” also called electronic soundproofing. Basically, copper foil or screening and carbon filament are applied throughout a room to prevent acoustical or electromagnetic emanations from leaving. Although this method is very expensive (costing more than $100,000), several organizations employ it to have at least one secure room or to protect information in computers.
Equipment is available on the market that may frustrate telephone taps and listening devices. Scramblers, attached to telephones, alter the voice as it travels through the line. However, no device or system is foolproof. Often, simple countermeasures are useful. For instance, an executive can wait until everybody is present for an important meeting, and then relocate it to a previously undisclosed location. Conversants can operate a radio at high volume during sensitive conversations, and exercise caution during telephone and other conversations.
Many businesses and commercial telephony service providers are moving to Voice over Internet Protocol (VoIP) technology because of lower costs and efficiency. Such services may not even make contact with the traditional telephone network. One concern of VoIP technology relates to its inability to provide traditional location identification (i.e., Enhanced 911) for 911 emergency calls made to public safety agencies. Of particular interest for our discussion here is that traditional wiretaps are more difficult to intercept with VoIP infrastructure and end-to-end encryption compounds the challenges for those seeking to wiretap (National Institute of Justice, 2006).
It must be remembered that information assets can be collected in many different ways besides with physical devices. Losses can occur through speeches and publications by employees, in company trash, and by unknowingly hiring a spy. Comprehensive, broad-based information security is necessary.
Who do you think has “the edge,” those who seek information assets or those who protect it?
Here are Web sites relevant to this chapter:
ASIS, International: www.asisonline.org
Business Espionage Controls and Countermeasures Association: www.becca-online.org/
Institute for a Drug-Free Workplace: www.drugfreeworkplace.org/
National Association of Information Destruction, Inc.: www.naidonline.org/
National Clearinghouse for Alcohol and Drug Information: http://ncadi.samhsa.gov/
National Institute for Occupational Safety and Health (NIOSH): www.cdc.gov/niosh/homepage.html
Occupational Safety and Health Administration (OSHA): www.osha.gov
OSHA: www.dol.gov/asp/programs/drugs/workingpartners/dfworkplace/dfwp.asp
Society of Competitive Intelligence Professionals: www.scip.org/
U.S. Department of Labor: www.dol.gov/elaws/drugfree.htm
U.S. Department of State: www.state.gov/travelandbusiness/
Case Problems
18A. As a security manager, you just received an internal telephone call from a supervisor who complains about a subordinate who became angered by a work assignment and told the supervisor that he knows where he lives and where his kids go to school. What do you do?
18B. You are a security manager at a plant. One day, a former employee shows up at the front gate and demands to see his estranged wife. In addition, he wants to talk with the human resources director about benefits. How do you handle this situation?
18C. John Smith, an employee who has just lost his job because of corporate downsizing, is in the office of the Director of Human Resources holding a pistol in the direction of the Director. As the security manager, you were summoned to the office earlier, not knowing that the pistol had been drawn. You enter the office and you stop upon seeing the pistol. John Smith states: “I’ve given 10 years of my life to this place.” “They had no right doing this to me.” “If I can’t work, I can’t support my family.” “It’s management’s fault and they are going to pay.” As the security manager, what do you say and do? (This case problem was prepared with the assistance of Hasselt and Romano, 2004: 12–17).
18D. As the chief security officer for a corporation with plants in the United States and Europe, prepare a list of questions to answer as you plan a personnel protection program.18E. As a security manager you hear through the grapevine that several employees smoke marijuana during lunch when they go to their vehicles. What do you do?
18F. As the new chief security officer for a corporation, you are reviewing the methods of information collection of the in-house competitive intelligence unit. The list includes using the Internet, public documents, public documents from government, private investigators, subscriptions to news services, purchasing securities to receive annual financial reports of competitors, collecting garbage from competitors, attending seminars and speeches of competitors, and purchasing competitor products for study. Do any of these methods necessitate closer attention? Explain and justify your answer.
18G. As the security director for a corporation engaged in research, you see the need for an information security consultant to improve protection. What criteria would you list to select such a specialist? What questions would you ask applicants during the selection process?
18H. Of the major topics in this chapter, which one would you select as a specialization and career? Why? How would you develop such a specialization and career?
REFERENCES
ASIS International , (2007). Information Asset Protection Draft Guideline. www.asisonline.org . [retrieved February 9, 2007.]
ASIS International , (2005). Workplace Violence Prevention and Response Guideline. www.asisonline.org . [retrieved March 8, 2007.]
Apuzzo M, (2007). “Chiquita to Pay $25M in Terror Case.” Associated Press (March 14). http://biz.yahoo.com/ap/070314/terrorism_bananas.html?.v=5 . [retrieved March 16, 2007.]
Ashley S, (2006). “Cell Phone Vulnerabilities”. Law Officer Magazine.2.
Associated Press , (2006). “Schwab: $2M for CEO Security”. Security Director News.3.
Atkinson W, (2001). “Safe Travel”. Risk & Insurance.12.
Besse W, Whitehead C, (2000). “New Tools of an Old Trade”. Security Management.44.
Bowron E, (2001). “All the World’s a Staging Ground”. Security Management.45.
Business Espionage Controls and Countermeasures Association , (2007). “About BECCA”. http://www.becca-online.org/ . [retrieved March 18, 2007.]
Business Espionage Controls and Countermeasures Association , (2001). “News of Hostile Activity”. http://www.espionbusiness.com . [retrieved June 6, 2001.]
Carroll J, (1996). Computer Security. 3rd ed. Boston: Butterworth-Heinemann;.
Curtis G, McBride R, (2005). Proactive Security Administration. Upper Saddle River, NJ: Pearson Prentice Hall;.
Dahle North America , (2007). http://www.dahle.com/high_security.htm . [retrieved March 19, 2007.]
DeCenzo D, Robbins S, (2005). Fundamentals of Human Resource Management. 8th ed. Hoboken, NJ: John Wiley & Sons Pub;.
Ehrlich C, (2002). “Liar, Liar: The Legal Perils of Misrepresentation”. Competitive Intelligence Magazine.5.
Elliott R, (2006). “What’s Behind Country Risk Ratings?”. Security Management.50.
Elliott K, Shelley K, (2005). “Impact of employee assistance programs on substance abusers and workplace safety”. Journal of Employment Counseling.42.
Gips M, (2006). “High on the Job”. Security Management.50.
Gips M, (2007). “My Short Life as an EP Specialist”. Security Management.51.
Gruber R, (2006). Physical and Technical Security: An Introduction. Clifton Park, NY: Thomson Delmar Learning;.
Halligan R, (2001). “Do Your Secrets Pass the Test?”. Security Management.45.
Hasselt V, Romano S, (2004). “Role-Playing: A Vital Tool in Crisis Negotiation Skills Training”. FBI Law Enforcement Bulletin.73.
Hershkowitz R, (2004). “Zero Tolerance Equals Trouble”. Security Management.48 [].
Horowitz R, (2005). “A Comment on Drafting Corporate Competitive Intelligence Policies”. http://www.rhesq.com/CI/Comment%20on%20CI%20Policies.html . [retrieved March 18, 2007.]
Horowitz R, (1998). “The Economic Espionage Act: The Rules Have Not Changed”. Competitive Intelligence Review.9 http://www.scip.org/pdf/9(3)horowitz.pdf . [retrieved March 22, 2007.]
Hudson J, (2004). “Dozens Sue over Lockheed Shootings”. The Clarion-Ledger..
Hughes S, (2001). “Violence in the Workplace: Identifying Costs and Preventive Solutions”. Security Journal.14.
Insurance Information Institute , (2007). “What does kidnap and ransom insurance cover?”. http://www.iii.org/individuals/business/optional/kidnapandransom/ . [retrieved March 11, 2007.]
Isaacs R, (2004). “How Not to Tell all”. Security Management.48.
Ivancevich J, (2001). Human Resource Management. 8th ed. Boston: McGraw-Hill Irwin;.
Jaeger S, (2001). “The Age of Rage”. Security Industry & Design.11.
Jones T, (2000). Surveillance Countermeasures in the Business World. Cookeville, TN: Research Electronics International;.
Kaiser M, Stokes R, (2006). “Who’s Listening?”. Security Management.50.
Kenny J, (2005a). “Threats in the Workplace: The Thunder before the Storm?”. Security Journal.18.
Kenny J, (2005b). “Workplace Violence and the Hidden Land Mines: A Comparison of Gender Victimization”. Security Journal.18.
Laczniak G, Murphy P, (1993). “The Ethics of Corporate Spying”. Ethics Journal..
Mallery J, (2006). “The Hidden Data Thieves”. Security Technology & Design.16.
Meadows R, (2007). Understanding Violence and Victimization. 4th ed. Upper Saddle River, NJ: Pearson Prentice Hall;.
Miller S, (2007). “Gone in a Flash”. Information Security.10.
Myshko D, (2001). “Just Say Yes to Drug Testing”. Risk and Insurance.12.
National Institute of Justice , (2006). “Telephony Implications of Voice over Internet Protocol”. www.ncjrs.gov/pdffiles1/nij/212976.pdf . [retrieved June 18, 2007.]
National Institute on Drug Abuse , (2006). “NIDA InfoFacts: Methamphetamine”. http://www.nida.nih.gov/Infofacts/methamphetamine.html . [retrieved March 9, 2007.]
National Security Agency , (2000). “National Information Systems Security (INFOSEC) Glossary.” (UNCLASSIFIED). http://security.isu.edu/pdf/4009.pdf . [retrieved March 22, 2007.]
Nolan J, (1997). “Economic Espionage, Proprietary Information Protection: Difficult Times Ahead”. Security Technology and Design..
Petersen International Underwriters , (2003). “A Kidnap and Ransom Insurance Plan” (Brochure). http://www.eglobalhealth.com/files/Epic.pdf . [retrieved March 12, 2007.]
Piazza P, (2005). “From Bluetooth to RedFang”. Security Management.49.
Piazza P, (2007). “The ABCs of USB”. Security Management.51.
Purpura P, (1993). “When the Security Manager Gets Shot: A Corporate Response”. Security Journal..
Ryan L, (2005). “Exclusive remedy upheld in Lockheed Martin shooting case.” Workers’ Comp Insider (July 21). http://www.workerscompinsider.com/archives/2005_07.html . [retrieved March 10, 2007.]
Shyman R, (2000). “Women at Work”. Security Management.44.
Simovich C, (2004). “To Serve and Protect”. Security Management.48.
Smith S, (2004). “What every employer should know about drug testing in the workplace”. Occupational Hazards.66.
Society of Competitive Intelligence Professionals , (2007). “About SCIP”. http://www.scip.org/2_overview.php . [retrieved March 18, 2007.]
U.S. Department of Labor , (2006). “Injuries, Illnesses, and Fatalities”. http://www.bls.gov/iif/home.htm . [retrieved March 8, 2007.]
U.S. Drug Enforcement Administration , (2003). “Guidelines for a Drug-Free Workforce”. http://www.usdoj.gov/dea/demand/dfmanual/09df.htm . [retrieved March 14, 2007.]
University of Iowa , (2001). “Workplace Violence: A Report to the Nation”. http://www.public-health.uiowa.edu/IPRC/NATION.PDF . [retrieved March 8, 2007.]
Wikipedia , (2007). “Paper Shredder”. http://en.wikipedia.org/wiki/Paper_shredder . [retrieved March 19, 2007.]