Effective Risk Management Requires More Than A Strong Cybersecurity Program

With a global cost of $445 billion annually, cybercrime and espionage[1] are a significant risk to an organization’s bottom line. US businesses seeking to effectively manage their risks cannot overlook the threat they pose or their potential financial implications. According to a recent study by Allianz, cybercrime, IT failures, espionage and data breaches are ranked the third most important US business risk[2], preceded in importance only by business interruptions/supply chain risks (ranked 1st) and natural catastrophes (ranked 2nd). Regardless if the threat is foreign or domestic, perpetrated by a company insider or an outsider, a single event can result in damage to brand reputation, lead to an erosion of customer confidence and/or financially devastate the affected company. In today’s digital world, a comprehensive cybersecurity program is a necessity, but relying solely on cybersecurity to address cybercrime and corporate espionage risks simply is not sufficient. J.D. LeaSure, President/CEO of ComSec LLC and a counterespionage expert, provides valuable insight into protecting corporate information from insider threats that corporate cybersecurity programs do not address.

What is an “Insider Threat”?

An insider threat is generally defined as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems. Insider threats, to include sabotage, theft, espionage, fraud, and competitive advantage are often carried out through abusing access rights, theft of materials, and mishandling physical devices.”[3]

What motivates insiders?

There are a wide range of motivating factors, including, but not limited to: monetary considerations (e.g. excessive financial obligations, desire for a luxurious lifestyle), blackmail (e.g. being threatened with exposing illegal activity or extramarital affairs), the promise of a benefit (e.g. a job or a favor), anger (e.g. seeking revenge for being passed over for a promotion or seeking revenge against coworkers or the company for perceived poor treatment), addictions (e.g. drugs or alcohol) and/or a 3rd party threat to the insider and/or their family (e.g. threats of physical harm, kidnapping or death).

Will a comprehensive cybersecurity program effectively protect corporate information from all types of cybercrimes and espionage threats?

No! Cybersecurity programs are designed to safeguard information technology and computer systems from cyber attacks. Cybercrime involves using the Internet, a computer system, or computer technology to commit a crime. But, espionage is spying or using a spy to obtain information that is considered secret or confidential without the authorization of the holder or owner of the information. Cybercrimes and espionage can be perpetrated in a manner that cybersecurity programs will not detect. As well, espionage does not require the use of the Internet, a computer system or computer technology. Even a vigilant cybersecurity program cannot detect every type of cybercrime or espionage. Why? “An insider may use devices or methods that are undetectable via traditional cybersecurity programs, and/or the target information may be accessible without the use of a computer, computer technology, a network intrusion or a data breach,” says J.D. LeaSure.

Why do novice insider threats choose not to challenge corporate cybersecurity defenses? Common cyber attacks methods, such as hacking networks, implementing a denial of service attack, launching phishing email attacks and installing botnets, require technical skills that an insider threat may not have. Penetrating corporate cyber defenses is complicated enough, but add to this complexity the possibility of leaving a digital trail that can identify the spy. Often, the task may just be too complicated for an insider threat to successfully accomplish. “The goal of the spy is to capture valuable corporate information without being detected. For an insider who is not technically savvy, trying to evade corporate cyber defenses can be a challenge they simply aren’t suited for,” adds Mr. LeaSure.

Why do technically savvy insider threats choose not to challenge cyber defenses? A technically savvy insider will study corporate cybersecurity policies in an attempt to find an exploitable loophole. They will also be knowledgeable about known vulnerability in networks, devices, software and/or apps that can be exploited to penetrate corporate cyber defenses. So, even a technically savvy insider may consider a vigilant cybersecurity program too risky, and opt for an easier way to obtain the desired information, such as an eavesdropping device. Mr. LeaSure points out the obvious conclusion, “Why would an insider threat launch a complicated cyber attack when less technical, yet effective, means of stealing valuable corporate information are available?” He adds, “Sometimes keeping things simple is the chosen approach.”

How can an insider access information without penetrating cyber defenses? Insiders may choose to use, or assist others, in the use of IMSI catchers, boosting data over cellular networks, using hidden cameras, exploiting BYOD weaknesses with IoT devices, using malware on mobile devices that access corporate data and/or by using electronic eavesdropping devices (GSM bugs, digital recorders, etc.) While these devices are capable of capturing valuable corporate information, cybersecurity programs are not designed to detect these threats. Several of these attack modes fit the definition of a cybercrime, while other methods do not involve the use of the Internet, a computer system or computer technology. However, an insider may use any of these types of attacks to steal valuable corporate information. J.D. LeaSure adds, “Search engines, and the Internet as a whole, are a valuable resource for spies. Information is plentiful, and eavesdropping devices are inexpensive and relatively easy for a novice to use. Perform an Internet search for “spy bugs”, and you’ll be shocked at the search results!”

Who can detect these types of insider threats?

“Ask your IT Manager if corporate cybersecurity programs are designed to detect electronic eavesdropping devices or IMSI catchers. Chances are the answer will be a deafening NO,” comments Mr. LeaSure.

Technical Surveillance Countermeasures (TSCM) is the detection of electronic eavesdropping devices. And, cyber TSCM is the detection of eavesdropping devices that operate within or interface with cyberspace. An expert TSCM / Cyber TSCM professional is trained, equipped and qualified to detect these types of threats.

What does a TSCM / Cyber TSCM expert do?

A TSCM / Cyber TSCM expert performs a thorough electronic and physical examination in the areas of concern within your facility to detect unauthorized audio, optical and cyber eavesdropping threats (e.g. GSM, 3g & 4g cellular eavesdropping devices, wireless transmitters, wire & mic tap, telephone compromise tap, carrier current bug, micro wireless video device, laser or infrared eavesdropping device, etc.) The examination is a precise process using a number of different electronic detection devices to identify potential threats. The threats are then either confirmed (and their source detected where possible), or ruled out by scientific examination.

When should TSCM / Cyber TSCM inspections be performed?

TSCM / Cyber TSCM inspections can be performed in either a proactive or reactive manner. ComSec LLC recommend performing a TSCM / Cyber TSCM inspection as follows:

  • When opening a new location or changing locations (e.g. moving into a new construction or moving into a facility previously occupied by a foreign or domestic competitor).
  • Prior to board meetings, meetings with regulators, product development meetings, sales strategy meetings, etc. (In-conference monitoring can also be extremely important during these meetings.)
  • When there is a change of ownership, change in senior management, a key employee leaves, IT management personnel change, the company is the subject of a lawsuit or other suspect event.
  • At specified time intervals (annually, semi-annually, quarterly, monthly) as a preventive measure.
  • Anytime the company suspects there has been a suspect event.

Cybercrime and espionage are costly! Their impact can range from damage to brand reputation to devastating financial outcomes. C-suite executives have a duty and a responsibility to customers, owners and shareholders to implement and maintain systems that protect the valuable information handled and/or owned by the company. Implementation of effective mechanisms for protection of personally identifiable information (PII), healthcare information, banking details, critical technologies (defense, energy, infrastructure, etc.), trade secrets, confidential information and other sensitive information, are an expectation in the current global climate. The risks of cybercrime and espionage cannot be completely mitigated by cybersecurity programs, even when these programs are comprehensive. Corporations seeking to effectively protect and defend corporate and customer information from cybercrime and espionage can provide a more effective solution by ensuring TSCM / Cyber TSCM surveys are performed to identify threats not addressed by cybersecurity initiatives.

To learn more about ComSec LLC’s TSCM / Cyber TSCM services contact us!

About the Author:

J.D. LeaSure (CCISM) is the President/CEO of ComSec LLC, a global provider of world-class counterespionage and TSCM / Cyber TSCM services. Learn more at https://comsecllc.com



*Cyber TSCM ™ is a trade mark of ComSec LLC
© 2015 ComSec LLC. All rights reserved.

 

[1] Ellen Nakashima, Andrea Peterson, “Report: Cybercrime and espionage costs $445 billion annually” The Washington Post, June 9, 2014.

[2] “Allianz Risk Barometer 2015” Allianz Global Corporate Security, 2015.

[3] George Silowash et. al., Common Sense Guide to Mitigating Insider Threats 4th Edition, Software Engineering Institute, December, 2012.