If you are speaking on the telephone to your opposite number at the head of another company and he or she starts to talk infantile nonsense, do not assume you are dealing with another victim of business stress. These days it is just as likely that the boss in question is trying to prevent some sensitive piece of commercial information being picked up by electronic eavesdroppers.
‘Bugging’, in all its rapidly developing forms, is one branch of corporate espionage, an activity which has become an all-pervasive feature in modern commercial life. Finding out other people’s valuable secrets and building defences against others finding out your secrets is big business, as technological advances increasingly blur the dividing line between legitimate and illegitimate methods of intelligence gathering.
The wish to know what is going on at another company can become desperate at times, especially during battles for crucial contracts or contested takeover bids. It is universally assumed that a tycoon such as, say Phillip Green, would have used the legitimate services of an intelligence company like the famous Kroll group to find out as much as possible about Marks & Spencer and its top people before launching his hostile takeover bid.
At such times, it is common for companies and their advisers to ‘sweep’ their offices, homes, even cars and taxis, for bugs. Shredding documents is one line of defence, but they must be shredded thoroughly or dustbins will be gone through and the documents reassembled.
Former military man Paddy Grayson, who launched London operations for Kroll (now owned by US insurance broking giant Marsh & McLennan) and now helps run the GPW business intelligence partnership, says dustbins remain treasure troves, even in these high-tech times. Key people often incinerate their office dustbins’ contents but fail to do so at home.
Espionage can be an internal problem and not simply a case of one company spying on another. An English intelligence consultant was recently called in by a bank which was subject to a blackmail attempt by an employee who had discovered by electronic hacking that it was providing a legally-questionable tax evasion scheme for its wealthier clients.
A thin dividing line
What is legal or illegal, let alone ethical or unethical, in the world of industrial espionage is not always as clear-cut as you might suppose. ‘Big companies think nothing about paying £20,000 or £30,000 to find out other people’s secrets,’ says Norman Bolton, head of special operations at ‘risk management specialist’ C2i International.
He argues that, in the absence of a UK privacy law, often the only crime involved in bugging itself, as opposed to using the fruits of bugging, is the theft of a tiny amount of the victim’s electricity. But people in the business usually know whether something is right or wrong — which is why, say cynics, when some larger intelligence firms are hired to handle delicate corporate issues, they prefer to ‘sub-contract’ more dubious operations to less fastidious smaller fry.
Grayson recalls a client company asking GPW to find out if a recently departed senior executive had passed key confidential information about a new manufacturing product to a rival company he had joined. To buy the product outright from the rival company would have cost more than £100,000 and so GPW instead persuaded friends in another company in the same business to approach the client’s rival, ostensibly to discuss a possible contract.
In due course, the friends were invited to look round the rival’s factory. There they spotted a nearly identical version of the vital product.
The client then sent ‘an army of lawyers’ round to the rival’s factory, who demanded to see the offending machinery. ‘That was legitimate intelligence gathering,’ recalls Grayson, ‘and we were perfectly comfortable about the subterfuge we used.
‘Our client never asked us what else we had seen in his rival’s factory, some of which could have been extremely useful. Had he done so, that would have been industrial espionage and we do not break the law.’
Whether it is new products, new inventions, client lists, information about the true condition of a potential partner, client or supplier, takeover targets or unwelcome bidders, more and more companies feel the pressure to test these boundaries, legal and ethical. Planting ‘sleepers’ on another company’s payroll, who will be in a position to spill valuable beans at a future date is by no means unknown.
Bolton claims that £10 million is spent every year in Britain on bugging devices costing an average £200 and that more sophisticated and expensive devices are readily available in places like London’s Tottenham Court Road. He maintains that C2i operates essentially in a ‘defensive’ role, helping companies guard their secrets and combat espionage.
First class gatecrashing
Other practitioners are prepared to be more versatile. Bolton points out that many forms of intelligence gathering, including surveillance and following people about, do not necessarily in themselves fall foul of the criminal law.
One household name advertising group was known to encourage staff to go first class on the train on the off-chance of overhearing ‘sensitive’ conversations and to gatecrash competitors’ office parties to pick up potentially useful private information. That is a long way from planting bugs or even planting staff, but the object is still to get hold of other companies’ secrets.
Among the most valuable assets of a business can be its key personnel – whether they be technical, financial or managerial. Advising on protecting them from kidnap and ransom has become big business. One company in particular, Control Risks, started years ago with strong links to the Lloyd’s insurance market, is one of the leaders in the field.
This is one of the most sensitive areas in the business. Insurers and others insist they do not — and are not allowed to — negotiate with criminals, but somehow contact is established with kidnappers and deals struck. Control Risks, which has a close connection with Hiscox insurance group, also gathers intelligence about companies and their key people as part of the ‘due diligence’ process carried out by potential competitors, business partners, bidders, takeover targets or investors at home or abroad.
With much business these days coming from private equity groups, Control Risks sees itself as an intelligence ‘boutique’, with special knowledge of certain sectors and places (such as the former Soviet Union). Director Peter Boyd says spying on companies, using electronic devices and/or coercing staff to divulge information, and (unlike GPW) searching dustbins are ‘beyond the pale’ but Control Risks does advise on combating espionage (by making information secure), and offering services such as electronic counter-surveillance and de-bugging.
Gadgets for spooks and counter-spooks
Technological toys abound in the commercial intelligence gathering business. Laser beams going through windows, electronic devices inserted into wall plugs or telephone junction boxes or under desks are among the standard devices for spying on someone else’s business.
Outlets, such as the Spy Shop in Leyton, north London, offer a range of useful equipment, such as cameras fitted in pens or tie clips. On the internet, Chicago-based Spysho
p.com offers ‘computer spy software to monitor and record ‘everything your employees, spouse and children do online’, as well as ‘spy gear’ ranging from ‘GPS tracking to spy glasses, video and PC surveillance equipment and anti-spyware software under the brand name ‘STOPzilla’, most at prices well below £30.
Bolton, a former police detective and ‘special operations’ expert, argues eavesdroppers can crack encryption codes on electronic communications without too much trouble. He says it is only a matter of time before digital systems, which at present indicate when someone is tapping in to them, are cracked as well.
Cunning spies, pretending to be on the staff of a target company, will often seek to use unwitting and loyal employees, such as cleaners, to install bugging devices for them, on pretexts such as repairing the phone system. Under the ‘Echelon’ inter-governmental system, the state can nowadays listen in to all mobile phone conversations and, argues Bolton, it is safe to assume that others, notably commercial spies, can do the same.
John French, chairman of AIM-quoted Croma, which develops and manufactures security and surveillance devices for the military, civil government and commercial companies, says technological advance has brought ‘a greying of the boundaries between overt and covert applications’.
One project on which Croma was recently asked to work involved a piece of kit to be covertly inserted at the back of a computer in a company’s office.
Once fitted, this enables its owner to sit outside the office running off all the
e-mails sent or received by the computer without anyone in the company knowing it is happening. Another device, fitted to a pierce of equipment such as a laptop computer, sends out an alarm signal if it is moved, undetected by the person moving it, warning that it is being tampered with by an unauthorised person.
In an example of one technical development trumping another, Croma also makes equipment which enables its user to enter a room which has been fitted with passive infra-red detectors, a common protective device, and put the detectors out of action while the intruder roots around undetected to his heart’s content. Another piece of kit detects the presence of bugs as soon as its user enters a room.
However, some attractive-seeming eavesdropping devices are less effective than they might seem. Bolton says that tiny bugs surreptitiously attached to a key person’s clothing often require such large batteries that their usefulness is severely curtailed.
The human touch
Business intelligence gathering is not always a high-tech affair. Both Boyd at Control Risks and Grayson at GPW stress the importance of getting to know key people with useful knowledge. Grayson, who insists GPW ‘knows ways of gathering information that is clever, innovative and canny but does not require spookery’, recalls being asked to check a French company which a client was on the point of acquiring.
‘We dipped into the local community, press, police, business contacts, restaurants and so on.’ This research revealed that one of the bosses of
the French company had been involved in a messy VAT case and, more importantly, that its key process depended on a widget made in Korea whose own business hinged on one customer in California. In addition, the director who had signed the contract with the French company had left the firm.
On another occasion, a client was poised to enter a major joint venture with a company in Mumbai, but was worried about potential corruption issues.
GPW unearthed a Scandinavian company which did plenty of business with the Indian group and was persuaded to provide reams of useful information on its commercial practices, including the key fact that the apparent Number Two in Mumbai was the person who really called the shots and got things done.
What you can do
If you want to minimise the risk of having your commercial secrets stolen, there are several steps you can take. These range from careful vetting of staff, ensuring desks are cleared at the end of each day to buying surveillance and de-bugging equipment of your own.
At C2i International, Bolton argues against using code, either over the telephone or the internet. ‘Code usually relies on key words and any self-respecting eavesdropper will not take long to work them out.’
More advisable, he argues, is to drown your important communication in a sea of routine trivia, so that the spy is unlikely to pick it out. In general, the advice of many specialists is that the safest form of communication is to deliver the key message or document yourself in person to the rightful recipient and, failing that, sending it by ordinary post is one of the most secure forms of delivery.
In an organisation which receives plenty of mail, it is going to be hard and time-consuming to open every letter without it being detected. Recorded or special deliveries draw attention to themselves and so are not recommended and the same applies to couriers.
Shredding documents so thoroughly that they cannot be pieced together from dustbins or even from incinerators remains an important precaution, as is ensuring key directors and executives have and use shredding facilities at their homes. Hiring specialist firms to conduct periodic electronic sweeps of your premises, to detect and remove bugs, can be worthwhile, and it is better not to have them at regular — and hence predictable — intervals, but at random.
‘Security has been on the regular lists of boardroom tasks for a long time,’ says Peter Jopling, head of security sales at IBM Software’s Tivoli arm, a leader in the field with a staff of more than a thousand. ‘Building firewalls and anti-virus software are established procedures and these days the emphasis is more on how to make the infrastructure you have put in place work better.’
Tivoli’s corporate clients, who include an increasing proportion of small to medium-sized concerns, now want it to sift out system users and check who is allowed to do what, ‘to give or withhold access, to monitor, enable and disable’. Jopling says a growing area is ensuring who is authorised to do what in a co-operation between two companies, which involves the exchange of some — but by no means all — of the partner’s key information.
He argues Tivoli scores by offering a wide range of services. Some consultants, such as gpw, specialise in intelligence gathering through personal contacts and human endeavour, with a minimum of ‘spookery’, while others focus on high-tech counter-espionage techniques.
What it costs
Combating industrial espionage costs money. How much depends on what you want done and by whom.
Small, less well-established agencies will charge £50 an hour or less. Grayson says GPW charges up to £300 an hour, ‘the same as a partner in a medium-sized law firm’, and passes on any outsourcing expenses at cost without adding a profit margin — ‘unlike some’.
Boyd says Control Risks’ charges compare favourably with those of other corporate advisers. Jopling says the cost of Tivoli’s access control kit ‘works out at below £10 per user’. The kit offered by Spyshop.com is mostly below £30.
Bolton says bugging devices cost an average of £200, with some going for much less and more sophisticated equipment running into several thousands of pounds.
C2i’s daily rate can run into ‘a few thousand pounds’ (though it is usually less than £3,000), while a full electronic office sweep can cost as much as £100,000.
In the old days, say the heads of business intelligence companies ruefully, an agency with an illustrious reputation could charge almost what they liked. Corporate clients felt they must be able to get the best service and that was demonstrated by how much they were charged. Nowadays, however, the market is more mature and competitive and clients can negotiate deals which are more keenly priced, though still not cheap.
All the same, people are still prepared to pay for good service. ‘We are, after all, the second oldest profession in the world,’ reflects a director of one business intelligence agency, ‘and we must show ourselves worthy of our hire.’