Electronic eavesdropping threat underestimated by risk managers

For many, bugging and wiretapping conjure up images of the Cold War and intelligence agencies, or of private investigators employed in a divorce case. Few risk managers see it as a prominent corporate risk.

For example, many risk managers would identify USB keys fitted with Trojan horse devices as more effective espionage tools than concealed listening devices, not least because they can be used to access IT networks and take data from the systems rather than taping a conversation in a room.

Similarly, said Mr Hollis, many risk managers recognise the threat posed to information security by employees’ personal devices but few appreciate that these smartphones and tablets can also be unwittingly activated as bugs.

Mr Hollis said that risk managers should recognise the value of verbal data and ensure that it is included as part of an information security programme. “There is the information that is on the network but there is the information that comes from the men’s room or the board room that never makes it onto the system,” said Mr Hollis. “And if you talk to any director, they will say that the most sensitive information is what is not written down.”

To underline this, he points out that in recent cases of corporate malfeasance (from the phone hacking scandal at News International to the Libor fixing case at Barclays Bank), it is what was said between executives that was incriminating. “It is about the verbal content between two directors that they would never commit to writing down. It has become the risk that dare not speak its name and it is so sensitive and valuable that risk managers do not know what to do with it.”

The case for raising awareness of electronic eavesdropping is not helped by the lack of statistics in this area. “No one keeps a record of these attacks,” said Mr Hollis. “There is no common methodology, no typical attacks, no typical victims and no typical perpetrators but the tools are available to anyone. So it is hard to quantify the problem.”

What few statistics are available relate to the estimated value of the tools purchased and suggest that activity is rife. The US Homeland Security department estimates that more than $900m of illegal bugging equipment is brought into the US every year, while more than $500m is invested in legal bugging equipment.

Nor are the few risk managers who appreciate the risk helped by the typical attitude of directors, who are content to confine discussions over risk management of audio data to the boardroom, said Mr Hollis. “Risk managers say they are not being allowed in to cover this risk. When we get a call to perform a security sweep, the order comes from the very top. It is not run through the procurement department or the risk manager. So in many cases, it is a recognised threat but it is taken to the sidelines and dealt with separately.”

Despite the numerous challenges, Mr Hollis anticipates that the situation will change in the next ten years. He expects a high-profile breach involving audio data, or a corruption case that hinges on verbal evidence, to attract the attention of legislators and regulators. “Law-makers will push for this evidence to be more admissible in court and Sarbanes Oxley could call for board meetings to be recorded. The corporate conversation is the last frontier in information security but we have to address it.”
