some corporate espionage experts stress that people, not technology, remain the most vulnerable parts of a company’s defences. Indeed, old-fashioned incursions — dubbed “social engineering” — continue to account for key breaches, large and small.

With the proliferation of trade shows, professional networking associations and booze-fuelled meetups hosted by young tech entrepreneurs, security managers point out that corporate spies can extract important details by insinuating themselves into such settings and engaging key people. Inside a corporate office with seemingly secure perimeters, meanwhile, it’s hardly uncommon for employees and managers to leave documents around or computer windows open when they go home, thus creating potential breach risks that can be exploited if a corporate espionage ring infiltrates a company’s overnight cleaning contractor or otherwise gains after-hours access. Indeed, Jonathan Calof, a professor at the Telfer School of Management at the University of Ottawa and an expert in competitive intelligence, points out that he’s dealt with companies whose security officials discovered hidden digital microphones in key locations in their offices.

Carelessness extends in other directions as well. Employees conduct meetings, in person or by phone, in public settings, such as coffee shops, where their conversations can be overheard. As Martinez says, “People underestimate what physical security is.”

A client recently asked Juneau-Katsuya’s firm to do a security workup. After a cursory review, he discovered a report by a co-op student who had performed so well that she was promoted to a new product development team. At the end of her placement, the student had to write a summary, which her professor posted on the course website. It contained sensitive information about the company’s clients. No one, says Juneau-Katsuya, had bothered to check the document before it was made public.

Lo points out that he’s seen cases where on some large, interdepartmental corporate projects, senior managers might not even have a complete list of all the employees involved, a dynamic that opens the door for strategic or sensitive files to go astray. “The human being is still the weak link in all of this.”

Not long ago, Telus and the Rotman School of Management at the University of Toronto conducted a survey of about 600 companies asking about the security vulnerabilities linked to both the company-issued and personal mobile devices their employees use for work-related tasks. The increasing use of mobile devices has forced companies to try to extend their security perimeters to include phones, tablets and personal laptops, often using the various mobile device management software packages now available. But as security experts point out, mobile and bring-your-own-device policies also rely on employees taking key steps, such as updating software regularly and not using open hot spots.

When the survey came back, recalls Juneau-Katsuya, it revealed that the largest number of security breaches could be traced to senior executives, particularly those who travelled frequently and routinely broke corporate security protocols by logging on through dodgy Wi-Fi networks. “They were the ones creating the vulnerabilities. The people who will eventually target you understand that.”

While everyone hates the relentless dance of the password, such findings underscore the difficulty that security officials, even those working in obviously vulnerable sectors, face in promoting an awareness of the risks of corporate espionage and data theft. Experts such as Masse say executives need to shift their focus from defence to resilience, which means developing responses to attacks and testing them (see “Ousting a Cyber


HOW TO DETECT/PREVENT CORPORATE ESPIONAGE

Hacking happens. As cybersecurity experts point out, if the US National Security Agency’s networks are vulnerable, there are no safe spaces. But apart from investing in firewalls, there are still some basic measures companies can take to detect corporate espionage.

1. Have key office locations swept for bugs from time to time.
2. Establish explicit parameters for employee and manager conduct at trade shows, meetups and other professional networking events. Specifically, firms should be clear with their delegates that company spies use such events to gather information, particularly through seemingly casual conversations.
3. Read employees the riot act about the use of unauthorized flash drives.
4. Question strange coincidences. If a competitor is winning tenders with quotes that consistently undercut your bid by the same amount, you might be dealing with a rival with insider knowledge.
5. Conduct exercises with employees and senior managers, asking them to spot the differences between genuine emails and phishing emails disguised to look like the real thing.
6. Have tests done by qualified firms, and train personnel on how to recognize signs of corporate espionage and how to properly classify and protect information.

— JL


MARCH 2017 | CPA MAGAZINE | 41

