As plans for business travel resume, how do you keep safe, particularly from the threat of espionage?

Since the advent of globalisation, international business travel has been considered a necessity when conducting business across country borders. When tools such as video conferencing became more widely available during the 1990s, many believed international business travel would decline, but instead, until coronavirus hit globally in early 2020, the sector had continued to grow year on year to a peak of business tourism spending of $1.29 trillion in 2019.

Now, 18 months into a global pandemic, many are looking at plans for resuming business travel as more countries see reductions in their case numbers, more people become vaccinated and confidence grows in travel sector safety procedures. However, as well as the health and safety considerations of recommencing business travel, what are the important things to consider from a security viewpoint, and particularly from an espionage threat perspective?

International business travel: still necessary or desirable?

Within the travel sector, there has been considerable debate about the recovery of business traveller volumes and spend. For the airline industry, business travellers have historically accounted for 12% of the volume but up to 75% of profits, so the industry is keen to encourage the return of business travel to pre-pandemic levels.

However, for many organisations who have been permitted to travel under essential worker status, the complexity of international travel has posed significant challenges. Even as countries are now opening up their borders, the advice and requirements in place are complex, immensely varied and quick-changing. The rules around vaccination requirements, quarantine and self-isolation have already limited, and will continue to limit, business travel for some time to come until we emerge from this pandemic globally.

Alongside the practical considerations, many organisations are re-evaluating their business travel volumes from both environmental and Corporate Social Responsibility standpoints. Pre-2020, many companies, including PwC, Microsoft and Lloyds Banking Group, had committed to reducing or limiting their business travel emissions with the recognition that air travel contributed the most to carbon emissions. A study by O2 Business in June 2020 also showed that 48% of UK workers were concerned about the negative environmental impact of business travel , while investors are increasingly applying ESG (environmental, social and corporate governance) criteria to company investment decisions. Certainly, all of these factors point to a continued downward trend in international business travel.

But what is the desire to return to international business travel among the workforce? Changes in working practices since early 2020 including greater levels of remote working, accepted flexible working policies helping to accommodate operating across time zones, and improved dependability and functionality of video conferencing software have all helped to facilitate more effective international communication and collaboration. But many miss face-to-face interaction, and it is widely accepted that meeting with colleagues, business partners, suppliers and clients in person serves to strengthen relationships. There are also many occasions when travelling to a country is still essential; some services simply cannot be delivered remotely.

Staying secure when travelling internationally

From a security perspective, international business travel has always presented risks. The transportation of organisational assets, both tangible and intangible, poses a risk of interception and theft and from an espionage threat perspective, an adversary is aware of the vulnerabilities of an unfamiliar location or situation where the usual home country security protocols cannot be followed or maintained. With the conditions of resumed business travel as we’ve already explored, any international business requirement is likely to be more critical and involve personnel handling more sensitive assets and conducting more sensitive conversations and the adversary will be very aware of this shift.

When advising organisations on safe international business travel, we advocate three key disciplines: briefing, discretion and being environment-aware.

Briefings

Being well briefed on how to keep assets secure and location-specific risks and factors are essential for any business traveller, especially so for any employees who had not received such training or advice pre-pandemic but equally for seasoned travellers who need risk updates.

Disseminating foreign travel advice from local government and gaining insight from corporate travel partners are one level of education, but many organisations are now going further to build and share their own local threat assessments cross-company.

Discretion

The mantra for any business traveller should always be discretion. It can be easy to become exposed or overly relaxed when abroad, and time-old espionage techniques such as honeypot traps continue today as the adversary preys on these vulnerabilities. The case in 2020 of a US defence linguist charged with sharing highly sensitive national defence information with a member of Lebanese Islamist militant group Hezbollah with whom she shared a romantic interest shows evidence of this risk . As well as being discreet at in-person events, the dangers of sharing information via social media and professional networks have been highlighted of late, and the US NCSC ‘The Nevernight Connection’ video showcases this perfectly.

Environment-aware

As well as specific country or city risk factors, the business traveller should maintain a heightened level of awareness around transport hubs, hotels and third-party venues where their usual organisational security protocols are not in place. The use of hotel safes, storage and hardware are best avoided, as is leaving any device or asset in a hotel room. Measures such as providing clean IT equipment can be advisable for locations and situations considered high risk.

A shift in security service resourcing?

For many security professionals, the COVID-19 pandemic has presented some challenges in respect of maintaining key security service delivery as their preferred or contracted suppliers have been unable to travel themselves. For some organisations, this has forced them to review their sourcing models and focus on more local solution providers for protective services to avoid future travel risk and disruption. However, for certain fields and specialisms, it can be difficult to find reputable providers and apply the same best-practice sourcing criteria across countries.

TSCM, for example, is a notoriously unregulated industry. It is important to find a provider that applies industry-leading standards and uses highly trained personnel and specialist equipment to give the same level of threat assurance across all operations and projects to ensure you are protected.

Emma Shaw

MD, Esoteric

www.esotericltd.com

Click here to read more articles from Esoteric

Click here to read more articles from Emma Shaw

Click here to read more articles on personal safety

Click here to read more articles on travel safety

The post Safe International Business Travel appeared first on City Security Magazine.

Until recently, most nations and corporations around the world were living with different threat and risk profiles. This year, we are all dealing with a global pandemic which is having a wide-reaching impact and threatens life as we know it.

In the realm of security, the facets of this threat have become clearer over recent months and especially so as we’ve navigated periods of lockdown.

Here we explore some of these threats, consider whether COVID-19 has simply unveiled them or indeed created them, and examine how this specifically affects the confidentiality of our information.

China & Russia – the dual threat to national security

China’s role in the discovery of COVID-19 will be scrutinised over the months to come, but in the meantime, suspicions and conspiracy theories swell as we tot up the reports of cyberattacks, foreign agents and espionage cases across the globe. The decision by the UK government to follow the US’S decision to remove Huawei’s 5G infrastructure is seen by many as an affirmation that China-UK relations are at a crossroads as we assess China’s influence and interwoven reach into our nation.

At the same time, we’ve also gained affirmation of the threat posed by Russia. The publication of the Russia Report confirmed what we all knew – Russia poses a threat to UK national security – while also exposing the fundamental error in countering the threat: essentially, no one is doing so as they don’t feel it is their responsibility. On a strategic level, the need for a more unified, simplified and internationally connected model of national security management is the key takeaway and we can see how this would benefit when tackling other threats.

Protecting the search for a vaccine

Health terrorism is not new, but it has really come to the fore with the search for a COVID-19 vaccine. Pharmaceutical industry espionage has been well-documented, more so now as the NCSC issues reports of Russian hacking attempts.

The sharing of incident reports and the ensuing ability to leverage a holistic view of the threat will play a big role in being able to identify health terrorism and counter it effectively. It’s interesting, some say disappointing, how the race to a vaccine for the health of the world has fast become one governed by economic market factors and purchasing power.  It remains to be seen whether any cohesion will be achieved.

A rush to lockdown

In the corporate environment, the period of lockdown has proven especially challenging to information security. For those organisations who weren’t already set up for remote working or hadn’t prepared a response as part of a business continuity plan, there was a rushed shift to full remote working.

Recent reports have highlighted poor IT practices, and the need to educate home workers, resulting in reams of guidance on safe remote working practices from institutions such as the NCSC and CISA. The lockdown of offices and working environments has also created the perfect opportunity for adversaries to carry out targeted technical attacks, including the installation of eavesdropping devices.

Home office security

An increased level of remote working necessitates the need to review home offices for the level of protection they offer to confidential conversations in the same way as secure office spaces such as boardrooms do. More C-suite and senior executives are working from home than ever before so conversations on highly sensitive topics such as restructures, mergers and the like, have now moved to home offices, plus those working in industries or within roles which require confidentiality by their very nature have had to decamp from their protected working environments.

There has been an increase in residential survey requests. However, assuring confidentiality is – and always has been – a holistic affair. The detection of electronic eavesdropping threats, which many assume Technical Surveillance Counter-Measures (TSCM) constitutes, is only one element; for true protection, an evaluation of both the physical and cyber vulnerabilities and a strategy and measures to defend against these in the most effective way possible are needed.

Adapting to a new post-COVID-19 world

In order to stay competitive, we must consider how we continue to protect our information and conversational data. In security, we are intrinsically primed to understand and assess the threat to ensure we are prepared for the unpredictable, so arguably we are already well placed to support our organisations and colleagues to combat the threat posed by COVID-19.

With many companies now signalling a move to complete or increased remote working in the long term, there is now the need to consider how best to both maintain a high level of alert by employees and train them on the new threats which emerge. As the timeline of the pandemic has developed, the threat of malicious cyber activity has increased exponentially with attackers exploiting COVID-19 as a means of gaining access to information and financially scamming businesses and individuals.

Arguably then, there is a significant need to support colleagues with security training and security awareness briefings, and the market for effective virtual training and tailored awareness briefings is only set to grow.

As the economy takes a downturn, previous experience of recessions tells us that these times of increased personal and professional stress and uncertainty generate a higher level of insider threat. An incident of social engineering has already hit the headlines recently with the hack at Twitter, and there is no doubt that adversaries will be looking to prey on employees’ vulnerabilities for their own gains.

A combined programme of system and information access review, monitoring and recording, as well as education and timely employee leaver access revocation protocols will help to protect your most valuable assets.

Esoteric Ltd has a series of four content guides available on its website to help organisations to protect their confidential information during COVID-19 and beyond, featuring practical tips and guidance for security professionals.

The guides can be downloaded via https://www.esotericltd.com/register-for-covid-19-security-guides/

Emma Shaw CSyP

www.esotericltd.com

The post Information confidentiality post lockdown appeared first on City Security Magazine.

Once the stuff of sci-fi movies and futuristic dreams, drones are set to become a part of our daily lives. They are now widely available to purchase online and vary enormously from the inexpensive, pocket sized drone – controlled by a mobile phone and able to receive live video images – to the heavyweight octocopter drones which carry over 20kg.  And as the technology to build them becomes more sophisticated, so too does the capability to put them to use.

The online retail giant Amazon is an example of this advancement, with the development of a pioneering drone delivery service, Prime Air. This proposed drone delivery service is currently testing the capabilities of automatous drones with machines carrying a payload of up to 25kg for a range of 10 miles and lighter payloads reaching a maximum speed of 50mph.

Initially known to many for their military use, drones are used today to drop food packages to starving villagers whilst also providing a low-cost option to deploy and activate small arms and explosive devices.

Counter drone technology

But drones also pose a problem: some are fully capable of monitoring Wi-Fi and manipulating our phones and other technology, and in some cases, they are able to intercept mobile phones. Accounts of drones in aircraft near misses and contraband drops within the perimeter of prisons have become a regular occurrence.

Counter drone technology has been slow responding to this threat. A search on Google will throw up several “solutions”, including attack eagles specially trained in the Netherlands, laser jammers and air pressure guns which fire a large net into the path of the drone. Unfortunately, none can be relied upon against fast moving drone threat, nor can a drone differentiate between a legitimate delivery or, for example, one carrying medical supplies.

Specially designed targeted RF Jammers seem to be effective, but due to the re-classification of drones by the CAA – under the umbrella of aircraft – their use has been restricted by OFCOM.

Drones: threat to our privacy

The challenge is to develop a solution that counters these significant threats to our data, privacy and information and uses a very targeted RF approach that does not interfere with GSM, Wi-Fi or any other commercially used frequencies. This countermeasure needs to create an exclusion zone with a signal that denies the operator control, video and telemetry downlink capability: in effect, to create an electronic no fly zone over strategic areas such as government establishments, power stations, large public stadiums and airports etc.

Additionally, any such countermeasure would need to be deployed rapidly, so a lightweight, handheld, battery operated solution is crucial. In this way, you could create an invisible electronic shield impenetrable by commercial drones quickly and flexibly.

The good news is that specialist technology providers are taking up this challenge with some products in the final stages of research development and testing.

Whilst bringing multiple benefits, drones can be dangerous as well as compromising the security of our information and privacy. Fortunately, with a strategic approach to this threat supported by a technical countermeasures plan, there are solutions available to deter, intercept and divert malcontent.

Emma Shaw, Managing Director Esoteric Ltd.

The post Drones pose threats to our privacy appeared first on City Security Magazine.

Who is a professional? Can everyone be a professional, or does that mean that the term then becomes meaningless?

First, let’s look at the security profession. Are we a profession? The answer is… yes. We may not yet have a professional body in the UK which holds Chartered Status; however, we do have The Register of Chartered Security Professionals which is owned by the Worshipful Company of Security Professionals and managed by the Security Institute.

There are currently 70+ Chartered Security Professionals earning the prestigious post nominal of CSyP.

Most security professionals will agree that our industry is difficult to define. There is a huge range of business types, roles and responsibilities that come under the umbrella of “security”. The work of other “professionals” such as doctors or accountants, for example, are clearly understood, but it is not so well defined for a security professional. This is likely to be due to the fact that the security industry is diverse with many facets such as physical security, cyber security, risk, resilience and such like. Perception of what security actually is also becomes a factor, as it is perceived to be limited to physical security such as CCTV or uniformed security officers.

Academic achievement

When we look at academic achievement and career development we can make similar parallels. For an accountant and a doctor it is clear what the required level of academic achievement is. Chartered Accountant is a term that people understand and accept as being someone who has achieved a recognised level of competence in their chosen profession.

The way that business is conducted in both public and private sector organisations has changed significantly over recent years. Statistics and research have identified that procurement is generally motivated by either “pain” or “pleasure”. The “pain” they may incur if they don’t or the “pleasure” they may gain if they do procure an item, solution, product or service. Unfortunately, the motives for procuring security-related solutions and products is based upon “pain” and therefore it is the responsibility of us as security professionals to ensure that we are able to communicate effectively with key decision makers in order to advise and support them on key issues surrounding security.

Traditional or entrepreneurial

Some of the issues stem from the way that security professionals approach their own roles, which can be defined as traditional or entrepreneurial. The former view their job as being aligned to a service function and a cost to the bottom line. This lends itself to a situation where simply reducing the amount of money spent on security becomes a key objective. Conversely, those in the entrepreneurial category see security as a discrete supportive function that supports each area of a business, enabling it to conduct business effectively whilst underpinned by proportionate security practices and measures; it also requires an integrated interdepartmental approach. For example, human resources and security professionals work together to implement adequate pre-employment screening of staff and contractors. Many current security professionals view themselves and their peers within this category and businesses are now starting to recognise the benefits that the role of the security professional brings to an organisation.

All too often security is perceived as a ‘grudge’ purchase rather than an integral part of a company’s strategy. This is due to misconceptions on the part of senior business decision makers combined with the fact that too few security professionals are able to present ideas in a way that is based upon a broader understanding of the business needs. It is this broader more holistic approach to work and business that sets the true security professional apart from the practitioners. There are key business practices, disciplines and knowledge bases that differentiate professionals:

Historic Perspective gives individuals a sense of the journey that has been made to reach this point in time. Understanding and appreciating the past informs decisions and allows learning to avoid repeating mistakes and to replicate best practice. Without an appreciation of what has happened before how can we as professionals influence the future?

Horizon Scanning is useful not only for identifying emerging trends and future areas of growth but in the context of how individuals interact with one another. Twitter is a good example of something that has grown into a mainstream communication platform utilised by many businesses and industries for the dissemination of urgent operational information.

Professionals embrace complexity in the world and understand that today’s problems are not isolated. It is often necessary to work with other professionals to achieve goals and a professional will not hesitate to consult and collaborate with others to achieve those goals.

Continual Professional Development (CPD) is a much used corporate catechism but fundamentally it means a “professional” is engaged in continuously developing their skillset, whether through formal structured learning, or through self-development and mentoring. In short they are proactively ensuring their continual development. Personal effectiveness is an essential of professional leadership and effectiveness is supported by the ability to enhance, develop and improve existing skills.

Academic achievement is an important addition to an individual’s knowledge base. Coupled with practical experience relevant professional qualifications can enable individuals to move beyond being a technician or practitioner. But what of the security industry? What is our career path? How do you become a security professional?

Business is changing

The way we do business is changing; businesses are becoming much more streamlined and working methods more efficient and flexible. This is largely to enable organisations to meet their business demands as well as provide flexible working conditions, increase efficiency and realise cost savings. It is therefore logical that as security professionals our roles and the way we work will change to meet and adapt to these demands and changes. This will continue to evolve. and if we are to respond and provide professional security services to our clients, either as service providers or indeed as in- house security teams, we do need to consider our own personal development and ensure that our skills remain current and relevant. There are many ways of achieving this through either academic or vocational training and through self development supported by membership of a professional security membership organisation such as the Security Institute, which provides guidance, mentoring, knowledge centre forums and the like. This kind of forum also provides opportunities to share experiences and best practice guidance with colleagues and associates in a trusted environment.

In 2011, the Register of Chartered Security Professionals was launched. For successful registrants, the designation of being a Chartered Security Professional (CSyP) is the recognition of their skills as a professional in their field of expertise. This is an essential step if the profession of security is to take its place alongside other high-calibre disciplines in the public and private sectors. How could anyone not want to be part of this?

Emma Shaw CSyP, Chairman, The Security Institute (at time of writing)

www.security-institute.org

The post CSyP – setting the security professional apart from the practitioner? appeared first on City Security Magazine.

On December 3, 1992, British engineer Neil Papworth used his computer to send the world’s first text message “Merry Christmas” to an Orbitel 901 mobile phone via the Vodafone network.

Fast forward almost 20 years to 2011 and 150 billion text messages were sent in the UK according to Ofcom. Globally, according to Informa, during 2012 there were 18 billion text messages sent every day.

Surveillance of data

Whilst chat apps on smart phones are overtaking text messaging there is still a huge amount of data virtually circling the globe. It’s also data that is collectable. The US National Security Agency (NSA) was widely reported in January 2014 to be collecting and storing up to 200 million text messages a day. The reporting was based on leaks by ex-NSA contractor Edward Snowden. According to the report the program, called Dishfire, analyses SMS messages to extract various pieces of information including location from roaming and travel alerts. The Guardian and Channel 4 also reported that UK spy agency GCHQ had access to the database. In 2013, Snowden also leaked details of Prism, the NSA’s data mining system designed to receive data from a range of US internet firms. Turning to the more obvious surveillance offered by cameras, according to the British Security Industry Authority (BSIA) there are up to 5.9 million closed-circuit television cameras in the UK including 750,000 in sensitive locations such as schools, hospitals and care homes.

The growth and development of technology and the post 9/11 world of global terrorism has created the opportunity for governments to develop wide scale surveillance programs. The debate about how proportionate this surveillance is in the context of preventing terrorist acts is a heated one.

A surveillance society

In “Key Issues for the New Parliament 2010” the UK Government features a section on Surveillance in Society and it opens with: “Richard Thomas, the former Information Commissioner, once famously remarked that the British people were in danger of ‘sleep walking into a surveillance society’. Many civil liberty groups might argue we have now woken up in one. Others might have the view that as long as surveillance is deployed democratically and legally by people always above reproach, then there is nothing to fear, Surveillance, in its various forms, whether covert or overt is undoubtedly an important tool in the intelligence gathering process to combat terrorism and criminal activities.

Purposes of collecting data

Whilst the debate in the UK isn’t as clear cut as civil liberties versus security there will always be concern that data collected may be used for other purposes. This “mission creep” in the use of surveillance data gathered ostensibly for the prevention of terrorism is one of the main strands of the debate that counters the increase in surveillance. For example, local authorities are amongst the wide range of public authorities able to access communications data. In October 2012 the Home Office issued guidance in the form of a snappily titled booklet “The UK Government Protection of Freedoms Act 2012 – changes to provisions under the Regulation of Investigatory Powers Act 2000 (RIPA). Home Office guidance to local authorities in England and Wales on the judicial approval process for RIPA and the crime threshold for directed surveillance”. In a 2013 report, “Private Investigators – The use of private investigators by councils, public authorities and government departments in the United Kingdom” Big Brother Watch reports that their findings indicate 27 councils commissioned external organisations to undertake surveillance under the provision of RIPA.

As well as having to provide Councils with guidance on the correct use of RIPA, the UK Government’s reaction to the Snowden NSA leaks was criticised by a human rights group coalition: “We have joined together as an international coalition of free speech, media freedom and human rights organisations because we believe that the United Kingdom government’s response to the revelations of mass surveillance of digital communications is eroding fundamental human rights in the country. The government’s response has been to condemn, rather than celebrate, investigative journalism, which plays a crucial role in a healthy democratic society.”

Surveillance to prevent crime and terrorism

Clearly the extent to which an increase in surveillance and data collection has helped to prevent terrorism is extremely difficult to measure. The NSA reported in 2013 that “over 50” potential terrorist attacks had been thwarted by Dishfire and Prism. Whilst many would like to see statistics relating to this in the UK, there are obvious security reasons why this type of information is not accessible to the public.

To what extent should surveillance be gathered for the purposes of preventing crime? In the UK it seems the majority of the public are supportive of CCTV. The BSIA reports that in 2009, 95% of Scotland Yard murder cases used CCTV footage as evidence. They go on to report that the public are supportive of CCTV with 62% wanting to see more in their local area.

Finding a balance

Surveillance In Society summarises the debate between privacy and proportionality succinctly by saying: “Terrorists, serious criminals and fraudsters clearly have something to hide. Few would want few stones unturned to bring such people to justice. But what about comparatively minor infringements: the risk taker who bends the rules; the pensioner whose dog fouls the local park; the parents questionably claiming they live on the right education catchment area for their child? Where to draw the line? When to rein in the ‘dustbin stasi’?”

The balance between keeping society safe and being too intrusive in relation to surveillance is never going to be without tension. Technological developments mean that increasingly much global communication is electronic and the appetite to legally intercept this either covertly or overtly is always going to be there. How society deals with this balance is going to help inform how governments and their agencies approach this and to what extent they are able to conduct their activities. According to public sources, most of the additional safeguards suggested by President Obama for implementation in the USA are already in place in the UK. The various intelligence agencies have three layers of external authorisation and supervision in place: Ministers and two intelligence commissioners drawn from the judiciary and parliamentary oversight committee.

The conversations around surveillance and intelligence gathering practices will continue to be the subject of much debate. What is clear from many discussions is that surveillance and intelligence gathering conducted in an appropriate and proportionate way will continue to combat both terrorism and crime, and the work by the intelligence community is vital in protecting our interests and safety around the world.

If the 1992 Neil Papworth knew that in 20 years there would 18 billion text messages sent every day then his first message might have been “OMG”.

The post The growth of surveillance and intelligence gathering appeared first on City Security Magazine.