Are hi-tech spies stealing all your firm's secrets?
- Published
Last weekend's reports about the New Zealand rugby team's discovery of a listening device sewn in to a hotel meeting room chair, have illustrated just how much spying technology has advanced in recent years.
These days, you don't need to sit outside in a van with your headphones on, listening to static for an hour before the battery runs out and the tape recorder gives a tell-tale clunk.
Tiny matchbox-sized gadgets are now capable of transmitting audio and video for hours on end to the other side of the world.
Not only that, but we are all constantly connected to the internet via mobile phones and computers, and happily share details of our work and home life on social media - all valuable information for spies.
For experts like Alex Bomberg, whose company International Intelligence provides counter espionage services to large organisations, the result is that the threats to company security are now almost too many to count.
He is casting his eye over one corporate head office to demonstrate the kind of things he "sweeps" for when giving security advice.
The organisation doesn't want to be named - no-one is keen to have their security weaknesses pointed out publicly. Despite having identity passes and security guards, the company is still vulnerable, he says.
Traditional vulnerabilities, such as sensitive documents casually thrown into the bin or poorly paid cleaning and security staff being bribed to steal secrets, are now being amplified by technology.
Almost every meeting room is furnished with a conference phone that could be hacked. Anyone with a portable memory stick and a few minutes at a work station could download vast amounts of data or upload a virus. If you chuck out an old photocopier these days, the hard drive can hold years of stored data.
And corporate spies are continually developing new tech-based tricks.
"You pre-load a USB [memory] stick [with malware], and leave it where someone will find it," says Mr Bomberg. "It's human nature to wonder whose it is... especially if it says Accounts or HR on it."
And then there's the smartphone.
"They are very, very dangerous things," he says. "You are bringing basically a transmitting device into a building."
We are all effectively carrying the perfect James Bond gadget in our pockets.
"A lot of the larger companies now are creating sterile areas in which to hold a meeting. You can't even take your mobile phone in, which is very good practice, because what have we got on our phones? A microphone."
When it comes to business travel, executives are routinely advised nowadays to check a hotel suite thoroughly for listening devices, not to leave their laptop unattended, and to shun public wi-fi networks.
Alex adds that executives - like criminals - would be wise to take a "burner" phone with them - a basic phone that can be binned at the end of the trip.
'They're investigating you'
But the most effective corporate espionage attacks of recent times have relied as much on human frailty as technology.
Former FBI agent Eric O'Neill is National Security Strategist at the Washington-based cybersecurity company, Carbon Black.
He says the race between virus and antivirus software has reached a stalemate - the new battleground is personal.
"Today, attackers are using sophisticated, 'spear-phishing' attacks," says Mr O'Neill.
These are emails that have been carefully tailored to chime in with your own interests and experiences, using personal details gleaned about you from social media and elsewhere.
"They're investigating you," he says. "They're learning about an individual and putting together emails that people will click on."
The email might suggest your local golf shop is having a sale, for example, or that the renovation work on your office building is near completion. The aim is usually to entice you to click on a link containing malware.
In 2014, the US accused five Chinese military officers of spying on US industrial giants - including Alcoa, Solarworld, US Steel and Westinghouse - by sending emails that appeared to come from executives within the company, the US indictment said.
Reconnaissance
Owen Wright of cybersecurity firm Context Information Security explains how hackers and spies target employees.
"The first thing you do is perform lots of reconnaissance, where they sit, who they work with, look them up on social media," he says.
"The more you know, the more you can build up an attack."
Tapping into employees' natural curiosity - about salary details, for example - is a good way to get them to click on email attachments, he says.
"It's highly likely that the people who receive that email will open it and if that document was booby trapped it could allow the attacker to take over those people's computers," he says.
"In some cases you can spoof the email address, so even though it is coming from the attacker it looks like it is coming from inside the organisation, in which case it creates a much more realistic scenario."
Emails purporting to come from the boss have proven very successful at convincing junior managers to release cash to fraudsters.
Insider threat
While security companies do their best to keep pace with criminals' latest techniques, the biggest - and oldest - threat remains the mole: the enemy within.
"One of the biggest threats is your people and your employees," says Dan McGahn, chief executive of wind turbine maker American Superconductor (AMSC).
It's a lesson he learned the hard way.
The company had carefully encrypted its intellectual property, but in 2011 the firm was nearly destroyed after the code was leaked to a rival in China.
"If you motivate someone the right way with the right amount of money - I think he was offered women, he was offered a new life in China - if you motivate them properly to steal, any company is susceptible to that."
Follow Technology of Business editor @matthew_wall on Twitter