‘I’m not really in the spy business these days,’ drawls the elegant white-haired lady in the large tinted glasses. She gives a slight smile, and her upper class New England drawl lulls you into accepting that it is the most natural thing in the world that a 73-year-old woman, dressed in Vivienne Westward and sitting on the eighth floor of Tower 42 in the City of London, was ever enmeshed in trying to combat corporate espionage.
All good detective stories have a femme fatale. In the case of corporate espionage scandals, Celia Goodson, a seasoned businesswoman and once a glossily groomed blonde, has been involved in investigating more business transgressions to hit the City in the last three decades than anyone else of her years.
The former head of one of the largest financial undercover agencies in the UK, she still dabbles in exposing those who have attempted to steal intellectual property and other secrets from businesses. Now, though, she tends to live a somewhat quieter existence compared to the days when she could be found rifling through highly confidential files late at night.
Her tales of past corporate crimes she has encountered are fascinating, salutary and deeply unedifying. In a quick run-through of the seedier side of business life, Celia tells me about a case in which she became involved on her seventieth birthday.
Her target was a chief executive and chairman of a computer games company. At the time, it was rumoured that this eminent businessman was experiencing divided loyalties with his shareholders who were eager to merge the business he was in charge of, with that of a competitor.
In the final frantic weeks of negotiations, the chief executive (and founder) was offered a stash of money and lucrative share deal to call off the merger, as well as hand over the software his developers had been working on for the best part of a year.
Yet his blind faith in a rival and supposed cohort was misplaced. In reality, he had been dealing with a detective who was using the shady practice of ‘pretexting’ or masquerading as someone else to obtain information from him.
Humiliated, he made a swift exit from the company, but he was lucky to have at least escaped a prison sentence. With the whole affair hushed up, most inside and no-one outside the company, seemed any the wiser.
If you suspect there is something odd about the 35-year-old office junior – perhaps it is the camera in his tie, the micro-recorder in his man-bag, the confidential documents stuffed down the leg of his trousers – you may not be paranoid. Indeed, in itself, it is not unusual for firms to employ private detectives.
They are routinely used in a number of operations such as running background checks on persistent senior absentees or weeding out the odd internal fraud. In takeover bids, they come in handy for muckraking and finding out embarrassing facts about the opposition. The reason for this is simple: corporate espionage is becoming so endemic there is a greater call for gumshoes to root it out.
If we’re honest, who wouldn’t like to have three or four million in the bank with which to buy a country estate; have perhaps a herd of red deer grazing in parkland designed by Capability Brown? That anxious Monday morning feeling of dread would be replaced by a hazy headache caused by another hectic, but high-spirited weekend spent entertaining guests in Monte Carlo.
The problem is how do we acquire such riches without working ourselves stupid?
Working until you retire is no longer an option for many people. There are games of chance, like the national (or state) lottery, success at online poker, or even a serendipitous marriage to someone very rich The alternative to this need for good fortune for some is the relatively risk-free pursuit of helping oneself to a corporation’s intellectual riches.
Many see it as a clean and faceless crime since no one individual is harmed. Confidential information is also freely available to just about every employee. Even if you work at a low level there is always a chance of grabbing the metaphorical crown jewels and selling them to the highest bidder.
Working in Information Technology means that you may already have access to bank account details or know how to pilfer the source code for the new money-spinning gamesware. Or you might just have a useful dish-the-dirt story to sell to the media. And though the rewards for this are not exactly fantastic, a tip-off to a national newspaper about a racy business secret could net the source between Â£500 and Â£2000.
Another factor to take into consideration is how large corporations are now beginning to believe that hunting down the source of a leak can lead the business into more damage than the leak itself. This opens up a whole new landscape of possibilities for those willing to sniff out stories.
The recent all-out slugging at Hewlett-Packard is an ugly testimony to this. To tell it briefly, Patricia Dunn, HP’s chairman, had drawn up plans to place investigators dressed as cleaners inside the San Francisco offices of The Wall Street Journal and CNET, the news website. Dunn came to this decision after the company had been bedevilled by leaks from the board room. The planned placing of spies inside the two news organisations was part of the same subterfuge that included obtaining the telephone records of HP’s directors.
Since September, life inside Hewlett Packard’s boardroom has played out like a John Le Carre novel, only more alluring and easier to understand. The revelations now emerging about the company’s willingness to run cloak-and-dagger operations (spurred on by a former director), its institutional capacity for spying on colleagues and its regular invasions of privacy will certainly tarnish the reputation of Corporate America. It will also impact eventually on businesses in the UK, since most large British companies (including BT and BP, for example) have their own investigation units, while others contract the work out.
The increasingly complex scandal at HP will prompt a rash of questions about covert operations commissioned by public companies and funded by shareholders: What do these investigation units do? Who keeps them in check? Just who are these people? And is it really worth all the hassle and possible corporate fall-out?
Whilst it might be satisfying to catch whoever is leaking confidential information, would covert investigation lead to a restoration of trust in almost any situation?
Andrew Downes, a freelance IT security consultant who has advised FTSE-250 companies on shielding secrets from prying eyes, says it is best to play safe all the time.
‘I like people to believe they’re under attack from aliens who have extraordinary powers of control. In this way, the business makes itself a very secure environment. I tell them not to trust FTP or secure email, because these systems are prone to leaks and difficult to manage effectively.’
Instead, Downes advises businesses to:
1. Never expose your internal network to outsiders
2. Make sure all storage areas are secure
Encryption can be over-ridden by a systems administrator, so although encryption is acceptable for maintaining a level of confidentiality, it does not protect data from intentional deletion or over-writing.
It is vital all SMEs and larger companies have a single data access channel to where data is stored, while making doubly sure that a strict protocol, which blocks code from entering, is available for remote users.
3. Ensure that data at rest is properly protected
Make sure data at rest, not just data in motion, is encrypted. This ensures that the data is not readable. The use of advanced cryptographic protocols, such as AES 256bit for both storage and session encryption and signing, guarantees data security.
4. Protect against data deletion and data loss
The protection of data by encryption is only a part of the problem. Files can be accidentally or intentionally deleted or overwritten. Always keep older versions of files. This means you can revert to the correct file, or recover from data deletion.
5. Protection from data tampering
Data held inside protected storage must be made tamper-proof. This can be done by integrating authentication and access controls which will guarantee only authorized users can make changes to the data. Also make sure data manipulation does not go unnoticed by making use of digital signatures to detect unauthorized changes in files.
6. Regular auditing, and random and regular monitoring
Comprehensive auditing and monitoring is essential for security. It allows the company to check that its guidelines are being properly carried out. The manager has the ability to track how data is being used. Random, as well as regular monitoring acts as a deterrent for potential spies. Finally, it provides the security administrator with tools with which they can examine the security infrastructure, confirm that it is working properly and expose unauthorized usage.
However all aspiring corporate moles should be aware that however much technology protects boardroom secrets, it is no match for human fallibility as various businesses have found to their cost.
- Three men were convicted in 1988 after placing a bugging device in a biscuit tin outside the London home of an executive of Comet (then part of Woolworths) shortly after Dixons lost a takeover bid for Woolworths.
- Two Co-op executives were imprisoned after corporate private detectives from The Control Risks Agency filmed them handing over sensitive internal documents during Andrew Regan’s attempted hostile takeover of the Co-op in 1997.
- In 2001 Proctor & Gamble reached an out-of-court settlement in relation to claims that one of its contractors had been dipping into the bins of Unilever, its fiercest rival, in a brazen attempt to find out more about its hair care business.
During the takeover battle for Marks & Spencer two years ago, it was discovered that an unidentified party had been checking the mobile phone records of chief executive Stuart Rose by logging on to his online account. It was only through diligent and painstaking care that some of the people involved in these delicate missions were caught. As Celia Goodson points out, people only get away with things when the other party isn’t paying attention. Bearing in mind, corporate spying doesn’t come cheaply (HP apparently paid more than $300k to its firm of private detectives) it pays to see stopping corporate espionage as one of the most crucial tasks in anyone’s business life. It may be seen as a harmless crime, but too many innocent people suffer if good judgement is neglected.