Q. How often do you find a bug?
A.
It depends on the type of sweep. We
conduct Technical Information Security Surveys (enhanced TSCM) sweeps for bugs and
surveillance devices in businesses and government (and occasionally residential
or matrimonial type sweeps).
Business and Government TSCM Sweeps
Regularly scheduled, due-diligence, technical information security
surveys rarely turn up devices. No surprise there. Typically, organizations
using our services already have a high overall security profile. They are “hardened
targets”. For those clients, the bug sweep bonus is... having a known window-of-opportunity when
something is found.
Often, what we do find are other information vulnerabilities like: decayed
security hardware; security policies no longer being followed; and other unseen security issues (scroll down).
Discovery statistics on our "emergency sweeps" (sweeps where illegal electronic surveillance is suspected) varies from year to year, about 2%-5%.
However, the rate of determining what happened and resolving
the client's concerns is extremely high. (Isn't that the real point of the
exercise?) More often than not, these info-loss cases can be traced back to the
human element, or the poor security practices, which allowed the leak to occur
some other way.
With
organizations, the opposition's focus is on getting the information, in all its
forms. Corporate espionage, industrial espionage, call it what you will. There
is no one spy tool of choice here. It's electronic surveillance plus hundreds
of other tradecraft techniques which may be employed. Solving these organizational
emergency cases requires more than a simple TSCM bug sweep. Required add-on
skills and experience include: corporate investigations, alarm system design,
computer forensics, and information management to name a few.
Residential Bug Sweeps
When
it comes to residential and matrimonial bug sweeps, the find rate for locating
bugs and surveillance devices is quite high. This makes sense. The opposition's
focus is narrow; they want to intercept communications and/or determine the
location of a specific person. Electronic surveillance is the
tool of choice. Personal privacy is the biggest loss.
Solving
these cases is relatively easy for a number reasons:
· The spy is usually a do-it-yourselfer, an amateur, or someone
with limited tradecraft skills.
· The victim has a good idea who is doing the spying.
· Resources rarely permit the purchase of advanced bugging or
tracking devices.
· Surveillance devices adequate to accomplish the goal are
inexpensive and easy to obtain.
· Locations for placement of bugs, taps, spy cameras and trackers
are limited.
· Having a personal stake in this type of surveillance, spies
often tip their hand to show power.
The Security Director’s Dilemma
Justifying
cost to the bean counters.
Private
investigators and people who handle residential and matrimonial bug sweep cases
don’t charge very much for their services. Mainly because private individuals
have limited budgets. But, also because their overhead is low. Their detection
gadgets are often basic and inexpensive, insurance costs (if any) are not up to
corporate standards, for example.
Professional
security consultants who specialize in business and government-level TSCM are
not a dime-a-dozen. They invest heavily, and continually in: sophisticated
instrumentation, professional certifications, and advanced (and continuous)
training. Their overhead includes: an office staff, trained Technical
Investigators, licensing, insurance, instrument calibration, and an annual
Carnet so they can travel Internationally for their clients.
Security
directors know, it’s not all about the money. It’s all about the protection you get for your money. A cheap sweep is a mental band-aid, and a CYA
move.
They
are charged with protecting corporate assets. This type of information security
requires a security consultant with a depth of experience and knowledge of:
information management, corporate investigations, complex security systems, and
yes… Technical Surveillance Countermeasures.
Benefits
of Quality TSCM
Second to 'getting the goods', the goal
of espionage and voyeurism is 'never be discovered'. Obviously, if you don't
check, you won't know you’re under attack. Organizations don’t have a choice. They
don’t want their pockets picked, so TSCM is an important element of their
security.
·
Increased profitability.
·
Intellectual property protection.
·
A working environment secure from electronic surveillance
invasions.
·
Advance warning of intelligence collection activities
(spying).
·
Checks the effectiveness of current security measures
and practices.
·
Document compliance with many privacy law
requirements.
·
Discovery of new information security loopholes, before they can be used against them.
·
Help fulfill legal the requirement for "Business
Secret" status in court.
·
Enhanced personal privacy and security.
·
Improved employee morale.
·
Reduction of consequential losses, e.g. information
leak can spark a stockholder's lawsuit, activist wiretaps, and damage to “good
will” and sales.
The
benefit list is really longer, but you get the idea.
There
are some excellent corporate-level TSCM consultants out there. Now that you
know about the different levels of service, track one down to help solve your
information security concerns. You will
look like a hero to all your colleagues, except perhaps, the near-sighted bean
counters.
Contact me here if you would like to know more. Kevin D. Murray, CPP, CISM, CFE