Securing Your Work Place From Industrial Espionage

Monday, October 26, 2009
Industrial espionage, data theft, stealing of ideas and the like are no longer something out of a James Bond movie; they are hard facts in today's fast-moving world, and we should take them seriously. Have you ever walked into your conference room to find the whiteboard still covered with diagrams and figures from a high-profile meeting that just ended? I won't be surprised if you have experienced such a thing in your professional career. The simple fact is that we just don't respect the value of "data", or the fact that a simple figure/value/chart which may be garbage to us can be useful to our competition.

There are a few things one can do to minimize the probability of such events happening. One will have to enforce a few hard policies to make sure the risk is at a minimum, and we have to make sure there is SOMEONE or SOME GROUP (better if you have more people at stake, in my opinion) accountable for any such unforeseeable events.

1. Meetings

Meetings are a norm in our office life. Reminds me of a joke: "Society: a group of people collectively deciding that nothing can be done." Anyway, there should be general rules for meetings.
  • The person who called the meeting should be the last person to leave the conference room or the area of the meeting.
  • He/She shall be responsible for seeing that the area is clear of any notes, papers or company assets.
  • He/She should be responsible for ensuring that any unnecessary lights, fans and A/C are turned off. (Nothing to do with the context of this scenario, but it never hurts to include this in your SOP.)

2. Phone Cameras

Phone cameras can be a pain in the behind for security personnel. Almost everyone carries a cell phone nowadays, and even the cheapest ones come with a measly excuse for a camera, even if only at VGA resolution. But even a low-resolution 640x480 VGA picture taken of your data center layout or anything else critical can set you back a lot. People have already started issuing policies that do not allow people to bring in camera phones. If you ask me, I would go one step further and take the following extra steps:

  • Identify the mission critical area.
  • Identify the people with access to such areas.
  • Issue all of these people a company-issued cell phone without a camera and make it mandatory for them to use it.
  • Any personal cell phone (anything other than the company-issued one, or any phone with a camera) should be deposited at a help desk / reception before entering a mission-critical area.

Having a company-issued cell phone might sound like an expensive proposition, but there are many dirt-cheap Nokia, SE, Samsung and even LG alternatives out there to keep the budget low.
    • Everyone, regardless of designation, carries the same phone, so that creates harmony.
    • They get a company-issued free phone (hey, at the end of the day it's FREE).
    • It's up to the company whether to give them a company SIM (as per job designation) or let them use their existing SIM card to continue their connection.
    • Those Blackberry-carrying snobs who claim to get email every second of their life might as well be kept outside such mission-critical places. (With all due respect to BB users, but I have found more than 75% of users to be snobs who pretend to be Mr Important rather than using the BB to stay in touch with business/work.)

3. Segregation Of Work

Distribution of work is always a good idea. It makes it hard for any ill-intentioned employee to pull something off. Let's assume there is one person with access to everything; that means that person can provide your competition with mission-critical information, for whatever reason.

Even extending the segregation of work to access levels can provide an extra level of security for your assets. For example, there is a data center with a server inside (what else?) a locked rack.

  1. You have a person who has access to the data center.
  2. You have another person who has access to the rack.
  3. You have a third person who knows the password to the server.
  4. You have a fourth person who knows the password to the application / is responsible for doing the work on the machine.

Now this may sound tedious to you, but hey, security is never achieved without pain. In fact, if you have not heard it before, there is a popular saying in the information security industry that "Security Is A PAIN". I will be covering this in an upcoming post soon.
