Having said that, it is important that you do a true and complete risk assessment, not a partial one that someone might, in error, call a “risk assessment.” It sounds simple but I find people often and mistakenly interchange or misuse terms. This is especially true of the terms threat and risk, or people will use the term “risk” in some other context. In the context of this book, we will be using the term risk to mean a very specific security issue. As we have already noted, this approach to risk draws on a number of international programs and standards and we will be applying these standards to risk as it relates to business espionage.

For example, I have had a number of security directors or business leaders say to me something along the lines of: “The People’s Republic of China is a high-risk environment for business espionage and sensitive business information.” As we will learn in Chapter 3 (and we will see more examples in other chapters where there are case studies), the People’s Republic of China has been involved in, or in some way linked to, a number of business espionage situations. Therefore, it may be valid to say the People’s Republic of China is a “high threat” environment, but before we can say it is “high risk” we have to look at how effective your existing security measures are and the consequence levels for your business processes/information there. These two factors are also part of risk determination. Risk is not based entirely on threat, although threat is a factor in determining a security risk.

During discussions about their various operations within the state of Nebraska, in the United States, another security director assured me their operations in Nebraska were “low risk.” When I asked why, that security director said: “Everything in Nebraska is relatively low risk. Everybody knows everybody in Nebraska and it is pretty isolated from a lot of these traditional outside security issues.” My response was, “Maybe it is low risk in Nebraska and maybe it is not, but first we must thoroughly examine the threats in Nebraska, USA.” Then, I shared with him that we needed to see how effective their existing security was in Nebraska and, finally, how critically important the processes/information were for the company when it came to its Nebraska-based operations. Only then could we say what the true security risk was for the company’s Nebraska-based sites.

Therefore, if you have been mindful of the criticality levels for information that will be available in and to China and have implemented good, strong security measures (hence your vulnerability is low), you may find the threat is high but the vulnerability and consequence are low enough to make the risk acceptable in China.

For example, in Nebraska, the threat might be low but security efforts there might be plagued by complacency (“nothing ever happens here” attitudes) and thus are not very effective (high vulnerability), which could also be where some of the most critically important information in the company resides (high consequence/business impact). This means the threat is low but vulnerability and consequence are high.

In fact, in this hypothetical situation, the company’s business espionage security risk in Nebraska is higher than in the People’s Republic of China. Maybe the threat in China is higher than in Nebraska but the overall risk (adding the vulnerability and consequence factors) is higher in Nebraska. Unfortunately, I frequently see this kind of dichotomy in discussions about countering business espionage.

This is why it is so important to understand the differences in terminology and to be precise and consistent. Threat levels and risk levels between the two locations could be very different.

So, before you decide on a pro-active counterespionage program and what countermeasures your business should have in effect, you must have a thorough understanding of the threats, the vulnerabilities, and the consequences/business impact. Together they make up business espionage security risk. Armed with that knowledge you can determine the countermeasures that should be employed to mitigate business espionage risk at any given entity. This is risk management at its best, and this is the approach we will be working from as we examine business espionage security risks.

When risk management is applied to the process, the formula changes slightly to incorporate countermeasures, which can lower the vulnerabilities or lessen the direct consequences. That formula then looks like this:

In an environment where there are significant issues with business espionage we need to analyze threats using a threat assessment approach. This threat assessment should focus on who is targeting businesses (especially similar businesses), what businesses they are spying on (does location, size, etc. matter?), and how they are spying on businesses (determine their most likely modus operandi—or methods of operation). You can get this type of information from a variety of sources. I highly recommend joining professional security associations, such as ASIS International, and using the membership to create relationships with similar companies. If you share some information, they will likely do the same. Depending on your nationality, you can liaison with the national agencies responsible for countering espionage in your country. You can also talk with the security attaché or equivalent position in the embassy when you have business entities in a foreign country. There are other professional associations such as chambers of commerce, etc., in various countries. Once again, by building relationships you can share and ask about the issues and situations in a given country or business sector. By talking with all of these different entities you can begin to formulate a threat picture of the espionage situation in a given location. Your focus, again, should be on the methods used by business spies within your given location of concern and the likelihood of occurrence for business spying.

The next step is looking at the security standards that should be in place to protect the business from the business-spying threat as determined in the threat assessment. We will then identify any gaps that currently exist in how the company is operating versus these established/accepted standards for the overall threat they face. This is determined in the vulnerability assessment phase of the risk assessment. These gaps will be identified and labeled as “vulnerabilities.”

A good approach to determining the effectiveness (lack of effectiveness is the definition of a vulnerability) of your existing security and identifying vulnerabilities is to focus on how well your security measures fulfill four major security functions. Ask yourself, how well does existing security…

Deterrence is a difficult measure to determine and quantify, but it is important to know the threats and put yourself in the mindset of the threat vectors. For example, if I were going to try and get inside of this facility posing as a legitimate employee or someone authorized to be inside the facilities, how easily could I do this? How thorough is the access control? Can I piggyback? How should I be dressed? Who provides service here and how quickly are they given access or checked? Can I dress and pose as a delivery person, repair or maintenance person?

When there is signage and barriers, and when it is apparent that employees and security are extremely alert, the result is deterrence. A potential spy decides the opportunity for success is low and the opportunity of being detected is high. From the bad guy standpoint: time to try another place or another method. Deterrence has value.

It is also important to determine how effective your means of detection are. Typical means of detection include alarm notifications or computer penetration attempt alerts. It also includes being spotted on CCTV, or being spotted by a security officer or an alert employee. Detection includes the awareness of a possible problem but it also includes reporting it. An employee who says, “Yes, I saw that and it was suspicious to me. I wondered about it,” but does nothing and does not notify security, police, or some response element then it is not true detection. The “alertness” was only part of the process. Having a CCTV system that is not monitored but simply records does not count as true means of detection. It may help in a follow-up investigation, after-the-fact, but it is not a means of early detection. For CCTV to be a part of a detection process, it almost always has to be monitored by trained and dedicated staff or security personnel. It cannot be a part-time job. It needs to be a dedicated function.

The key to any detection is a quick, timely response that interrupts or prevents the perpetrator from completing the attack on your sensitive information. Once there is detection, and notification, there is usually a time gap before a responder can get to a site. If someone is able to break into the computer server area, for example, but a motion detector sets off an alarm in the security control that indicates someone is inside the server room, it will take a period of time (hopefully only a few minutes) for a responder to get there. The key is to have sufficient delay mechanisms in place that will allow enough time for the responder to arrive. This is the delay mechanism. Ask yourself, wh...