Covert lessons for corporations


Spy Satellite

Spy Satellite

Emma Shaw is uncomfortable. She does not like talking about her work. With a background in the military police, working on covert investigations before switching to the secret services, she is used to being tight-lipped about her day-to-day activities. Now working as a counter-espionage consultant offering advice to FTSE 100 companies and high-profile individuals on their security matters, she remains vigilant, considering every word in case she betrays confidences.

Socially, she has become used to closing down the conversation politely. “I talk generically. I say things like: ‘It’s just part and parcel of my everyday life’.” Personal relationships have tended to be with people from similar backgrounds. “Work is not discussed much at home”, she reflects. In fact, the 46-year-old has a frustrating habit of excitedly describing a situation without revealing any information at all. To get any details requires constant nudging, probing and toing and froing.

Yet as chairman of the Security Institute, a body representing professionals working in the industry, she has no choice but to lift the lid on her trade. Normally she talks to businesses about possible threats, both internal and external. Esoteric, the consultancy she set up 16 years ago, provides advice to businesses on protecting information and assets. It employs 12 operatives with backgrounds ranging from telecommunications to military work, whose tasks include sweeping offices, looking for surveillance devices. At the same time she keeps abreast of new threats by talking to government agencies as well as her peers. Smartwatches, for example, have emerged as a new threat – cleaners, catering staff and visiting executives could discreetly record information using them, she says.

“Security issues affect everyone, from those providing haircare products to sporting associations, from small organisations to very large organisations with a global presence,” she says. The mention of haircare is a reference to Procter & Gamble, which in 2001 agreed to settle out of court with Anglo-Dutch rival Unilever over allegations of corporate spying. P&G admitted breaking its own rules on corporate espionage to obtain information on Unilever’s haircare business.

The recession has proved a spur to Ms Shaw’s business as disgruntled employees become easy prey for those hoping to steal secrets.

“People hit on hard times; there is a vulnerability for the business [in that] someone might be paid to do something that they wouldn’t ordinarily do,” she says. “Potential redundancies create uncertainty.”

Researching people’s backgrounds is all too often something that is restricted to hiring, Ms Shaw says. “It’s a snapshot at that moment in time; what does the organisation do over a longer period of time?” Instead of just delving into someone’s background when recruiting, employers should remain vigilant to their employees’ behaviour. Unexplained extravagances and a lifestyle that appears to be well beyond an employee’s salary are tell-tale signs that a line manager should be able to spot, Ms Shaw suggests. Demotivated employees can also be a risk, she adds.

Edward Snowden, the former contractor who revealed the National Security Agency’s cyber surveillance programme, has made businesses more alert to the threat of electronic spying and attacks, she says. “Now someone can gain information through the internet, phone-hacking, cyber attacks, rather than trying to get in through the front door.”

The problem, according to Ms Shaw – who does not have a background in technology – is that companies take their eye off traditional dangers such as honey traps and bugs being placed in boardrooms by competitors hoping to obtain information that might provide a commercial advantage.

Typically, she will test a business’s security arrangements through a procedure known as “penetration testing”. She cites an example of one company that was confident it had all the necessary provisions in place – that is, until she gained access to the premises and placed a number of dummy bugs around the offices.

Part of her remit is to advise executives not to compromise themselves. “The problem is that people don’t want to admit to it. We can’t tell people not to take anyone to their hotel room but we try to tell people not to be put in a difficult position.”

Born in Dewsbury, Yorkshire, the birthplace of writer David Peace whose dark violent novels have been labelled “Dewsbury noir”, she had ambitions to join the local police force. At her school career fair, deterred by the long queue at their stand, she was persuaded to have a look at the army one instead. Liking what she saw, she decided to join the military police in 1986. Expecting to travel the world, she was disappointed to be posted back to Yorkshire. But there she worked on several covert drugs cases, giving evidence at a number of courts martial.

Working in male-dominated en­vironments has been a feature of her life. Women, she says, learn to use their wits in place of physical force. “If you’re out and you’re dealing with a bunch of squaddies late at night [who]have had lots to drink, women use their skills to reason.”

After a stint in Northern Ireland, where one of her closest friends was wounded (with typical understatement, she observes “that does create a certain amount of nervousness when you’re going out”) she decided to buy herself out of the army for £300. She joined the intelligence service MI5, working in operations, looking into the threats to the UK from external sources: Northern Irish terrorism, the threat from the Middle East and the developing al-Qaeda network.

It was while working at MI5 that she became convinced she could apply her investigation and security skills to business. So she went to work for the Asprey Group, the luxury goods company, as a security analyst to gain commercial knowledge, particularly in the areas of counterfeiting and theft, before branching out on her own to set upEsoteric.

One luxury goods company that hired her was concerned information was leaking about a joint venture it was working on with a Russian business. It was alerted to this by the mobile phone belonging to a board member who travelled to Moscow frequently. When he made calls from his mobile a Russian number came up as his call-line identification, leading his fellow executives to conclude that his phone had been tapped. “This person was so busy doing business [that security] wasn’t at the forefront of his mind.”

After delving into the background of the Russian executives, it emerged that many had former careers in intelligence. Aside from conducting background checks on potential partners, the lesson for that company was to keep laptops and smartphones that contained sensitive information at home. Business travellers, she says, need to be more cognisant of security issues. When working away from the office, she advises taking a “clean” mobile phone and laptop free of any sensitive data.

Such gadgets, she says, have brought about new methods of interception: “It’s like an open door into an organisation.”

Copyright The Financial Times Limited 2014

Leave a Comment