Case Study: Security
The Client had a well-run business and was about to take the next step up in a phased growth plan. The business was so successful it had started to attract the attention of larger competitors. There had been suspicions of low-level corporate espionage taking place, and this warranted fears of an escalation of this type of activity. The Client wanted a confidence check regarding his security systems and engaged us to audit and test those systems.
We conducted an in-depth Threat & Vulnerability Assessment, which identified a number of threats the Client had not previously considered. Although he had not suffered any incidents or crises from those Threats at that time, neither had he considered any specific defences against them or planned for any contingencies. We subsequently assisted with this planning, and then conducted a detailed audit of the Client security protocols, with recommendations how to improve them. Company IT security systems had recently been reviewed and upgraded, so a simple Penetration Test (PENTEST) by our IT partners confirmed all was well. We then conducted a detailed review of his Personnel Security (PERSEC).
The Client was made aware of Threats to his operations that he had not previously considered, but were viable as his business grew. The expansion into other countries and markets contributed to a changing Threat landscape and he was not prepared for that. It was only a matter of time before an incident would have occurred. The Threat Assessment allowed him to recognise how much risk he was prepared to accept, what to mitigate and how best to invest his security budget. The physical security side of his business was well thought out and executed, so any adjustments were very minor.
The IT PENTEST was important to the Client as he realized the value in having an independent validation of the previous work.
Where our contribution was most valued was in assessing company PERSEC. With good standards of physical and IT security, the Threat Assessment identified the most viable threats as coming from within. By conducting social media and networking analysis, we were able to map out almost half the company hierarchy, by appointment and responsibility. We were then able to identify key company staff and subsequently highlight those most vulnerable to a subversive approach. The point of the exercise was to show how easy it was to identify key staff in the event that criminals, activists or competitors wished to subvert them. This exercise prompted the Client to tighten company social media policy and commission relevant training to raise awareness among his staff.