Implementation of the business counterintelligence branch in enterprise
2. The sample solution for an implementation process of the business counterintelligence branch
The implementation plan of new counterintelligence and counteres-pionage branch in enterprise may be divided into several stages. Some of them may be omitted depending on past and present company or-ganisational experiences. However, from the practice of counterintel-ligence consulting, it appears that there may be a strong demand from the executive authorities to lead several implementation processes at the same time for example: internal security analysis, counterintelli-gence workshops and training, personnel recruitment, company cur-rent threats analysis, and an investigation of secret information leak-age or lack of personnel loyalty. Time implementation schedule of the business counterintelligence branch consists of the sequence of organ-izational works, tasks and information flows, as it was shown in Fig. 2.
– Analysis of the state of internal and external information secu-rity with existing counterintelligence resources in the form of se-curity rapport.
The scope of work of the security report can be very wide. How-ever, it can be roughly divided into two zones: the circulation of in-formation and documentation inside and outside the company, and the area of human factor and its impact on the organization.
In the first approach, the key is the verification of circulation of electronic documents and in paper form, for information security threats statement and to determine the potential strategic and opera-tional information leakage places.
The second phase involves carrying out reconnaissance on poten-tial sources of disloyalty of employees.
The third step is to determine the locations and areas of organiza-tion activities, which may be followed by the penetraorganiza-tion of a com-petitive intelligence or by foreign governmental intelligence agencies.
Particularly intelligence services can be interested in secret informa-tion about planned market activities and changes in provision of ser-vices, or details of sensitive dual-use technologies.
The report should end with an elaboration of practical applications for counterintelligence and counterespionage security approaches for already carried out business projects and planned ventures.
– Proposition for organizational, management and financing of the internal business counterintelligence at the company structure, prepared in the form of a feasibility study.
The work begins with the determination of the inner form of the counterintelligence organization and its position in the company struc-ture. The primary issue is to establish the scope of the counterintelli-gence branch duties and its staff’s accountability. At the same time, organizational efforts should be made to create decision linking and reporting procedures binding between the counterintelligence branch and company execution board. In the next step it is necessary to ac-cept the main principles of the future intelligence employee’s selec-tion, training methods and possible career paths.
At the very beginning of the counterintelligence organization's work, it is important to adopt methods of co-operation with other de-partments, in particular with marketing, controlling, procurement, accounting, human resources and IT. It has a direct relationship with the accepted principles of access to strategic, operational and financial documents for the counterintelligence staff and their future security responsibilities.
Turning to financial issues, the executive board should accept the counterintelligence structure and its cost estimate, broken down by major periods: preparatory work, selection of employees, training, initial period of implementation, continuous counterintelligence and counterespionage activities and periodic verification of the counterin-telligence branch’s development.
Efficiency measurement requires that objective evaluation parame-ters are set to measure the counterintelligence cell, including the methods of financial analysis adequate to the specifics of the com-pany’s business strategy. The analysis should be extended to the adop-tion of methods of economic analysis, defining the effectiveness of the company counterintelligence security in the context of enterprise mar-ket position.
To organize new company structure, it is also a need to establish acceptable working counterintelligence methods due to culture organi-zations and civil and criminal law standards. In advance, it should also be decided what kind of solutions will be available for the information security verification of counterintelligence branch by itself.
Hence, it needs to be determined the appropriate forms of contacts between counterintelligence staff with outside business and public environment i.e., especially with defence and security industry, com-petitive and corporative market segments, and public authorities sphere, including governmental special services, prosecutor's office, minis-tries, courts and the self-governing administration: voivodeship, pro-vincial and local commune authorities.
Business counterintelligence cell also requires the adoption of some degree of secrecy, because of various challenges of its activities within the company structure, while maintaining the superior rule of law, which provides that it is prohibited to create private covert or-ganizations.
The executive board should also approve a key document which is the feasibility study and to allocate adequate financial and personnel resources for the counterintelligence schedule deployment in the com-pany, in the certain time.
– Recruitment process of new personnel for the counterintelligence branch, department or cell, with specific capabilities to conduct information security tasks, counterintelligence and counterespio-nage operations, and support for the future competitive intelligence company activity.
The basic principle in the recruitment process of the counterintelli-gence cell creation is to prepare a candidate personal profile, which the company is looking for and the precise assumptions of the ex-pected competence range for the counterintelligence member team.
The process should begin from a review of currently employed staff to seek out valuable candidates for transfer to the counterintelli-gence branch. The key copy is also to prepare an outstanding job offer, particularly suited to discrete search for specific candidates. Public employment offers need to be also understandable by specialists from the business security management, with regard to the relevant counter-intelligence and counterespionage intentions of an employer.
On the side of external consultants, it is an obligation to propose sufficient selection process for the cell counterintelligence recruit-ment. The selection begins with the verification of the candidates per-sonal data by a crosschecking reliability of information provided by these documents. It should also carry out the social and electronic candidates screening. This is a significant tool to assist the process of complementary personal data, collected during multilevel interviews and screening.
Many kind of tests, checking the predisposition to analytical and operational work in counterintelligence, are also a very useful re-cruitment tool. However, they cannot be considered as more signifi-cant than results of individual interviews with candidates. In fact the tests give only a seemingly objective measure of personal suitability for business intelligence and counterintelligence duties. They have never been able to replace personal interactions and bring in the reality of the situation related to planning and execution of difficult tasks, especially in conditions of high levels of stress and danger.
In the final stage of recruitment should be presented detailed coun-terintelligence position requirements to the selected candidates, finan-cial contract conditions whilst paying attention to the further possibili-ties of career opportunipossibili-ties in the company, or in related subsidiaries, or a career path throughout international corporation structure.
Finally, the executive board approves selected candidates and em-ployment conditions, proposed by outside consultant agency, together with recommendations how to match people responsibilities to the counterintelligence tasks in newly created team.
– Comprehensive training program for newly established coun-terintelligence department and specific topics of corporative
intelli-gence, counterintelligence and counterespionage theories, practical methods for owners, top execution boards and management staff.
Employees training for the future counterintelligence branch is a lengthy process. It includes not only lectures and simulation exer-cises, but above all, individual and group intensive consultations. In some ways this is similar to the coaching methods, but it also has own specific approach due to often hidden nature of the business counterin-telligence work.
The background of the multi-month training system should adopt the organizational principles for counterintelligence, counterespionage and business intelligence duties and responsibilities, as a permanent quality of the internal structure, which has to be implemented in an innovative enterprise. It is vital to know accurate knowledge and un-derstanding of the legal conditions for the business counterintelligence and intelligence activities at the democratic countries and in the other political systems, related to the markets in which the company operates.
For effective counterintelligence work the most important thing is the acquisition and verification of personal and technical information sources. Behind this is a common understanding among company’s staff for advisability of co-operation with the counterintelligence cell.
Intelligence employees should be particularly carefully trained for a smooth operation in surrounded areas as: public administration, cus-tomers, individuals, subcontractors, suppliers, members of investment groups and competitors. Only from this starting point, analytical methods and reporting of counterintelligence efforts can be proposed and established.
In the framework of continuous training, consultants should help the company with development of the counterintelligence internal tasks scheduling, establish rules of its accounting and what is mainly relevant that matter, to suggest finance measurement methods of the counterintelligence work efficiency. Subsequently, it follows break-down to counterintelligence activities and work in task forces (opera-tional groups).
Particular care should be paid to the problems associated with the management of information presenting company economic secret and legal requirements and technical safety conditions of storage, use and processing of classified information [Classified…, 2010]. From above regulations, company supposed to set the internal restrictions for the scope of business counterintelligence responsibilities, connected with
protection of entity classified and economic information [Database…, 2001].
The main task of the business counterintelligence is recognition of the situation related to the company's industrial espionage threats, as technological, financial and political (domestic or foreign), but also corruption investigation or employees disloyalty cases and illegal influence of competition and administration surrounding same. Day by day collaboration between executive and others management staff with counterintelligence branch should protect company against leak-age and interception of secret information and sensitive personal data.
The key point here is an acquisition by counterintelligence staff prac-tical skills connected with the information systems, for example, a frequent use of the company accounting and financial management systems. However, it should be taken into account administrative and related mental limitations for a direct cooperation with different de-partments of the company.
Despite the tremendous growth of information technology and electronic observation1 in XX and XXI century, still in business intel-ligence and counterintelintel-ligence environment, as in the work of the special services, the most important is ability to search, enrol, collabo-ration and effective use of personal information sources2. However, the basic canon of counterintelligence duty is to protect informants from disconspiracy, both inside and outside the company.
Among the specific methods, with which the future counterintelli-gence staff might be familiarized is, inter alia, carrying out specific implicit activities: intelligence games, inspiration, disinformation and covert operations. This has an additional and hidden objective on de-tection of places and people illegally transmitting important data and classified information to competitors or to the public administration. It should be noted that above methods must have a high degree of se-crecy, because in the most cases there is a need to an implicit control of entire company personnel, including also members of the top man-agement staff and executive board.
Among others counterintelligence tasks, but essential as fixing dis-loyalty of personnel, subcontractors and customers, it is detection of phone, Internet and intranet system bugs, electronic surveillance,
1 SIGINT – Signals Intelligence.
2 HUMINT – Human Intelligence.
fighting against industrial and informatics sabotage, terrorism preven-tion, permanent control of the entity information system, safety and integrity of the data storage systems, with a special consideration for updating access policy.
In summary, comprehensive counterintelligence and counterespio-nage training always in the first place should identify possible routes of implicit and explicit data and information transfer paths inside the company and in directions to business partners, subcontractors, cli-ents, suppliers and to competitors.
– Pre-implementation of the counterintelligence branch for op-erational duties, with outside expert support for planning, execu-tion, measurement and reporting of counterintelligence branch de-velopment.
Nearly all of the annual initial implementation of the counterintel-ligence structure typically requires operational and tactical advices to the counterintelligence team and strategic advice to the executive board of directors. This is a critical period for success of the entire project location of counterintelligence and counterespionage protec-tion in the company.
Assistance of external experts is particularly important when plan-ning and carrying out covert counterintelligence operations. Consult-ants should also assist in the preparation of monthly reports on the enterprise information security for the Board of Directors or for the entire capital group.
A special issue is a role of security advisors in verifying employees and subcontractors, suspected of working to the detriment of the com-pany’s position, as a separate form of sensitive and confidential tasks.
The process of pre-implementation should end up submitting cor-rection solutions for counterintelligence branch activity and may pre-sent a proposal for improvements in the entity information security.
This brings about the verification of counterintelligence progress and determination of present organizational needs for adapting the coun-terintelligence branch to changes in operational and strategic man-agement and the specific project requirements.
The annual report should evaluate the process of change in the company information security after implementation of the business counterintelligence branch, particularly with regard to the control of the flow of sensitive and classified information.
Figure 2. Implementation plan of the business counterintelligence branch with outsourcing consultancy support and an average time of each step development
Source: Author’s diagram.
– Strategic consultancy and evaluation reports of the counterintel-ligence branch development after the pre-implementation period.
External counterintelligence experts should be able to determine new gaps in enterprise information security, which have not been iden-tified so far by the counterespionage department. They advisory role is to focus attention of the executive officials and counterintelligence branch managers on the future project risks and espionage threats at new markets. Security consultants can also provide solutions designed to enhance the counterintelligence branch with an integrated and spe-cialized business intelligence cell. But usually external consultants take periodic orders for screening loyalty of company counterintelli-gence personnel (“intellicounterintelli-gence in counterintellicounterintelli-gence” or “double checking”).
– Foresight analyses of company the future threats and the oth-ers security cases e.g.: espionage studies, losses caused by an ille-gal competitive intelligence penetration, inspiration and disinfor-mation games and personnel defector3 incidents.