Loose lips sink ships

June 2016 Editor's Choice, Security Services & Risk Management

For years I have refused to give prospective clients the names and details of any property that I have conducted a security risk assessment on, despite their insistent requests. Additionally, it must be realised, especially those projects dealing with security risk; that parties requesting such information in lieu of a proposal may not be honest in intent and could be using false pretences to simply fish for information whether it be in person, telephonically or online.

Andre Mundell, Alwinco.
Andre Mundell, Alwinco.

The names of my clients are also not placed anywhere on my sites or in any other publication or advertising media for that matter either. Trust me, I would love to share the names of some high-profile companies and individuals that I have been honoured to work for; but alas, the reason for not sharing is that that information will indicate that the client has had a security risk assessment conducted on their property and that they may or may not have addressed or remedied all the weaknesses within their security systems; the latter in itself creating risk. It also indicates they may have had some or other security issue, otherwise they would not have been knocking on my door. As already mentioned, those giving advice about security risk or the management thereof should actually know this.

This is why confidentiality in my business is top priority and I will never deviate from that to gain a new client or contract, even if it means losing one. Furthermore, is it fair or even ethical to make use of your clients’ risk for advertising purposes in this digital age? It is like using someone else’s tragedy or loss for one’s own gain.

What they know that we don’t

I recently received information from a criminal informant that supports what I have always thought and known to be true, but which also sheds more light and a different view on the importance of confidentiality. It further explains the modus operandi of the criminal in this regard.

This informant contacts me anonymously from time to time via a private number. Sometimes he refers to an article I have published, a speech I have given, a post I have shared or to my website as he has clearly been following me for a very long time. Other times he refers to what he has seen from other security companies or he simply gives me no reason at all as to why he may divulge certain information to me. I have never met him, but I do know that he is a seasoned and very clever, prosperous criminal who has been in the crime game for a very long time.

He manages and trains various organised groups. It needs to be remembered that these types of criminals have a finger in many pies and have created a booming, thriving business where an abundance of monies are made available through the sales of stolen vehicles right though to arms trade and then some. This requires a lot of brains, street savvy, organisational skills and leadership qualities. It also means that money is not a factor and on hand for whichever endeavour he invests in.

Many misjudge the criminal and believe he is uneducated but, looking at the actual planning that goes into an attack nowadays and what this informer told me, it is clear that the ability, the will and detailed organisational skills of the criminal are still largely miscalculated. Also a lot of money is spent to turn over a good profit.

These criminals will methodically browse the web looking for companies that provide security hardware, risk management advice, security guards or even health and safety education to glean information they can use to their advantage. The reality of this is that they do not only refer to security related sites to seek the necessary knowledge, but even companies that offer different services such as cleaning, air-conditioning, IT and network related services, building maintenance, construction, catering and a myriad of other possibilities that we cannot even begin to explain in full.

Again, there are more highly intelligent criminals out there than you realise.

An example

These security companies though, which we will refer to as X, Y and Z, proudly display on their websites clients A, B and C that they have given some form of security advice or assessment (or other) to so that prospective buyers will want to make use of their services. Not only do the potential clients see this, but also so do these structured, smart gangs. They actively seek these sites out for crime opportunities and from this they can get the details of clients A, B and C.

I have actually seen one company that has foolishly posted a picture of a security official at the client’s site with the entry way and the company logo in full view in the background. And this is published on Facebook for all and sundry to see.

Usually, newcomers in these criminal groups, wanting to show that they are worthy to join the group, or those that want to get promoted in rank are delegated to target one of these security companies’ clients. They see it as a challenge and an accomplishment to hit such an establishment and prove the security world wrong.

The informer said this type of advertising literally acts like a magnet. They enjoy cleverly defeating their adversaries. The irony of this is that the criminals who list these conquests are more favourably viewed by other lawbreakers and turn a bigger profit than the security companies do by naming their client base. In fact, the security companies are not accomplishing what they aimed to achieve in the first place but are rather, unknowingly, enabling the enemy by creating a foot in the door.

Information gathering

The criminals then go back to the sites of companies X, Y and Z and gather information about the staff; from the CEO, the managers to the sales team members and about the products or services that these companies have. A quick call to a salesman from X, Y and Z as a possible new client and potential sale results in a follow-up meeting where the salesman will provide them with his / her business card and more detailed info about their products, protocol or services.

The criminals will then have t-shirts printed or button-up shirts embroidered with company logos of X, Y and Z. New business cards will be cloned with fraudulent names to match the original they have. They call or pop in at the clients A, B or C to set-up an appointment for a week or two later and tell the client that the CEO, the director, the manager, the salesman or whoever from X, Y and Z (Piet, Jan or Koos) have asked that they report on the progress and satisfaction of the client in regards to security and risk management advice received. Due to the fact that these appointments are made well in advance or in person and namedropping is used, the client hardly ever calls the actual company or first contact to confirm this.

They start chatting with the staff at the client’s company on a regular and informal basis. Drivers, security officers, cleaners, maintenance staff and others are engaged in conversation with them to gain trust. They tell these employees that as they have conducted a risk assessment or provided security management advice at their workplace that they must be careful as they will also be assessed too; and this may place their jobs in jeopardy.

Trust is created as the employees feel these guys are helping them and with this familiarity they gain more information about protocols such as opening and closing, access control or how money is handled on site. With this gentle yet lengthy approach, they are thus able to formulate a good workable plan of attack to target that company. Security companies can agree here because how many times have your clients told you after an incident that it is suspected that the criminals knew too much and were privy to inside information.

In closing, although company X, Y and Z feel they are drawing in new business, they are also attracting the criminal element. By advertising and boasting about their clients, they are actually drawing a bull’s-eye directly on their clients’ back. Where the intention was to alleviate risk or supply good risk management advice by bragging about your client base and achievements, the risk is actually being increased by creating ample opportunity for the smarter criminal. They gain far more than you can imagine.

But, then again, someone dealing with risk or who has conducted a criminal investigation would naturally know this; right?

For more information, contact Alwinco, +27 (0)62 341 3419, [email protected], www.alwinco.co.za


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.

AI enables security solutions to define business strategies
Regal Distributors SA Editor's Choice
While allowing technologies to do exactly what they should do with even more efficiency and precision, AI is also empowering these same technologies to break through their traditional boundaries and create an ecosystem where one interface delivers outcomes across highly segmented verticals.

Putting cyber into surveillance
Dallmeier Electronic Southern Africa Cathexis Technologies Technews Publishing Editor's Choice
Cybersecurity has become an essential part of the physical security industry. However, unlike other IoT technologies, of which security products are a part, surveillance technologies have more to protect.

2024 State of Security Report
Editor's Choice
Mobile IDs, MFA and sustainability emerge as top trends in HID Global’s 2024 State of Security Report, with artificial intelligence appearing in the conversation for the first time.

Cyberthreats facing SMBs
Editor's Choice
Data and credential theft malware were the top two threats against SMBs in 2023, accounting for nearly 50% of all malware targeting this market segment. Ransomware is still the biggest threat.

Are we our own worst enemy?
Editor's Choice
Sonja de Klerk believes the day-to-day issues we face can serve as opportunities for personal growth and empowerment, enabling us to contribute to creating a better and safer environment for ourselves and South Africa.

How to spot a cyberattack if you are not a security pro
Editor's Choice
Cybersecurity awareness is straightforward if you know what to look for; vigilance and knowledge are our most potent weapons and the good news is that anyone can grasp the basics and spot suspicious activities.

Protecting IP and secret data in the age of AI
Editor's Choice
The promise of artificial intelligence (AI) is a source of near-continuous hype for South Africans. However, for enterprises implementing AI solutions, there are some important considerations regarding their intellectual property (IP) and secret data.

Super election year increases risks of political violence
Editor's Choice
Widening polarisation is expected in many elections, with terrorism, civil unrest, and environmental activism risks intensifying in a volatile geopolitical environment. Multinational businesses show an increasing interest in political violence insurance coverage in mitigation.