"PMC Training" advertisement
Jasper Hartmann, an expert of "ALPHA Human Resilience", which is represented in
the Baltics by "PMC Training", and one of the best practitioner-instructors of
information extraction, says that one of the biggest security mistakes today is
too narrow an approach to threats. How does economic and technological espionage
really work in Europe?
The biggest mistake is to think that hackers will attack you
The threat of
cyberattacks dominates the public space today, but in reality, some of the most
sensitive business information leaks much more simply - through people.
"The biggest
mistake is to think that the main threat is purely technological. Although
cybersecurity remains a priority, in many cases it is easier to obtain
information during a conversation than by trying to hack into systems,"
says J. Hartmann.
According to him,
espionage today operates on the principle of fragments: small, seemingly
insignificant details about processes, technologies, partners or
decision-making are collected, which are later combined into a general picture.
No one comes to pick up a specific document; most often its contents are
collected bit by bit - from different people, in different situations.
Russia is in a hurry, China is waiting
As the security
situation in Europe changes, more and more attention is paid not only to cyber,
but also to physical and human espionage threats. This is especially evident in
Ukraine.
“In Ukraine,
espionage prevention is given extremely high attention. Russia is actively
trying to infiltrate companies working with technologies that it seeks to
better understand,” says J. Hartmann.
According to him, a
fundamental change has occurred in recent years. If cybersecurity used to
dominate the agenda of organizations, today it is becoming only one of several
important security components. “More and more organizations are realizing that
technological protection alone does not guarantee security – it is also
necessary to assess the risks of people, partnerships and information flows.”
Asked how countries
like Russia or China operate today, Hartmann distinguishes clear differences.
“Russia operates quickly, aggressively and with a high tolerance for risk. It
relies more on insiders, pressure, opportunistic opportunities. It is very operational.”
At the same time,
China is choosing a completely different strategy.
“China’s operations
are focused on the long term. It builds relationships, goes through
partnerships, investments, academic cooperation. At first glance, everything
looks like normal business, but in the long run, such operations can provide
access to very sensitive information,” says Hartmann.
According to him, it
is this aspect of “legitimate activity” that is the most dangerous.
The most dangerous place is not the system, but the person
One of the biggest
blind spots in organizations is HUMINT (human intelligence).
“Most companies
invest in IT security, but they have almost no control over the human factor.
And it is precisely this factor that is most often used to leak information,”
says Hartmann.
The problem is that
this type of activity is difficult to detect. The IT department can show how
many attacks it has stopped. But no one can say how many times a day an
employee was subtly “interrogated” in conversations. Such conversations usually
take place completely informally – at conferences, on trips, in meetings or
even in cafes.
How information is “extracted” from you without you noticing
One of the most
effective methods used in both intelligence and the competitive environment is
the so-called information elicitation technique.
“This is not an
interrogation. It is the art of extracting information in such a way that a
person provides it himself, without even realizing that he is doing it,”
explains Hartmann.
A simple example: a
person approaches you at the airport, strikes up a conversation, notices your
computer, and says, “I guess everyone uses ThinkPads at work?” You
automatically correct them, “No, we use MacBooks.” It may seem like a small
thing, but such a detail can open up opportunities for pressure or
manipulation.
“One of the most
powerful techniques is a deliberate mistake. People simply can’t help but
correct it,” says Hartmann.
The following
methods are most often used: deliberate inaccuracy, in the hope that the
interlocutor will correct it; guessing intervals, for example, “your
budget is probably between X and Y?”; flattery, aiming to soften the
interlocutor with compliments or approval; innocent small talk that
consistently focuses on sensitive topics; and building trust by manipulating
apparent connections or acquaintances.
According to the
expert, it is in these areas that organizations most often lack practical
skills. As a result, more and more companies are choosing specialized training
focused on real-world situations, from identifying information-stealing
techniques to strengthening employee behavior. Such training is provided in the
Baltics by ALPHA Human Resilience, represented in the region by PMC Training.
Behavioral Analysis and LVA: From Intuition to Data-Driven Assessment
As the scale of
these threats grows, more and more organizations are looking for ways to more
objectively assess human behavior and the reliability of information.
Intuition is being
replaced by methodology: structured interview methods, behavioral analysis, and
voice analysis technology – LVA (Layered Voice Analysis) are used. “Modern
organizations base their decisions not only on intuition, but on systematic
assessment and data analytics,” says J. Hartmann.
LVA technology
allows for real-time analysis of microstress changes in a person’s voice and
identification of moments when information may be hidden or when tension or
inconsistency occurs. “This is not about “lying” as a binary category. This is
about signals that warn of what is worth delving into, where discrepancies have
arisen, and where additional questions are needed.”
According to him, it
is precisely the combination of such technologies with structured interviews
that allows for better assessment of candidates and partners, strengthening
internal research, identifying risks before they arise, and reducing the
influence of subjectivity and “gut feeling” on decisions. “Indicators change
the mind. In the context of security, this becomes critically important.”
A culture of high trust – both a strength and a weakness
There is another
important aspect in the Lithuanian and Northern European business environment
in general – a culture of trust.
“We tend to trust.
This is very good in business, but at the same time it creates ideal conditions
for those who know how to use trust,” says J. Hartmann.
As a result, many
organizations do not even suspect that a simple conversation can be a targeted
collection of information.
What can companies do right now?
According to the
expert, the most important thing is not to close down, but to become more
aware: “The goal is not to suspect everyone. The goal is to understand what
information is sensitive and when it cannot be disclosed.”
He identifies
several essential steps: clearly define critical information, train employees
to recognize information deception and social engineering situations, include
HUMINT risks in the security strategy, apply structured interviews and
assessment methods, implement advanced analysis tools (including LVA), and have
a mechanism to detect recurring patterns.
CER Directive – a test of whether the organization truly understands threats
According to J.
Hartmann, the upcoming implementation of the EU Critical Entity Resilience
(CER) Directive will become a kind of litmus test: “This is not just another
formal compliance requirement. It is the answer to the question of whether the
organization truly understands where its vulnerabilities lie.”
According to him,
companies will have to look wider – see not only IT systems, but also people,
supply chains, partnerships, decision-making: “Resilience today means the
ability to protect not only systems, but also knowledge.”
The Spy Is Often Right Next to You
At the end of the
interview, J. Hartmann formulates a simple, albeit uncomfortable thought:
“People are afraid of hackers, but the spy is usually right next to you – even
in the coffee queue. And it is this fact that changes the logic of security. If
an organization ignores the human factor, it leaves the easiest way to its
information.”
Today, more and more
organizations understand that resilience does not start with technology, but
with people. As a result, practical solutions – from employee training to
advanced assessment methods – are no longer an option, but a necessity. Such
training and services are also available in Lithuania – they are provided by
the official ALPHA Human Resilience partner PMC Training in the Baltic States.