If you came across an Al kaeda cell, would you think of calling your local policemen to deal with it - or would you call MI5, MI6 or CIA? So why do managers think that corporate spies can be repelled using IT security policies or Human Resources Personnel? After all, Corporate spies have a very different motive and capability than a 16 year old hanging off an ADSL modem out of a basement in Belarus or a stupid incompetent employee pressing all the wrong buttons.
Corporate Spies are only interested in three things:
1. Gaining 'just enough' access to the target organisation
2. Perpertrating a specific attack, such as sabotage, theft and/or installing a trojan horse.
3. Exiting out - or better still, being exited out - under a cover.
Corporate spies have absolutely no interest in the organisation other than gaining sufficient access to target areas, then maintaining and leveraging their position in the organisation until such a time as they have infilitrated their tradecraft to achieve the desired result.
A spy will not play the same games as security personnel expect them too. They will not attempt to gain access to a system, whilst sitting at a desk with a fixed ip address, so system logs can be later scanned and reveal their attempts at locating data inside the managing directors PC folder. They will not make any specific requests themselves for access to any resource, so they build up a record of attempted breakins. They will not allow themelves to be seen to see or do anything that can be classified as 'out of the ordinary'.
What they will do is take more documents to the photo copier than they needed to (maybe pocket the ones they weren't supposed to be copying). Perhaps print 2 copies of the same document (under the guise of being a mistake if detected -"only meant to print one guv!") and then fold the second copy into a paper airplane and slip it in to the top pocket.
What they will do is elicit certain types of information from staff by offering stories of past experiences designed to provoke the right kinds of response and to develop trust.
What they will do is to alter the AT settings on a modem to enable them to dial in to the network at midnight and lift one or two interesting company files.
What they will do is look technically inept, to enable them to engender pity and support from their peers, which usually leads to access to further information.
What they will do is test the strength of executive accumen and corporate strategy by demonstrating potentially viable business solutions or scope the security officers level of knowledge and confidence, by mentioning they have recently read an article on a new security threat, that they know you won't have implemented measures for.
No, the activities of the corporate spy will not be halted by conventional approaches to information security or personnel management.
They can only be halted by trained counter intelligence operatives. People who look beyond the obvious.