
Information Security - the weakest link

Increasingly, criminals are using more sophisticated methods to target and steal goods from trucks. To counter this, security companies and logistics groups are developing better methods to protect the assets they are responsible for.  Door locks, tracking systems, electric fences, surveillance cameras and manned guarding have all had an impact on the protection of drivers, vehicles, premises and cargo.  Unfortunately there continues to be one area of security that is woefully overlooked and is being exploited time and again by criminals throughout Europe – information security.

 
What is Information Security?
 
Simply put, Information Security is any method or procedure that protects information from unauthorised access either by criminals or persons with no bona fide reason to know – which includes employees.  Using PIN numbers and locking cabinets and not telling drivers what they are carrying is a good start, but information is more than what is written down: it is what is known.  
Human beings are social animals who chat and gossip and share things – and this is where the process breaks down.  In Russia last month, the police cracked a gang that had been targeting drivers for many years and was able to identify likely targets by the simple method of buying them a drink in a bar.  Time and again it is apparent from the criminals’ actions that they had detailed knowledge of the cargo being carried and which vehicle it was on.  In most of these cases it was people who passed the information, knowingly or otherwise, that allowed the criminals to target shipments rather than a breach of physical security. 
 
The criminal gangs are not breaking into transport offices in the dead of night and picking the locks on cabinets or breaking into computers.  They are watching, listening and talking.
 
Methods of gathering information
 
Human weakness – Many employees have vices, habits and weaknesses that leave them vulnerable to leverage from an outside party, whether it is talking too much after a drink, dependency on alcohol or drugs, financial difficulties or even just enjoying talking about their jobs too much.  All of these are used by unscrupulous individuals to gain leverage over them, and in the worst case, to blackmail them.  In some cases, the sheer thrill that comes from playing both sides against the middle and no-one knowing is something that can drive employees to pass on information willingly.
 
Disgruntled staff – a member of staff who might feel slighted, unappreciated or overlooked for promotion can sometimes become a threat to the security of the organisation.  People bearing a grudge or seeking retribution will sometimes act against the company’s (and even their own) best interests.
 
Threats – Criminals will target individuals if they believe they have access to the information they need, or are able to get them access.  This was evident in the recent robbery at the secure cash location in Kent where the manager was forced to allow the criminals access.  The use of violence, threats to family and livelihood are all methods that can induce fear in the target and persuade them to allow access.
 
Loose lips – People talk; it is a fact of life. Unfortunately, other people listen and remember.  Talking about your job is normal practice; however, if you occupy a position with responsibility for security or access to information about the movement of cargo, then certain people will listen harder.
 
Social engineering – this is the process used to get someone to give information about their organisation that enables the questioner to gain access to people and information that they would not ordinarily have.  People trust the telephone, especially if the person on the other end seems to know the right things to say and the right names to mention.  This technique has been used to great effect in recent diversion thefts in London.
 
Garbage – ask any tabloid journalist or intelligence operator about the contents of people's bins and you will be surprised at what can be discovered about someone simply by looking through their rubbish.  In the same way, companies who dispose of their office waste insecurely are leaving themselves open to the criminals.  Bills of lading, invoices, emails with contact details, notes on shipments etc. all give the criminals vital pieces of the puzzle when deciding who, what and how to target.
 
Hacking – Not a common threat at this time in the context of freight crime; however, insecure use of IT will become a greater risk as time goes by.  Key logging software, Trojan horses and viruses all represent a clear method for criminals to gain access to information you may consider to be safe.
 
Surveillance – possibly the most commonly used method of gaining information on cargo movements, vehicles used, routes and drop off/pick up/stopping locations.  Smaller companies who have maybe one or two vehicles they use for high value moves are especially susceptible to this type of operation.  In addition, deliveries to locations that deal with one or two specific types of goods also leave the delivering vehicle susceptible to an information gathering operation.  Your driver may not know what he is moving or what the drop off location handles, but you can be sure that any criminal who has done his homework does know.
 
Infiltration – the hardest to detect until it is too late.  Placing someone in a transport company or with access to its premises with no apparent prior record or bad references gives the criminals the ability to access any information there that is not protected.   The finger of blame is most often pointed at the driver as, due to supply and demand, these are the most likely positions to be filled in a hurry and without proper checks.  However, cleaning staff, clerical personnel and warehouse workers are all just as useful to the criminals.
 
Defence
 
No individual system is totally foolproof and a determined criminal can eventually find a way around individual security measures.  However, the more barriers put in their way, the less likely it is that the time and effort needed to breach them will be worth it – this is the concept of “defence in depth”.  Multiple layers and procedures, overlapping and co-ordinated, make it less and less easy for someone to breach your security in an acceptable timescale.
 
That said, as you will see from what I have said above, the human aspect should not be ignored as it provides the easiest access to protected information.  Any physical security processes that are put in place should also take into consideration the possible weaknesses posed by the human aspect and provide processes and procedures to address this.  For example:
 

Solid, reliable vetting procedures

A confidential reporting process for staff to alert security to possible threats and approaches made to them.

Termination of contract process (gardening leave etc.) combined with changing of codes, passwords, lock codes etc. that the member of staff may have had access to

IT security process and auditing

Compartmentalisation of information access

Regular auditing of process

Staff training on the threat and methods

Secure waste disposal

 
This is not a comprehensive list but shows a number of the key components that should be in an information security plan. 
 
Remember, if more than one person knows a secret, it's no longer a secret!