Principles of corporate security and intelligence

Updated: Aug 24, 2021

By Oronzo Brai

Under the rule of law, and especially in Italy, whatever one may think, the private party, whether a citizen or a legal person, is delegated only the possibilities of passive defense (we are speaking of the principle here, not to be confused with the definitions of passive and active defenses of infrastructures). Briefly and superficially, this means that the judgment and repression of criminal acts belong exclusively to the State. Translated to a pragmatic level, the company can move before the act of sabotage, while the State moves after it has happened.

There are obviously exceptions: for the company, there are protocols for managing emergencies and crises after the event (business continuity and crisis management), while for the State there are intelligence activities before it happens. To stay practical, however, it is useful to use this temporal distinction.

For the company, acting first means applying principles such as forecasting, prevention and deterrence. These principles, it is important to remember, apply not only to physical safety but also to cyber security.

Forecast: under this principle fall all those activities based specifically on intelligence, capable of producing precise assessments of the potential threats not only to infrastructures, but to all corporate assets, including cyber infrastructures and the brand.

These activities should take a broad view (strategic, we would say, and over the medium to long term), facing both outwards and inwards, thus also, and above all, defining the weak points of the defensive perimeter.

The outward gaze is today the weakest in Italy, in that most companies, even the largest ones, lack specific intelligence units in charge of monitoring contexts and potential threats: that is, there is no staff who constantly keep their senses focused on the impact that the company and the brand have on all stakeholders, including territories, ideologies, the environment (we have talked a lot about anarcho-insurrectionalism, but to it are added the extreme fringes of eco-environmentalists, to cite just one example among many), society, politics, etc.

The constitution of these units, and the presence within them of specialists able to monitor also, and above all, the deep and dark web, are a sine qua non for giving companies the ability to move in all contexts within a certain framework of safety and efficiency.

Prevention: a principle that we could also define as taking weapons away from the enemy.

Many of the attacks on companies, regardless of their origin, rely on weapons literally provided by the weak points of the organization, its processes and its corporate culture. Prevention is carried out primarily through information security, a concept that should never be read from the cybernetic point of view alone, but according to the principle of need to know. Like fraud, sabotage too is potentially based on information that goes outside, voluntarily or not.

This means that every business should wisely manage internal access to information, ensuring, especially in “hot” periods such as those of crisis and layoffs, that it does not end up in the hands of those who do not need it. In this sense, corporate governance must learn that even the location of a single banal control unit is dangerous information if open to prying eyes. Under the same principle we can also place brand reputation and, adjacent to it, psychological operations, also called psyops or, more trivially, propaganda.

Concepts such as sustainability and the green economy, far from being mere abstractions, also respond to this idea: they serve to increase the positive reputation of the company in the eyes of the population, stemming local and global frictions and weakening and isolating the threats of the most extreme fringes. To give a trivial example, the participation of many brands in donations and support for the health system during the current pandemic crisis has a double value: on the one hand, certainly, that of contributing to public welfare; on the other, that of advertising (of course, we do not use the term with a negative meaning) the positivity of one's brand and one's actions. It means, in substance, that communication is among the prevention measures of fundamental importance to the company, both externally and towards employees. It is surprising, nevertheless, that security functions often fail to recognize this importance.

Deterrence: under this principle fall two concepts that are more complicated than they seem, linked to active and passive defenses.

We could say, again superficially for the sake of brevity, that these two types are linked to the consequences they should generate: passive defenses are those whose task is to make the attack difficult and inconvenient, because of the energy and resources wasted relative to the result obtained; they affect a sort of balance between the “skills” and resources available to the hostile element and the result it can obtain. In practice, the greater the efficiency of the passive defenses, the greater the ability and resources the attacker must have.

This has consequences for the company: on the one hand, if two young people (without any military or paramilitary competence) with a Molotov cocktail manage to interrupt the services of a company, it follows that it is obviously badly defended; such an event has consequences that go far beyond the economic loss of materials and interrupted services, inasmuch as the weak point of the company, its soft underbelly, has been widely exposed, and a single attack, especially if trivial and simple, could call forth a flurry of them. On the other hand, a company that wants to avoid such direct and indirect losses would inevitably have to invest in efficient passive defenses.

Active defenses (e.g. surveillance systems) serve a slightly different deterrent purpose, which responds to the principle that, however effective the hostile event may be, its inevitable consequence is the identification of the actors involved. This principle is valid in physical security, but even more so in the cyber domain, where penetrating a computer system is simpler than doing so without leaving a trace. These defenses also affect what we could define as the budget of the hostile action, that is, the complex system of costs and benefits planned by the enemy. The purpose of deterrence is to tip that budget entirely in favor of whoever defends against those who "besiege". The higher the costs (both in terms of resources spent on the attack and in terms of consequences for the hostile element even in the event of a successful attack), the less likely the attack is to happen.

In conclusion: the problem of double asymmetry

Set out in this way, the principles on which defense against acts of sabotage and terrorism should be based might seem simple. They are not. Italian companies already suffer from a lack of investment in security (both security stricto sensu and safety), especially in the segment of small and medium-sized enterprises. On top of this defect, which we would call “genetic”, comes the complexity of the double asymmetry: on the one hand the asymmetry of threats, understood as the extremely varied spectrum of hostile events that may arise; on the other, the asymmetry of corporate assets.

The third millennium sees companies exposed on multiple levels, not least the cyber one. However, remaining within the more purely physical scope of defense, we have already seen the example of attacks on corporate fleets, a reality that can hardly be protected by deterrence alone. In parallel, another example is that of multi-utility companies, the vast majority controlled by territorial entities, which have an infinite number of microstructures that should be adequately protected and which, de facto, have inefficient (when not non-existent) passive defenses and, to say the least, antiquated active defenses (the writer speaks on the basis of assessments carried out on the ground).

The answer to these problems can only be just as complex, and must inevitably pass, as already seen in a previous paper, through more budgeted resources and a cultural renewal of corporate governance's vision of security, which can no longer be considered a mere cost incurred for compliance, but an investment in support of the business and of brand reputation, integrating communication and intelligence with the more traditional tools of the security functions.

By Oronzo Brai, Employee of the Guardia di Finanza (Financial Police), Official Member of IPO Section Italy

