Tim Richards
Posted on 24 Jan 2014

Are your assets tamper proof?

A strong company reputation is hard to build but easy to lose. Exceptional customer service or a strong, identifiable brand identity can create a stellar reputation. Most would agree though, that a good quality product is critical. In the current environment, a company cannot simply sit back and let a product move from design to end-consumer without taking steps to ensure the product is tamper free.

Tampering is generally referred to as the deliberate altering of a product – either subtle alteration of the contents or even the outright theft of the internal product, usually with the packaging left in-tact. Network packages and systems are not immune from tampering. Reliance on ever sophisticated technology has become the norm, but does your company really have watertight systems in place to ensure that it is tamper proof? Losses can have a heavy burden on finances and many technologies are embedded in products which would be extremely costly to replace.

There is no single solution to ensuring that assets are tamper-proof. The issue of security – really useful, complex security (a far step beyond a burglar alarm and a Yale key) – often features low on a company's agenda. It is important to undertake a full review of the product and systems to assess where vulnerabilities may lie. It is just as important to have a frank discussion to identify who the potential tamperer might be. For example, are you at risk from hackers, external interferers or the company's own employees? Each potential tamperer will have a different level of information and knowledge of the risk-asset, and will have a different level of sophistication. It is common knowledge that hackers are getting far more adroit and complex in their methods and yet there is still is little information in the public domain about utilising appropriate security. As well as identifying potential tamperers, it is also important to identify all means of access to the asset. For employees, this may be evident, but not so easy to identify the access from an external threat.

Having faith in your employees is not a replacement for having adequate internal security mechanisms. You must assess the scope of your employees' exposure to the company's assets. For example, do they have unfettered access to all technology and documents? If they do, it would be prudent to control and limit their access to technology and sensitive information. A Global Fraud Report (undertaken by Kroll) reported that 60% of fraud affecting companies in 2011/12 was carried out by employees. When recruiting, make sure all new staff are vetted. Tampering activity can be very hard to spot and you may find the full financial repercussions are evident when it is too late. It is legal to carry out credit, National Insurance and criminal record checks, and all information given to you by an employee should be verified. This won't reveal whether or not your employee is likely to tamper, but at least the relationship can begin with full disclosure. The repercussions of employee tampering can be devastating. An employee at a supermarket in Michigan injected 1700 pounds of packaged beef burgers with insecticide in an attempt to get his supervisor into trouble. Fortunately there were no fatalities, but over a hundred people became very ill. The employee was given a 9 year custodial sentence, but the company's reputation was ruined.

One of the easiest steps to take is to scope tamper-evident product packaging. This is not a new phenomenon. Even relatively recently, legal documents were bound with a wax seal to show that no other person had interfered with the content.  It was commonplace until the 18th Century for tamperers to replace flour with chalk and sugar with sand and resell the surplus. Sadly, this is still common practice in developing countries.

Product packaging has a big job to do. It has to contain and protect the product, as well as sell the brand, communicate and inform the consumer and be convenient. It must ensure that the product is received sterile with no alterations in consistency or chemical balance. When balancing all these characteristics, perhaps it's no surprise that being tamper-proof is not at the forefront of package design.

Security labels are often used, designed to leave no visible residue on the surface. Some labels can indicate evidence through supported technology of any attempt to remove the label. This can alert a company to potential tampering and enable them to make investigations before any major losses have occurred. Some tamper-evident labels are suitable for internal use, which have embedded technology to bring up data such as the repair and service history of the product, as well as any unlawful interference. Plastic seals are often used for food and drink, but it may be worth investigating more sophisticated asset protection for your product. Tampering can be an impulsive action; therefore, the longer it takes and the harder it is for a tamperer to access a product (or a system), the more likely that they will give up and move on.

The Chicago Tylenol case in 1982 is a prime example of when tampering has dramatic effects. Seven people lost their lives as a result of tamperers replacing Tylenol (one of the leading-brand paracetamol products in the US) with potassium cyanide before the end-sale. The case is still unsolved, but resulted in tough legislation tackling tampering in the US. The Pharmaceutical Association of Great Britain followed suit, issuing Guidelines on Security Packaging. The packaging of medicine is now contained in the Human Medicine Regulations 2012, which contains detailed requirements for pharmaceutical packaging.

End consumers are becoming more aware of the issue of tampering and have been subtly educated to look out for warning signs. Most customers know that they should not purchase a glass jar where the popped lid is depressed. Food packaging must be compliant with the guidelines set out by the Food Standard Agency and with the many European Regulations. It is important to ensure that your products comply as, if evidence of tampering is found, it may be necessary to recall all your stock, a measure that can only result in financial loss and a damaged reputation.

Assets are extremely vulnerable during any delivery process. Attacks are becoming increasingly common as organised criminal gangs are targeting lorries carrying high value assets. Vehicles parked in unlit lay-bys and trucks parked with their fuel tanks facing away from the road are key targets. Recent figures indicate that theft of goods in transit is costing businesses in Europe in excess of £6.6 billion a year.

There are a variety of safeguards which companies should consider implementing in order to avoid the significant financial implications of tampering during transit. When contracting a specialist haulage company, it is important to carry out full background checks on the haulage company. Well established, reputable haulage companies are likely to understand the importance of handling valuable goods with care and precision. Companies should beware of people tipping off or bribing security officers and drivers and so it is important to carry out verification checks on the haulage company's employees, for example by checking licences and references of the drivers.

Security of technology can be complex and costly, but there are simple steps a company can take to ensure their systems remain tamper free. Within the office, you should ensure that all network cabling is visible (perhaps by use of clear conduits) and all switches and sockets are displayed in a glass fronted cabinet. This will deter a tamperer from attaching any unusual device to the network and any signs of interference will be evident. Computers holding sensitive information can be housed in glass cases, which keep a record of when the case was last opened. It is also possible to set such a case with a radio controlled alarm, which transmits a silent alarm when the case has been opened unlawfully. Cryptographic technology can also be used to create a tamper-evident layer of protection to documents (also known as an electronic signature).

Most companies embrace the opportunity to share information in cyberspace and many are heavily reliant on this means of promotion. However, companies are hugely vulnerable when utilising the internet. It opens up a company's system to hackers and tamperers who could infiltrate their systems and alter or steal their intellectual property. Hacking is widespread, usually free and very simple to learn. A tamperer can happily interfere with your systems with very low effort in the comfort of their own home, but their actions can have a huge effect. The threat of hacking can be internal as well as external; therefore it is important to put in place internal security measures. The tools of cyber criminals are developing in sophistication and security measures must step up to meet this risk head-on.

Protecting assets is not simply a one-stop shop. There are many means a tamperer can use to cause significant damage to a company, and therefore, different measures must be taken to meet those risks. A company must carry out a thorough risk assessment and talk seriously about how to tackle any identifiable vulnerabilities. Not only will this ensure the protection of a company's assets, but also a commitment to security will impress end-consumers and suppliers.

For more information please contact Tim Richards on tim.richards@michelmores.com