From the top of the Gherkin building in London, Crispin Sturrock points out an anonymous-looking office block in the swirling snow below. “There’s a device in there,” says the chief executive of White Rock Defence Systems, an information security consultancy that helps companies protect themselves against spies. “They’re not clients of ours, but whenever we scan for transmissions in nearby buildings, we pick it up. It’s been there for ages, just streaming information out.”

The building in question is bugged with an electronic device transmitting information about one of its tenants. In the era of WikiLeaks, it is tempting to view all leaks as news headlines. But in general, corporate leaks tend to be of interest only to a very small group of people – an organisation’s competitors or potential buyer. “The reasons people engage in competitive information gathering are usually financial gain and leverage,” says Mr Sturrock.

Some cases of corporate espionage have, of course, made it to the news pages. In 2006, Hewlett-Packard was investigated in the US by the House Committee on Energy and Commerce, the California attorney-general’s office and the Securities and Exchange Commission for spying on its board members’ e-mails and telephone records. It led to a number of resignations. And in a lawsuit filed last year, Starwood, the hotel chain, alleged that former executives had left the company to join Hilton, the hotel group, armed with confidential information. Hilton says the allegations are without merit.

Mr Sturrock says: “High-profile cases are very few and far between. Ideally, the competition should never know you have spied on them because it ruins your chances of doing so in the future.” Moreover, the information might not be put to use immediately. If the spy is smart, he says, they “might be working to a five-year plan. It’s like poker. You don’t win every hand. Rather, you play the game until the jackpot gets big enough.” The jackpot can be phenomenal – tens of thousands spent on corporate espionage can result in a payback in the millions.

“Unfortunately,” says Rob Pope, an ethical hacker for the digital security company Vigilante Bespoke, “people tend to find out after the fact rather than before.” Your company may have lost a string of bids that it really should have won or your competitors may be demonstrating an uncanny ability to pre-guess your launches. Or a tip-off could come from a loyal customer who has been approached by a competitor who knows too much.

Competitive intelligence gathering ranges from entirely legal to wholly illegal. On the one hand, talking someone into divulging information or putting pieces of information together in the right way is almost certainly legitimate. And on the other, bugging a boardroom or hacking into e-mails is likely to be criminal.

If your suspicions are aroused, it might be time to investigate using such measures as sweeping sensitive rooms for bugs or adding traps to a database. “You can seed your database with information which, if acted on, will alert you,” says Phil Beckett, director of disputes and investigations at the corporate investigators arm of Navigant Consulting. He suggests planting a bogus contact that is in fact an e-mail address you have set up.

Human fallibility may be the most vulnerable spot. Basic bugs sold for as little as £100 ($155) can be planted in a coffee room. Or a spy may befriend a junior member of staff with access to high-level information, such as a director’s PA.

Mr Beckett says that once you know a leak is occurring and what information is being leaked, you can usually work out where it is coming from. “When it’s a known leak, we establish a sphere of influence and knowledge. Who knows this information or knows the people who do know – you draw a sort of Venn diagram. Then you narrow it down to a small group of individuals. That way you’re not on a fishing expedition. Once you’ve done that, you often look at the relationship data. Who’s e-mailing who – and what are their diaries like?”

There are other ways to search too. Document tracking systems allow you to see who is looking at, or altering, important documents. Most devices create a time stamp whenever a USB drive is inserted. Or an employee might be acting strangely. “We had one person who came under suspicion because she was logging-on on Saturdays,” says Mr Beckett. “She was actually hiding a fraud and doing it at the weekend because she thought it was more suspicious to do it while she was working. But doing it at the weekends alerted us.”

In a lot of cases, however, says Mr Pope, the information simply goes out via private webmail accounts. While these are encrypted by default, a company could note suspiciously large attachments being sent out. Moreover, he adds, there are often surprisingly unsophisticated ways to circumvent high-tech security measures. “I worked on one case where the files in the database couldn’t be saved. So the person in question was viewing each page and taking screenshots, then e-mailing them out as JPEGs.”

Mr Pope adds that a leak may not even be from directly within your business. “You have to be very careful about rushing to conclusions. We looked at one company and the leaks were actually coming from the accounting firm that was auditing the business.” Similarly, says Mr Sturrock: “It could be a third-party location. If companies book off-site meetings, it is very easy to find out where and when.”

Whatever the case, says Mr Beckett, the timing of your pounce can be a tough call: “Obviously, you’re losing valuable information. But stopping something straightaway may not be ideal from an investigative viewpoint. You need to secure the evidence and capture e-mails and PC records.” Mr Sturrock says: “If we find a device, we can kill it, but the company in question may want to find out who put it there or feed it disinformation or set a trap. To take an obvious example, if a device needs its batteries replaced, someone’s going to do it, and catching them in the act may lead you to a competitor and help you build a case.”

Catching a culprit is not the end of the matter: there is the vexed question of what to do. The answer tends to be nothing public. Mr Beckett says: “I often see people putting together evidence in order to get an out-of-court settlement. They take a commercial and pragmatic viewpoint because reputationally they have to. It’s almost inevitable that it will never go to trial and an agreement will be reached behind closed doors.”

Mr Pope points out that if the guilty party is an employee, they may get away with it entirely. “The way it works out is that the company usually wants people to leave quietly and without a fuss.” Ironically, this can mean that the guilty party gets a good reference and a pay-off.