Security Expert Interview Series: Hannu Huttunen

If you are wondering how companies can avoid the substantial cost of industrial espionage and protect their businesses, read this interview with Hannu Huttunen. Hannu is a Security Advisor specializing in corporate security, risk and continuity management. He has over 28 years of professional experience in areas ranging from security intelligence and executive protection to corporate espionage prevention and investigation and personnel security. His answers to our questions follow in full.

1. Thank you for joining us Hannu. Can you tell us a little bit about your experience with corporate security, risk, and continuity management?

Thank you, it is a pleasure to be interviewed by the Swiss Cyber Forum. This is a long story. I came into the security business nearly 30 years ago through the physical security sector, and more particularly executive protection. Back then there was no official corporate security training in Finland, and everything related to corporate security was basically learned from networking and by doing things hands-on, in practice.

I was very lucky to get two very good mentors in the very early stages of my career, who had experience from working in government security and corporate security, and who introduced me to corporate security and intelligence work.

So, it was an easy career transition from executive protection into corporate security, since in many cases executive protection happens in a corporate environment and you get a very good understanding and hands-on experience of what security measures are required to make a corporate environment secure, what works and what does not, and what kind of crime is targeted at companies. These are skills you cannot learn in theory and without hands-on doing.

During my years in the security business, I have received different types of security training from the private sector and government sector related to corporate security, corporate espionage prevention and investigation, security intelligence, private investigation, information security, executive protection, etc. And of course, I have done those things in practice.

I used to own and run a security consulting and risk management company for over 12 years, which was licensed by the National Police Board. I was consulting on corporate security, doing corporate espionage prevention and investigation, and consulting on risk and continuity management.

At the same time, when I was running my security company, I also worked for 11 years as a teacher in the safety and security training program at a local educational institute, teaching corporate security, risk and continuity management, and information security.

Currently, I am offering services in corporate security, risk and continuity management consulting, and corporate espionage prevention and investigation. I am a hands-on person and love to do things in practice.

2. Looking back at your work in this area, can you summarize for us why continuity management matters?

In today’s modern society, companies face different types of risks and threats than, let us say, 10 years ago. Those risks and threats could in the worst-case scenario be the reason for a company ceasing operations following its inability to manage its continuity.

So, understanding and knowing how to prepare to manage those risks and threats by optimizing them to an acceptable level is vital for companies for their existence and continuity. When you are correctly prepared to face risk and threat realization, your chances of continuing to operate your business normally are much higher than without preparing. So, the consequences of neglecting continuity management can be severe.

I like to use the term “optimize” since as we know it is impossible to remove all risks and threats but optimizing them to an acceptable level is something more achievable.

3. We know that you also have experience with corporate espionage prevention and investigation. Although espionage can happen anywhere, what industries are at the highest risk?

At the highest risk of corporate espionage are the hi-tech companies that are involved in research and product development of new technologies, bio- and medical research and development, and of course companies developing defense and military technology. As we know the development of new technologies is very expensive, so it is a lot cheaper to steal them from the original innovator.

Also, the startup companies are at risk, since they have limited resources to protect their innovations, which often are related to the development of new technologies. When the existence of the company, startup or not, is based on one innovation and when it gets stolen, the future is not that bright for the company.

We know that among the biggest actors in the corporate espionage scene are certain foreign intelligence agencies, and one of their missions is to improve the competitiveness of domestic companies. With basically unlimited resources, they are a real threat that should be taken seriously. So not only the competitors are after your innovation, but also foreign intelligence agencies.

The costs of corporate espionage are huge for companies and countries. For example, it is said that Germany is losing yearly 50 billion euros because of corporate espionage and nearly 70,000 jobs in Germany are directly threatened by industrial espionage.

The study of the Institute for Criminal Law and Criminology at the University of Bern from the year 2020 says that one-third of the Swiss companies surveyed stated that they had been victims of industrial espionage at least once. So, industrial espionage poses a serious threat to Switzerland.

4. What are the most common reasons why the majority of organizations do not report cases of industrial espionage?

Normally there are two reasons for that. One is the fear of realization of image and financial risks if industrial espionage comes into the public domain, and ultimately it will do more harm than good. Who would want to work with a company that has not taken corporate security and industrial espionage seriously?

The second is that companies have not noticed industrial espionage, because they do not have effective and working corporate security practices and guidelines. They can lose confidential information daily for months, even years, and not notice that, and at the same time lose their competitive edge.

5. How can companies avoid the substantial cost of industrial espionage and protect their businesses?

The best way to avoid the substantial cost of industrial espionage and protect the business is to invest in professionally managed corporate security. Either hire someone on a permanent basis to work in corporate security, or use a knowledgeable corporate security advisor on a project basis, or hire him to work a few days a month on corporate security, which is sometimes more sensitive than hiring someone on a permanent basis.

Unfortunately, in my experience, in some cases companies think they know by themselves how to do effective corporate security and try to do it by themselves to save money.

The responsibility for corporate security is given to someone inside the company who does not have the needed skills and mindset for security. In addition to professional knowledge, corporate security personnel need a correct mindset. They must think like a corporate spy but have different morals. If you do not have the ability to think like a criminal, you will not understand how criminals find opportunities to commit crimes, know where the real risks are, and how to prevent the realization of risks.

Also, sometimes companies have certain misconceptions about what corporate security is, and it is often seen only as cybersecurity or IT security, and it is therefore thought that if those are OK, the whole of corporate security is also OK.

6. What has been the most important lesson you have learned in 2020 through your work in information security?

It seems that some companies do not understand the risks and threats they face every day well enough until they become victims. Corporate crime, no matter what it is, is the new norm in today’s business world, and in many cases, it is pure luck if you have not been a target of it yet.

It is always cheaper to invest in corporate crime prevention than to pay the costs of damages after a crime.

7. What do you predict to be interesting trends in information security over the next 3 years?

Current signs show that international cybercrime is increasing in different types of scams and cyber-espionage targeted at organizations. Different scams involving cryptocurrencies will also increase. Also, with the increased use of IoT devices, their use for crimes will probably increase.

8. What are your 3 most important go-to sources of information when you are stuck?

When I am stuck, my network of international security professionals is my main go-to source of information. I can have conversations and sparring sessions in full confidence with my network, and it is like having the world’s largest library of information in use. That information never gets outdated. I also use different databases as sources of information.

9. If you could give your 23-year-old self just one piece of career advice, what would it be?

Keep your knowledge up to date! To do that, read, network, and get hands-on experience to become street smart. This business is all about being able to do things in practice.