The Low Cost Technology That Could Collapse a Business
- Simon Ball

- 7 days ago
Why smart glasses, hidden cameras and everyday capture devices are now an insider risk issue

This is the first monthly blog from Insider Threat Limited®, so I wanted to start with something that I believe businesses need to take far more seriously.
Low cost personal technology is changing the insider risk landscape.
I am not just talking about Ray-Ban Meta glasses, although they are probably the best known example in the news at the moment. I am talking about the wider category of smart glasses, camera enabled eyewear, hidden camera pens, USB charger cameras, mini wireless cameras, small action cameras, voice recorder pens and other everyday devices that can capture sensitive information with very little effort and cost.
Some of this technology is designed for perfectly legitimate use. Some is marketed more directly towards covert recording. Either way, the risk to business is the same. The capability is now cheap, accessible, discreet and improving quickly.
By way of introduction, I am Simon Ball, Director and Founder of Insider Threat Limited®. My background is in Defence, policing, intelligence, cyber security, governance and insider threat. I have spent more than 20 years working in environments where information, people, trust and behaviour all matter. That experience now defines how I view insider risk.
At Insider Threat Limited®, we look at insider risk through a human focused intelligence lens. That means we are not only interested in cyber security controls. We are interested in people, their behaviour, organisational culture, welfare pressures, reporting confidence, leadership visibility and the small warning signs that often appear before major harm occurs.
This monthly blog will cover a wide range of themes connected to insider risk, current and emerging threats, the wider security landscape, and the evolving challenges facing UK and Western businesses today.
This is a longer first blog than I originally intended, but I make no apology for that. Some topics need more than a short post or a few headline points, and this is one of them. The risk is, in my view, still underestimated by many organisations. If businesses are serious about protecting their sensitive assets, people and reputation, this is exactly the type of risk that deserves proper discussion.
I wanted to start here because I think this particular issue exposes a major weakness in how many organisations still think about security.
Businesses are spending significant capital on cyber security technology, but a determined individual with a low cost recording device may still be able to sidestep many of those controls and capture what matters most.
Why this deserves an open discussion
Before going further, I want to be clear about why I think this subject should be discussed openly.
The risks associated with smart glasses, hidden cameras and small recording devices are not secret. The products are advertised openly. They are searchable online. The broad methods of misuse are not difficult to imagine. With modern AI tools, malicious actors can also obtain explanations, scenarios and tradecraft that would previously have required experience, training or access to restricted professional knowledge.
The world has changed.
In the past, security and law enforcement professionals (myself included) relied on the idea that certain tactics, techniques, equipment and procedures were known mainly by trained specialists, hostile states, organised criminals or sophisticated insiders. That assumption is becoming weaker every year.
Businesses now need to think more like Defence and national security organisations. Not in a theatrical or unnecessarily restrictive way, but in the sense of recognising that information will be captured through human behaviour, physical access, observation and simple technology, as well as through network compromise.
That is the point of this article. It is not to assist misuse. I genuinely want to help make readers, executives and security professionals aware of the risk and encourage proportionate mitigation within business and corporate environments.
This is not just about Ray-Ban Meta
Ray-Ban Meta glasses are a useful example because they have made smart glasses more socially acceptable. They look like normal eyewear, they are linked to a trusted consumer brand, and they sit in that dangerous space between convenience, novelty and data capture.
But this issue is much broader than Meta.
Oakley Meta HSTN shows the same direction of travel in performance eyewear, while lower cost smart glasses and discreet recording devices are now openly available through mainstream online marketplaces. The real shift is not one specific product. It is the normalisation of a capability that would previously have cost thousands of pounds, or been limited to specialist surveillance environments. Now such devices are available on Amazon for £20.
A few years ago, someone wearing camera enabled glasses in a workplace may have stood out. In the next few years, it may not stand out at all. That is where the security problem begins.
The real risk is what becomes visible and audible
Most businesses still think about sensitive information as something stored in a system. That is true, but it is not the whole picture.
Sensitive information also appears on screens, in meetings, on whiteboards, in board packs, during calls and through screen sharing. It appears in warehouses, canteens, clinics, laboratories, classrooms, legal offices, design studios, control rooms, finance teams and executive spaces.

Once information is visible or audible, it can be captured outside the corporate system.
That is the uncomfortable reality.
A person does not always need to bypass technical controls to access valuable information. They may only need to be physically present, trusted, overlooked or underestimated.
This is why I view low cost capture technology as an insider risk issue rather than just a technology issue. It cuts across the entire business structure.
Whether the device is worn, carried, placed on a desk or built into an everyday object, the risk is the same. If sensitive information is visible, audible or accessible, it may be captured outside the monitored digital environment.
You get the point.
How this could damage a business
The obvious risk is theft of information, but the real business impact is wider than that.
Imagine discovering that someone had quietly recorded your sensitive source code, technical architecture, product designs, financial forecasts, pricing models, client information, personal data, medical records, supply routes, security procedures, internal investigations, legal advice or even board level discussions. A single short recording could capture enough of this and place it beyond your control.
That type of exposure can create a commercial nightmare. It could compromise critical IP, assist a competitor, damage a sensitive client relationship, undermine a merger or acquisition, reveal security weaknesses, damage market confidence or trigger regulatory scrutiny.
There is also a more personal and equally serious risk.
A recording of an executive conversation, a sensitive HR matter, a disciplinary issue, a private negotiation, a heated leadership discussion or an inappropriate comment could be weaponised. It could be leaked, edited, misrepresented or used for coercion, extortion or reputational harm.
This is where low cost technology becomes a high impact business risk.
The device may cost less than a business lunch. The damage could run into millions.
Surely my cutting edge cyber tools will solve this?
This is the part that some IT and cyber security specialists may disagree with, but I think it needs to be said clearly.
DLP, SIEM and UEBA technologies are important, and I have seen this in action myself. They can identify unusual downloads, suspicious access, abnormal data movement, policy breaches, endpoint behaviour and network activity. A mature organisation must absolutely use appropriate technical controls.
However, the real issue is that adversaries already know this. There it is. I said it.
They understand they are being monitored on corporate systems. They know what activity is likely to be tracked, why it is tracked, and what will be reviewed. A malicious insider may have already read your policies, understood your processes, used open source material and adapted their behaviour accordingly.
The problem is that wearable capture technology does not behave like a traditional data loss event. Unlike a USB data dump, mass download or obvious exfiltration attempt, it may not trigger a clear alert. A malicious actor could drip feed information over a prolonged period, capturing small amounts during normal business activity, or wait for a targeted event where they know sensitive information will be visible or discussed. That may be a planned briefing, a board update, a project meeting, a site visit, or routine business as usual (BAU) access to sensitive systems. In that scenario, the insider is not always defeating the control. They are using legitimate access, at the right moment, with a device the organisation has failed to challenge or identify.
That does not make cyber security redundant. It means cyber security is only one part of the answer when it comes to insider threats.
The mistake is assuming that because an organisation has invested heavily in technology, the information itself is safe. A determined and educated insider does not always need to hack the system. They may only need to observe it.
Why this matters regardless of intent
Whether the recording is deliberate or accidental, the outcome for the organisation can be the same.
Sensitive information may still be exposed, intellectual property may still be lost, confidential discussions may still be compromised, and regulatory or reputational consequences may still follow.
That is why organisations should focus less on trying to predict intent and more on reducing opportunity and improving culture. Clear policies, sensible controls, staff awareness and good security culture all help reduce the likelihood of information being captured inappropriately, regardless of who is involved or why it happens.
Working from home makes this harder
Hybrid and remote working make this issue even more complex and create a serious challenge for security professionals.
In an office, an organisation can apply some level of control. It can manage meeting rooms, visitor access, signage, clean desk expectations, secure areas, physical layouts and rules around personal devices.

At home, that control is much weaker for obvious reasons.
Sensitive calls may take place in kitchens, bedrooms, shared accommodation, cafés, trains or public spaces. Screens may be visible to family members, visitors, smart home devices, personal cameras or other recording equipment. People may use personal technology nearby without thinking about what is visible or audible.
Is Siri, Alexa or another smart speaker listening in the background? Is a personal camera active nearby? Is a sensitive screen visible to someone else in the room?
This is not an argument against working from home. It is an argument for treating remote working as a real security environment.
The digital revolution has moved business information into more places than ever before. The security model has not yet caught up.
What businesses should do about it
The answer is not panic. It is proportionate control.
Businesses need to recognise that low cost capture technology is now a real part of the insider risk landscape. Once that is accepted, the response becomes much clearer. It can be dealt with like any other security risk.
The starting point is strong policy. Organisations should have clear rules on the use of smart glasses, camera enabled eyewear, personal recording devices, hidden cameras, wearable cameras and other capture technology in the workplace. This should apply across office, operational, client facing, sensitive and remote working environments.
The wording should not be buried inside a generic acceptable use policy. It should be explicit enough that a normal member of staff understands what is allowed, what is restricted and what is banned.
The second step is training. I know training is often the old answer to every security problem, but in this case it genuinely matters. People cannot follow expectations they do not understand. Training should explain the risk in plain English and use realistic examples that people recognise from their own working environment.
This should not be delivered in a way that makes staff feel accused or mistrusted. It should be delivered as part of normal positive security culture. The message should be simple: this technology is now common, it is out there, and we all have a responsibility to protect our business information and people.
The third step is physical and procedural control. Sensitive meetings should have clear expectations around personal devices. Some rooms may need a no personal device rule. Some environments may need visual checks. Screens should be positioned carefully. Whiteboards should be cleared or covered when not in use. Printed material should be controlled. Visitor and contractor rules should include wearable and recording technology.
The fourth step is reporting. Employees need a trusted way to report security concerns. If someone notices suspicious behaviour, potential security breaches or anything that appears unusual or out of place, they need to know where that concern should go. More importantly, they need to believe it will be handled properly.
Reporting confidence is key to developing positive security culture. Without it, warning signs remain trapped at workforce level and never reach the people who can act.
The fifth step is offboarding. This is a major insider risk point.
When someone resigns, is dismissed, is under investigation or becomes disgruntled, the risk profile changes and a clock starts ticking. I'll quickly caveat this by saying that this does not mean every leaver is a threat. Most are not. But organisations should be honest that intent, motivation and opportunity may shift during notice periods or employment disputes.
Effective offboarding should include immediate and proportionate control of access, devices, data, meetings, shared drives, privileged accounts and sensitive knowledge. It should also consider what the person can still see, hear or attend during their remaining time in the organisation.
Too many businesses are slow to respond to this and focus only on disabling accounts at the end of employment. By then, it could be too late.
Leadership needs to own this
If you have ever read a security framework, certification standard or governance guide, you will know that almost all of them emphasise leadership and top down ownership. There is a reason that message appears so often. Security professionals sometimes joke that you cannot open a framework without finding the words leadership commitment somewhere near the beginning, but the reality is that it matters. Security culture, priorities and behaviours are set and owned from the top.
This issue cannot sit only with IT.
IT teams will naturally focus on systems. That is their role. But this risk sits across the whole organisation. It is even more important for businesses that are not predominantly IT based, where many staff may work in operational, physical, customer facing or site based environments.
This is why insider risk needs joined up governance.
A single department will not see the full picture. That is usually where the weakness sits.
My view
My assessment is that low cost personal capture technology will become a significant and increasing threat to UK and US businesses over the next decade.
I believe this for several reasons:
- The technology is already small, cheap and accessible.
- AI will make captured material easier to search, summarise, translate, edit and exploit.
- Hybrid working will continue to place sensitive conversations and information outside controlled environments, making physical security measures harder to enforce and easier to circumvent.
- Employees will increasingly own wearable technology that can capture audio, video and contextual data both intentionally and unintentionally.
- Businesses will continue to invest heavily in cyber tools while underinvesting in cheaper and often more effective human, physical and behavioural controls.
- Hostile actors, criminals, competitors, malicious insiders and those acting on behalf of foreign states will continue to look for the easiest route to valuable information in the UK and Western aligned countries, particularly as geopolitical tensions increase.
In many cases, that route will not be through the firewall. Modern security technology is often highly advanced and, in many organisations, genuinely difficult to penetrate through traditional technical means.
This is the part many organisations find difficult to accept. When strong cyber controls are in place, the path of least resistance may be through the person, the environment and the culture, as it always has been.
That is the uncomfortable truth.
A final thought
Businesses do not need to ban every new technology in a blind panic. But they should be looking at it seriously, acknowledging it and understanding where it creates risk.
The practical answer is awareness, policy, proportionate control, trusted reporting and joined up governance. Organisations need to understand what is entering their environment, what information is visible or audible, and how quickly risk can change when trusted access is combined with personal capture technology.
This is not about paranoia. It is about the reality of today’s technology and today’s insider risk.
The workplace has changed. Technology has changed. The threat landscape has changed. The security mindset needs to change with it.
At Insider Threat Limited®, this is exactly why we focus on human, organisational and security signals. Insider risk is not only found in cyber security controls. It is found in behaviour, culture and the everyday environments where people interact with each other and sensitive information.
If this article made you think differently about the technology already entering your workplace, I would genuinely appreciate your support.
Please consider signing up for our monthly blog notifications (below), following the Insider Threat Limited® LinkedIn business page, sharing your thoughts in the comments and passing this article on to anyone responsible for security, governance, risk or leadership who may find it useful.
These conversations matter deeply to us, and every share, comment and discussion helps raise awareness of insider risk and the challenges UK and Western aligned organisations face today and tomorrow.
References and further reading
This article draws on open source product information, UK regulatory guidance, established insider risk guidance as well as our own experience. Product examples are included for awareness to demonstrate the increasing availability and normalisation of personal capture technology.
Ray-Ban Meta AI Glasses, official product page.
Oakley Meta HSTN, official product page.
ICO, Employee monitoring: is it right for your business? Use to support policy, privacy and workplace monitoring considerations.
NCSC, How to secure your online meetings. Use to support the working from home, online meeting and screen sharing risk sections.
NPSA, Insider Risk Guidance. Use to support the wider insider risk, governance and organisational security argument.
CISA, Insider Threat Mitigation Guide. Use as the supporting US reference for structured insider threat mitigation.