Companies willingly or unknowingly give away 10 times more confidential information than could ever be hacked from a network or stolen from a file cabinet. Employees, from golfing CEOs to helpful admins, cost their companies millions in lost business and fizzled strategies every day because trained business intelligence collectors and analysts take the bits gathered not only from employees, but suppliers, regulators, customers, the media, and even total strangers, and assemble them into accurate hypotheses about a company’s future actions. Then they can decide how to neutralize each possible initiative.
Fortunately, the most practical and cost-effective solution to curb leakage of confidential information is essentially free: implementing an awareness-raising campaign and some information protection policies. No new hardware, software or headcount. Being proactive about safeguarding your sensitive information and understanding how competitive intelligence specialists operate can save your company a ton of money and grief. Here are 10 vulnerabilities and solutions to get you started.
Know what your secrets really are. This is absolutely Number One. Most companies don’t know what information they can or should protect, or for how long. Even senior officers at most firms won’t often agree on what their company’s secrets are. As a result, employees at all levels make their own decisions “on the fly” about what information they can share with acquaintances, at the trade show or on the ‘Net. This makes a company vulnerable to an intelligence attack by rivals who interview as many of their target’s employees as possible to get the whole story.
Sensitive information is not limited to formulas and customer lists. The formula for Coca-Cola is one of the most closely guarded trade secrets, yet who would buy Fred’s Cola? But travel itineraries, for example, are almost bragged about. The extraction and exploitation work something like this: While waiting behind The Lunch Company’s sales person in the registration line at a trade show, The Shark Company’s intelligence collector simply starts complaining about business travel and his hectic schedule after the show. This elicits a macho one-upsmanship of Lunch’s post-show itinerary. That evening Shark’s collector sends a Flash-Urgent email warning his field staff in those cities of Lunch’s planned visit. There’s plenty of time for the Shark team to give their customers fresh objections to Lunch’s product. Two weeks later, Lunch’s sales person has no recollection of the conversation, but also can’t figure out why all his customers got so difficult.
Solution: Management has to determine exactly what the company’s secrets are, and to safeguard them by ensuring every employee is either aware the information is confidential, or has no knowledge of it. Guidelines and training sessions sensitize employees to all the opportunities there are for leaking information.
Compartment information. This means implementing a “need to know” policy for your company’s future plans and major projects. An engineering “team member” at Gillette was prosecuted a few years ago for delivering the complete plans for the Mach III razor to American Home Products prior to the razor’s launch. American Home didn’t bite on the offer and cooperated with Gillette on a sting operation. A nice piece of corporate responsibility, but why did an engineer have access to marketing plans in the first place?
Solution: Compartmenting information can be difficult to implement in today’s open door and open cubicle workplace, and remote workers make the situation worse. Nevertheless, employees can be made to understand that need-to-know has nothing to do with being trustworthy and everything to do with limiting the number of people possessing the company’s complete plan. The fewer targets, the less likely one will be found and possibly exploited by a rival’s intelligence workers.
Track requests for information. Competition drives companies to be generous with information without much regard as to who is asking for it. As a result sensitive information may be too easily released. Few companies catalog information requests beyond calling them sales leads and passing them along.
For example, once a high tech software company began tracking domain names of website visitors, they learned the domains of the top seven most frequent visitors were all owned by one of their largest competitors. Yet they anonymously visited the web site up to 400 times in the 24 hours after every new press release, looking for the slightest snippet of useful information.
Solution: Analyzing inquiries for information, including print, electronic and interpersonal, reveals patterns that signal which competitor watches your every move, and what subjects are of interest. Inquiry analysis also provides an early warning of new competitors sizing up your company. Having a central point for information requests and a hot line for the real strange ones sensitizes employees that the company is an information target. Done correctly, vigilance has no impact on the flow of information to genuine prospects.
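The inquiry analysis described above can be run over ordinary web server logs. The following is an added example, not part of the original article: it counts requests per owning organization in the 24 hours after a press release. The log format, hostnames, ownership table and release time are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: timestamp, visitor's reverse-DNS name, path.
SAMPLE_LOG = """\
2024-03-04T08:10:00 gw1.shark-example.com /products
2024-03-05T09:05:00 proxy3.shark-example.com /press/2024-03-05
2024-03-05T09:06:00 proxy3.shark-example.com /whitepapers/radio.pdf
2024-03-05T09:20:00 nat.sharklabs-example.net /press/2024-03-05
2024-03-05T10:00:00 host7.isp-example.net /press/2024-03-05
2024-03-05T15:30:00 vpn.sharklabs-example.net /careers
2024-03-05T16:00:00 mail.customer-example.org /pricing
2024-03-06T08:59:00 gw1.shark-example.com /press/2024-03-05
2024-03-06T12:00:00 gw1.shark-example.com /products
""".splitlines()

# Constructed ownership table an analyst would maintain by hand
# (for instance from registration records); unknown domains stay as-is.
OWNERS = {"shark-example.com": "Shark", "sharklabs-example.net": "Shark"}

def org_domain(hostname):
    """Last two labels of a hostname (assumes no co.uk-style suffixes)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def hits_after_release(lines, release, window_hours=24):
    """Requests per owning organization in the window after a release."""
    end = release + timedelta(hours=window_hours)
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess
        if release <= datetime.fromisoformat(parts[0]) < end:
            domain = org_domain(parts[1])
            counts[OWNERS.get(domain, domain)] += 1
    return counts

def watchers(counts, min_share=0.5):
    """Owners responsible for at least min_share of post-release hits."""
    total = sum(counts.values())
    return sorted(o for o, n in counts.items() if total and n / total >= min_share)

if __name__ == "__main__":
    counts = hits_after_release(SAMPLE_LOG, datetime(2024, 3, 5, 9, 0))
    for owner, n in counts.most_common():
        print(f"{owner:22} {n}")
    print("watching closely:", watchers(counts))
```

Grouping by owner rather than by hostname is what surfaces the pattern: several unrelated-looking domains collapse into a single organization that accounts for most of the post-release traffic.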
See your Web site as the competition does. Is your Web content too revealing? A wireless company offered enough information, through white papers on their site and a shopping cart for other documents, for a competitor on the other side of the world to copy its latest technology. In another example, entering a wildcard with a spreadsheet extension, *.xls, in the Search window of a home page caused a number of sensitive spreadsheets with past performance and future marketing budgets to fall out.
Solution: Forming a “red team” of employees with customer and competitor experience to review new Website material is very worthwhile. Projecting how competitors might interpret the new content can be a real product saver at no additional cost and very little investment in time. And never distribute internal information through your Website no matter how protected you think it may be. It isn’t.
Monitor blogs, chats and resume sites. No one can fault an employee for seeking greater opportunities by putting their resume on an employment site, or enhancing their professional reputation with discussions or publications on the internet. But a great deal can be learned from an over-detailed resume. Just the fact that lots of resumes from your company pop up on employment sites can indicate employee insecurities within your company, attracting the interest of your rival’s intelligence officer. Compulsive chattering by employees on blogs may or may not leak confidential information, but more importantly such activity flags your employee as a willing talker who can be steered by an intelligence interviewer to confidential subjects.
Solution: Again, a high awareness projected throughout the company that every employee is an information target, and that the company’s success and their personal stock holdings can be seriously impacted with too much exposure.
Make employees feel genuinely valued. Hundreds of interviews with people convicted of leaking or selling government or commercial secrets reveal one motivation they all have in common. It was not money, revenge, or ideology that drove them to leak information, but feeling their work and loyalty were unappreciated.
Solution: Simple expressions of recognition make a powerful tool for reinforcing loyalty, and emphasizing the importance of adhering to information protection rules. After all, no one wants a company that values them to be hurt by competitors.
Follow the money, and then hide it. There are lots of leaks in your supply chain. A competitor doesn’t have to know how many widgets you make if the company supplying items like the cardboard boxes or training CDs brags to a “prospect” about how much he sells to you.
Solution: Every link in your supply chain must agree that transactions with you are confidential and your company cannot be given as a reference. Other “cloaking” techniques can include patenting five things that don’t work for every one that does; creating shell companies to buy land parcels or other large, divisible purchases; or using an intermediary to file public documents such as environmental forms on behalf of the true company.
Everyone signs the non-disclosure. Too often managers sign non-disclosure agreements with customers, contractors or vendors but few people below management level are aware of what the agreement covers or that it even exists. An employee who is unaware of an NDA or what it protects can reveal a great deal to a trained interviewer and it will be very difficult to prove either party guilty of wrongdoing. This is doubly problematic considering today’s heavy use of outsourcing. Today’s contractor could work for tomorrow’s competitor. An engineering firm once hired temporary engineers to complete a new product on time. The temp firm got their engineers from another firm owned by the archrival of the original client. The new product line was dead on the drawing board.
Solution: Joint ventures should be started with bulletproof non-disclosures, due diligence and security briefings for all the employees involved. A control function should recover shared documents, disks, software, presentations, samples, or prototypes at the conclusion of the project. Again, not much investment in cash, just some changes in culture.
Overreliance on technology. Wireless networks at coffee shops are not the place to do business regardless of what type of encryption or password protection your files have. Wireless hot spots are designed to be as open and simple as possible, and there are plenty of tools available to sniff out your login. Actually, wireless anything is risky. Perhaps you have booked a major sales meeting at an offsite location with all the multimedia bells and whistles. Unbeknownst to you, a competitor is sitting in her room at the hotel, sipping coffee in her bunny slippers, listening to your entire conference because the presenters at the “closed” meeting are using wireless microphones. The signal can carry 100 to 300 yards. Illegal? Absolutely. Done every day? Absolutely.
Solution: Again, awareness. The decision to use anything wireless needs to be balanced for convenience, leakage potential, and the value of information being sent over the connection. Also, keep camera phones and keychain hard drives out of sensitive areas. And unless you encrypt them, “smart” access cards and RFID chips are a really dumb idea. They can be downloaded with equipment available on eBay, and a simple “brush by” in a crowd. You want the world at your doorstep but not in your laboratory.
Innocence. Everyone wants to believe the world is a nice place. And like most nice places the world has bad neighborhoods. Territory and ideology were long ago replaced by market share as the top interest of nation-states. A country that can’t compete for markets has little influence on the world stage, and a country that can’t support a healthy population with food and infrastructure is very vulnerable to internal strife. Since the end of the Cold War thousands of government trained intelligence officers switched their focus from political success to the economic success of their countries. If your products involve high tech, construction, health care, natural resources, biotech, utilities of all kinds or food production, to name a few, they are “national interests.” You are on their radar.
Solution: Getting tired of hearing this? Awareness. There is a whole set of precautions that should be taken by business people traveling abroad where local companies often work hand in glove with their state intelligence services for the national good. From pulling hard drives out of your laptop left in a hotel, to being just a little skeptical of “new best friends” at the fancy embassy cocktail party, the biggest information leaks start and stop with people, not hardware or software.