I Spy Your Company Secrets

By John J. McGonagle, Jr., and Carolyn M. Vella

Case Studies
In many cases, what is called theft may actually be the consequence of effective active CI against your company by a competitor. In some cases, your firm may even be placing competitively sensitive information in a nice, neat package, without the need for your competitors to exert any real effort to piece it together. The following examples, based on real cases (though all of the names are fictional), illustrate how intelligence can be gathered about any company and what countermeasures can prevent it.

Burger wars. Every time Big Rick’s Burgers launched a new product, its executives were distressed to see a major competitor, Little Joe’s, launch a similar product shortly before and for a few cents less. After this happened three times in a row, Big Rick’s executives became convinced that these occurrences were not coincidental and that a very serious breach of corporate security needed to be identified and stopped. At this point, no one knew whether it was a disloyal employee or a security hole in the computer system.

Senior management called in corporate security personnel to investigate. At the CIO’s suggestion, the competitive intelligence unit was also called in to run a parallel investigation. As it turned out, a loophole in the franchise agreements allowed an unethical franchisee to play for both sides, legally.

CI found these key facts to explain what was happening: New product announcements were sent to all franchisees. The announcements were not marked “confidential” because everyone assumed this was implicit and thus unnecessary. Franchise rules contained a blanket prohibition on owning competing franchises, but a handful of “legacy” franchises from the company’s early days were not subject to this prohibition. Among the holders of these legacy franchises, research disclosed that two also held Little Joe’s franchises.

When one of Big Rick’s CI analysts called some of the legacy franchisees, she learned that one was sharing the information with Little Joe’s because he felt loyalty to both sides and stood to benefit from transmitting the information. The franchisee explained that he was not doing Big Rick’s a similar favor because Little Joe’s communications to its franchise holders were all explicitly marked “confidential.”

How could this have been avoided? When a company disseminates information to third parties, whether they are franchisees or other parties, there is always the risk that the information will get disclosed beyond its intended audience, which might put it in the hands of competitors. There are a few proven steps that can minimize those risks:

First, the company should label all of the materials as “company confidential – not for redistribution or for public release,” or “not for release before…(a specified date).”

In addition, the company should review its distribution list on a regular basis to ensure that it includes only persons who should receive this type of information. If the company has someone else, such as an advertising company, make the distributions, then someone from the company should review the list.

If you are the person charged with that task, what are you looking for? You are looking for individuals who are not associated with the proper recipients, such as journalists who have sent address changes when they went to work for competitors. You may find people or companies that no longer need the materials. Removing all such names increases protection while decreasing costs.

Any competitively sensitive distributions to groups or persons with whom the company has regular business contact should be reviewed in legal terms. You should ask for proof that those receiving the distributions have written agreements with the company concerning how and when they use these materials. If recipients cannot produce the documentation, the company should either withhold the materials or get the recipients to fill out the requisite agreement forms.

You or the appropriate contact should regularly remind persons and companies receiving such distributions of their obligations with respect to the materials. Do not assume that they recall the terms of what they or their predecessor in that position signed a few years ago.

The job interview. A chemical engineer, Mr. Jiminez, faced the prospect of almost certain layoff due to upcoming downsizing. After sending his résumé to several companies, he was contacted by two indirect competitors of his current company for job interviews.

The first firm, Mega, was not one he was particularly interested in, but he thought he should consider it because when you are facing unemployment, a job is a job. He really hoped that he might have a good chance with Giga, the second firm.

He was able to interview at both firms on the same day. Going first to Mega, he sat down with the director of manufacturing, Mrs. Nguyen. She was obviously trying to get him interested, but Jiminez wasn’t biting. In an effort to get him to consider Mega, she said, “Your résumé shows a wonderful background in the new polymer production technology. We are building a new plant right now in Charleston, South Carolina, based on that technology. Your management and technical background would make you a perfect facility manager.”

Jiminez made a vaguely affirmative sound, and Nguyen pressed her case. “You could be running a state-of-the-art facility for us. It is being built as we speak. Look at the technology we’ve put into this,” she said as she unrolled the plans and specifications for the plant. Mr. Jiminez looked the plans over and left shortly thereafter, still reluctant about joining the firm.

A couple of hours later, Jiminez was sitting in the vice president’s office at Giga. He had been taken there by security, and was now uncomfortably fingering his visitor’s badge. The VP, Mr. Hoh, was talking in a casual fashion about his own background and Giga’s overall philosophy, but he did not seem impressed by Jiminez, who felt that his chances of any job with Giga were slipping away.

While they were talking, Hoh’s assistant, Mr. Wilkins, walked into the room. Nodding to Jiminez, Wilkins looked at Hoh and said, “I’m sorry to interrupt, but we have to get going in a few minutes for Charleston. The high altitude photo shoot is set for tomorrow morning.” “Fine, I’ll be with you in a minute,” replied Hoh.

Sensing that his time and thus his chances were almost gone, Jiminez interrupted. “South Carolina? You mean you are going to take photos of the new Mega plant site?” Seeing the startled look on their faces, he continued, “You won’t see much there. The plant is already under roof. But maybe I can help you.”

After 15 minutes of conversation about the Mega plant, Hoh thanked Jiminez, who left. A few days later, Jiminez received a polite letter from Giga thanking him for interviewing but expressing regret that they did not require his services.

This case shows two CI security failures. The first, of course, was when Mega’s interviewer did not ask for a signed nondisclosure agreement before revealing confidential plant plans. The second failure was at Giga, where Wilkins, by speaking to Hoh in front of Jiminez, revealed Giga’s intentions to take aerial photos of Mega’s plant. Jiminez might well have gone back to Mega with that information.

How could this have been avoided? Awareness is the key to a good defensive CI program. This case study shows the importance of having employees be aware of the unintended impacts of several different elements of the hiring process.

The problem is that when someone routinely interviews job candidates, the presence of an outsider in that office soon becomes so mundane that the outsider becomes “wallpaper.” The individuals who regularly visit that employee’s office no longer notice the presence of a prospective employee. So an outsider can accidentally become privy to an inside conversation because his or her presence is ignored.

The second problem or risk in the hiring process is the understandable effort by an individual to impress a potential employer or by an employer trying to impress a potential employee. A firm must clearly inform its staff about the need to be circumspect in these situations. Whether they are speaking as a potential employee or as the representative of the company in its bid to become a potential employer, they should bear in mind that if the interview does not result in a new employment situation, the information relayed to the candidate could get to a competitor. It’s especially important to remind employees that they are bound by their nondisclosure agreements in these situations as well.

Two road warriors. One road warrior in coach quickly occupied the valued aisle seat that let him spread out before take-off and start to work on the papers dealing with a corporate planning retreat set for two weeks from the travel date. Oh yes, of course the papers were all stamped confidential.

How did we (the authors) know? The papers were almost completely covering the adjacent lap tray, which is where one of us was seated. We could see almost all of them at once.

In another case, the plane was not ready to take off. But this road warrior too could not wait to get to work. She was involved with something really important. How did we know? She took out both her laptop and her cell phone. Opening the laptop to her company’s proposal form, she then called her partner, loudly relating the details of the meeting with the potential client, whom she even named, and she then started to rework the proposal. Evidently, that revision was to meet a competing proposal just received by this potential client. She never stopped to think that the competitor or anyone who might relay information back to that company might be on this flight.

What are the odds, you say, that a competitor of yours, or a CI firm working for them, will see your people, your consultants, or your contractors doing things like these? Anecdotal evidence suggests it happens all the time.

A client of ours related the following story: She was traveling on business. The person sitting next to her on the plane opened up his laptop, without saying hello or asking who she was or where she worked. He pulled up what was clearly a comparative table showing his product’s sales and other data measured against a competitor’s product, including market projections.

The large screen on the laptop made it easily, almost inevitably, viewable from adjacent seats. As it turned out, our client was the product manager of that very competing product. So CI lightning does strike—and like real lightning, it takes only one hit to burn your company and put it out of commission.

How could this have been avoided? Business travelers should confine the work they do in public areas, such as on airplanes or in airport lobbies, to nonsensitive matters. Companies should instruct staff who travel to restrict work to safe subjects and to always assume that the person sitting next to them works for a competitor.

Defensive Measures
A defensive CI program protects a company’s information assets from legal and ethical collection efforts. Those charged with this task must have a working knowledge of CI techniques. Defensive CI typically involves CI professionals in an educational or advisory role. They help the firm determine what kinds of raw data competitors will probably try to capture. They then teach all company employees how to protect that data. The security department can lead this training effort if the company does not have a formal CI unit.

The company’s legal team, through the use of contracts and civil law, has an important role to play in the protection of information assets. Legal tools can include patents, nondisclosure agreements (NDAs), and noncompete agreements. Also critical is the creation and enforcement of a trade secret program.

The company will, of course, need to have good physical and IT security protocols and systems to prevent illegal activity, such as breaking and entering, hacking, and theft. These measures will also help the company to bolster claims in court should the company have to enforce its trade secret rights or nondisclosure agreements. In the real world, however, as the previous case studies show, information is often lost in ways that are beyond the control of office locks and IT firewalls.

Cloaking. Defensive CI can be viewed as having two parts. One component is the process of monitoring and analyzing your own business’s activities as your competitors and other outsiders see them. The other component, sometimes called cloaking, involves dealing with CI directed against your company. It has as its mission the protection of your company secrets from the CI efforts of its competitors.

By using the term cloaking, we are trying to evoke the image of a firm that has made itself virtually invisible to CI monitoring efforts. And that invisibility is based on an understanding of the ways in which it can be detected and tracked by its competitors through their CI efforts.

No firm can protect all of its potentially important information, however. Thus, no enterprise can be completely invisible to CI efforts. If it were, it could not compete, for it could not be in contact with its customers, its suppliers, or others with whom it must exchange information to do business.

It is possible to push cloaking too far, in fact. Whoever is operating that program must avoid the attitude that he or she will control everything that goes out to the public through every channel. That attitude is paranoid and damaging. At the same time, the company must strive to protect most of the information that could aid a competitor.

Cloaking seeks to protect not just 5 or 10 or 20 percent of a firm’s information assets from theft or misappropriation, but rather to keep as much as possible of the 80 to 90 percent that could be discovered through legal means from getting to competitors when and where they can use it.

How does a cloaking program work? In those firms that have a formal CI unit, it is preferable to have the CI manager run the cloaking program in close coordination with the personnel involved with security and intellectual property protection. In those cases where a firm lacks a CI unit, those involved with security issues should be charged with developing a cloaking program.

The core of cloaking lies in three basic concepts: First, the company must understand the channels through which a competitor could gather raw data on the firm. Second, it should then seek to control what goes into those channels. As a part of that, it should also determine what activities are of greatest competitive interest and focus CI efforts on protecting those areas. Third, the company should also understand how competitors would analyze collected data, which will help it assess the kind of data that competitors need to conduct their analysis.

Among these three cloaking program components, the most critical is the second one—determining what information would be of most use to CI analysts and protecting it. In addition, since it involves the least application of the basic tools of CI, it is the most logical concept to serve as the key of a cloaking program run by personnel not involved with CI.

What the program wants to accomplish is to make sure that your employees adopt a “cloaking attitude.” The program can be seen as a continuous screening process, by which you seek to protect the firm from the competitive intelligence efforts of competitors. You are not managing their perceptions; you are selectively depriving them of access to critical bits of data at critical points in time.

Realistically, no company can become invisible to its competitors. A combination of diligent data collection efforts placed in the hands of skilled analysts will enable any competitor to determine over time what it needs to know about what its competition is doing, planning to do, and capable of doing. That’s the bad news. The good news is that companies do not have unlimited resources to throw at these CI efforts.

CI units operate with limited assets, both in terms of time and money, so not all competitors can conduct the optimal scope of data collection. Similarly, while there are skilled competitive analysts in many competitive intelligence units, there are very few who can be considered “world-class.”

Consequently, a cloaking program can be successful merely by making it difficult for an average analyst to collect data and develop intelligence within time and budget constraints. On balance, while a company cannot become invisible, by making its operations difficult to track and analyze, it can cause many intelligence initiatives to be turned towards easier targets.


