Collecting intelligence about competitors is a regular part of any organisation’s operations. Knowing how competitors are operating and what their plans for the future are plays an important part in long-term business strategies.
Most competitor intelligence is gleaned from information available in the public domain: product literature and prices, websites, annual reports, patent applications etc. Legitimate and ethical research into this intelligence provides insight into competitors’ marketing and corporate plans, as well as a greater understanding of how markets are evolving.
However, there is another side to information gathering which strays into the illegal activity of industrial (or corporate) espionage. This happens when intelligence gathering crosses the line between information available to the public and that which is deemed private or confidential. New product development, mergers and takeovers, changes to operational structure and customer data are all information organisations would not want to fall into the hands of competitors or be leaked to the media.
Understanding where the leaks might come from is the first step to ensuring the security of your business intelligence and maintaining competitive advantage.
- Insider leaks
There are two sides to the problem of employees leaking confidential or sensitive information. On the one hand, a disgruntled employee might be quite easy to talk into collecting and providing information over a drink, or with the promise of a job in a competing company. On the other hand, many organisations place a strong emphasis on being helpful, and most employees don’t fully understand that information handed out quite innocently in response to a general enquiry might become more powerful or profitable when combined with information available in the public domain.
- Social engineering
Criminals are using ever more inventive ways to circumvent the stronger security measures adopted by businesses. One which is becoming increasingly popular is to exploit weaknesses in the human element of security regimes through social engineering. Social engineering is the psychological manipulation of people in order to get them to perform a specific action or to divulge confidential information.
Common techniques used to commit this crime include pretexting (making up elaborate lies to get staff to divulge information or perform a certain action), diversion theft, phishing (fraudulently obtaining private information by email, text or phone) and baiting (leaving discs, CD-ROMs or USB sticks lying around which will install malware as soon as a curious victim picks one up and plugs it into a computer).
- Technology
Alongside the new opportunities technological developments bring to organisations, they also bring a number of security threats as criminals devise ways to use them to collect intelligence. Mobile phones are commonly used as bugs to pick up and transmit private conversations. An eavesdropper need only leave an innocent-looking target phone in a room in order to covertly call in and eavesdrop on private conversations taking place. The camera and video functions on mobile phones are also a means of stealing imagery of new products and confidential documents.
Similar to mobile phones, small GSM bugs can be hidden in a room and dialled into from anywhere in the world to pick up audio. These bugs are so small they are hard to detect, and they can also be disguised as everyday office items such as a PC mouse or phone charger, making their discovery even more difficult.
Keystroke loggers are another technical means of collecting data from a PC. These devices allow the eavesdropper to record and track the keys being hit on a keyboard. Not only does this provide information on the content of emails and documents, but also bank and credit card details.
To stem these leaks there are a number of actions an organisation can take.
- Decide which information is sensitive or confidential and classify it as such.
- Inform all employees which information is sensitive.
- Train employees in how to handle sensitive information, i.e. who is allowed access to what, how to verify the identity of someone requesting sensitive information, and how to act if an information request arouses suspicion.
- Conduct regular unannounced tests of security and implement physical, procedural and technological improvements.
Alongside these internal security checks and measures, organisations can call upon the services of TSCM (technical surveillance countermeasures) professionals to assist with the task of detecting and removing electronic eavesdropping threats. Calling on counter-surveillance experts to conduct regular bug sweeps of offices and board rooms will ensure that information intended to be private remains so and that competitive advantage is maintained.