Corporate spying: snooping, by hook or by crook

Corporate spies come in many guises, but they all have one thing in common: They want to use your company's secrets for competitive gain. This is a five-step guide to how snoops operate.


If a thief tries enough doors, odds are good he'll eventually find the one that's been left unlocked. Consider the following examples.

In the week before one company released its quarterly report, employees in units that report to the CFO received some 200 calls from people claiming to be with a credit reporting agency that needed information about the earnings report prior to its release. Employees were instructed to transfer all such inquiries to the security office, but the calls kept coming. A research company hired by the competition was betting that eventually, someone would slip.

An engineer regularly had lunch with a former boss now working for a competitor, and he fancied himself a hero as he collected rewards from management for gathering competitive intelligence. Little did he know that the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 14 months.

Immigrants from Eastern Europe who were working as scientists on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists; they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.

All of the previous stories are true. "People think that stuff doesn't happen, that it's all TV and movies, but the fact is that these things do happen, not every day, but with regularity," says William Boni, vice president and CISO of Motorola and a former Army counterintelligence officer who coauthored Netspionage: The Global Threat to Information.

"I call it the death of a thousand cuts," Boni continues. "Because most organizations don't have a means of tracking the loss of proprietary information; they go on constantly hemorrhaging, constantly losing market share. Gradually it takes the vitality out of the organization because it's hard to invent and create things faster than people are leaking it or stealing it. It might be seen as, oh well, that's just bad luck in business."

But it's bad luck that adds up to billions of dollars each year for U.S. businesses, according to a survey done by the American Society for Industrial Security. The 138 companies that responded to the September 2002 survey reported that the loss of proprietary information, often in the form of research and development or financial data, cost them at least $53 billion in 2001 alone.

Fortunately, hanging onto proprietary information, whether it's a trade secret or just a few strategic details that may seem inconsequential, isn't just about luck. It's about understanding the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of "competitive intelligence" researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies, hired by competitors or even foreign governments, who'll stop at nothing: bribes, thievery, a pressure-activated tape recorder hidden in your CEO's chair. Most tromp on a gray zone in between.

The boundaries between espionage and competitive intelligence might matter to those in the profession, but regardless of how these snoops operate, they all have one thing in common: They want to use your company's secrets for competitive gain. And the sometimes subtle distinctions between legal and illegal, ethical and unethical, should matter little to the CSO. "I don't care if they're ethical or not," says Richard Lew, director of security and risk management for Dial Corp. "It's our information; go away."

Making them go away, however, depends on understanding them. To help, we've compiled a five-step primer on how the bad guys operate. Use it at your competition's risk.

Find Out What's Public

Leonard Fuld has had this conversation before. "Everybody would like to think about the dark side," gripes Fuld, whose eponymous intelligence consulting company in Cambridge, Mass., has one of the less-blemished reputations among companies that deal in corporate secret gathering.... Excuse us, competitive intelligence.

"You need to make it clear to your audience," he lectures, "that more damage is done by a company being lax about how it handles information than by thieves. Sure, there are people out there who want to take your information, but more often than not, your own company is doing damage to itself by not being tight about how it controls information." That laxity, he insists, and not social engineering trickery or outright illegality, is what allows his company to gather competitive intelligence, both for companies that want to keep tabs on rivals and those that want to identify their own leaks.

Fuld has a point about those plain-sight opportunities. Salespeople show off upcoming products at trade shows. Technical organizations describe in great detail their R&D facilities in job listings, trying to attract top-notch scientists. Suppliers brag about sales on their websites. Publicity departments issue press releases about new patent filings. Companies in industries targeted by regulators over-report information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can be part of the public record. Employees post comments on Yahoo bulletin boards.

Those pieces of data tell a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of its manufacturing facility or focus research in a profitable direction. "The dots of data are out there in different forms; it's a matter of somebody piecing together that picture," says Fuld, who compares his job to looking at the dots of a pointillist painting and being able to imagine the greater picture.

And if the dots aren't in public places? He can start making phone calls.

Work the Phones

You'd be shocked by the things people tell John Nolan. This is the man who got his fingers burned in the infamous "dumpster diving" espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won't comment on the case, which was settled out of court, but he insists that there's no need for his company to break the law. "In our experience, it's just not worth it," says Nolan, founder of the Phoenix Consulting Group. "It's just not necessary. It's a pain in the neck."

Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That's because the more information Nolan knows about the person who answers the phone, the better he can work that person for information.

"I identify myself and say, 'I'm working on a project, and I'm told you're the smartest person when it comes to yellow market pens. Is this a good time to talk?'" says Nolan, describing his methods. "Fifty out of a hundred people are willing to talk to us with just that kind of information."

The rest? They ask who Phoenix Consulting Group is. Nolan says, and this is true, that Phoenix is a research company working on a project for a client he can't name because of a confidentiality agreement. Fifteen people hang up, and the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files: one, information for his client, and the second, a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details like hobbies or graduate school.

A former intelligence officer, Nolan doesn't ask direct questions but instead uses a method known as "elicitation," guiding the conversation in ways that seem innocuous. Suppose he wants to know how a company is pricing a product for government procurement so that his client can win a bid. He calls someone in accounting. "Nobody ever runs down to accounting and says, 'Ooh, this is so exciting.' So I convince him I'm interested in who he is and what he does. I can be really slow, and I can be confused. I can make purposely erroneous statements: 'You guys are probably getting $5,000 a widget out there.' And he'll say, 'You gotta be kidding, times are tough. We had to reduce our prices down to $3,200.'"

"People get pretty sophisticated in their scams," says Lew, who makes sure Dial employees receive awareness training. "They'll come up with a plausible answer to any question you might have. Before you know it, a five-minute survey turns into a 20-minute gut-wrenching experience, and you hang up thinking, 'I took care of that, I'm an expert.'" In fact, quite the opposite is true. You've just been duped.

This is the kind of social engineering that infamous hacker Kevin Mitnick glamorizes in his new book The Art of Deception. Such scams might also include "pretext" calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork or a board member's secretary who needs an address list to mail Christmas cards.

Most of those calls aren't even illegal. Although it is against the law to pretend to be someone else in particular (Sam up in the CEO's office), it's not illegal to be dishonest, points out Richard Horowitz, a New York attorney who helped formulate SCIP's guidelines. People do it all the time. "It's not illegal to lie and say to someone, 'Yes, your daughter looks beautiful on her wedding day,'" he says.

In the business world, "Whenever someone manages to get information about you that you didn't want them to have, you're going to call it espionage," he continues. "People use the words theft and spooking and spying when they don't like what the other person does."

Meanwhile, the other person has plenty more tricks.

Go Into the Field

During the technology boom, one early morning flight from Austin, Texas, to San Jose, Calif., earned the nickname the "nerd bird." Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals, who might overhear useful discussions among coworkers talking loud enough to be heard over air vents and engine roar, perhaps behind a shoulder-surfable PowerPoint presentation or financial spreadsheet.

Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. There, an operative working for the competition might corner one of your researchers after a presentation or pose as a potential customer to the sales team to try to get a demo of a new product or learn about pricing.

Again, this isn't illegal or even, some say, unethical. Fuld & Co. once did a scruples survey asking 122 competitive intelligence professionals in Europe and North America whether it was normal, aggressive, unethical or illegal to take off your badge before approaching a competitor at a trade show. In North America, 34 percent of respondents considered this behavior aggressive, and 50 percent found it unethical. In Europe, however, 56 percent of respondents said this was normal behavior. That's your problem, by the way. "It behooves the person on the other side of the trade show booth to find out who you are," Fuld says.

It also behooves the chief security officer to ensure that employees know not to talk about sensitive business in public places, and to work with the marketing department to make sure the risks of revealing information at a trade show don't outweigh the benefits of drumming up business.

And then there are those times when a company lets a near-stranger inside its doors for that most delicate of all conversations: the job interview. It's unlikely that competitors would risk directly sending someone on a job interview, but it is entirely possible that they could hire a questionable competitive intelligence firm to check things out, or, more likely, hire a reputable competitive intelligence firm that contracts out its dirty work.

"They would go through the interview process to find out about what type of work the person would be assigned to and what kind of experience the company was looking for," explains Richard Heffernan, president of R.J. Heffernan Associates, who has done consulting for IP-intensive clients in the technology and biotech sectors. Heffernan's work includes educating employees about counterintelligence. "They'd try to find out as many scientific and technical details as possible," he says.

This cuts both ways. A competitor also might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.

As with comments made in public places, even the most offhand statements ("We were working on XYZ, but we're expecting to work on ABC next year") can be incredibly useful to a competitor, Heffernan explains. "If I know an area that a company has not been working on and why, I will not spend time trying to duplicate a lot of research; I will use a different path," he says.
