Network World
Saturday, November 22, 2008

Stiennon on Security


Competitive intelligence versus industrial espionage

Every organization should be aware of the types of techniques competitors use to gather intelligence on their business or operations.  It sometimes catches you by surprise to learn of the types of activity your competitors engage in.  A friend of mine once interviewed at one of the Big Four accounting firms (PwC, KPMG, E&Y, Deloitte). The person she interviewed with was ex-agency (CIA, NSA, FBI). The questions she had to answer were very telling:
1.    You are sitting on an airplane next to a consultant from a competing organization. He has his laptop open and is working on a proposal. Do you lean back and read that proposal?
2.    The airline passenger gets up to go to the bathroom, leaving a folder of documents on his seat. Do you leaf through it?
3.    You find some key documents in a hotel lobby relating to a competitor’s bid on the same project you are working on. Do you keep the documents or turn them in to the hotel unread?
Yes, large companies do employ people who are charged with gathering this type of information.  There are some great tools online for gathering competitive intelligence.  Knowing what Google keywords your competitor is purchasing as well as what their total spend is can be useful.  Page rank, Alexa data, banner ad programs are useful as well.
While some of this data cannot be hidden from snooping competitors there are some precautions you should be taking.  
1.    Make sure that you have no “unpublished” pages on your website. Directories such as /stage, /temp, /index2, /new, are easily discoverable.
2.    Configure your email servers so they do not bounce emails sent to unknown users.  Valid addresses can be discovered by the lack of a bounce when someone brute-force emails every combination of first name and last name.
3.    Check regularly for registrations of domain names that are simple misspellings of your primary domain.
This last point is an interesting one.  Say an attacker is hoping to harvest interesting documents sent to your organization: purchase orders, invoices, reports from your accountants, etc.  They can register a domain that is a common misspelling of yours and collect any emails accidentally sent to it.  A researcher at Symantec reported last week that he believes he has found such an attempt registered out of China.
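One way to run the check in precaution 3, as an added example that is not part of the original post: generate the single-typo variants of your primary domain and compare them against a list of domains you have seen registered. The function names, the keyboard-neighbour table and the sample domains are constructed for illustration; where the observed list comes from (a registration feed, periodic DNS lookups) is an assumption left to the reader.

```python
# Added example: flag observed domains that are one typo away from yours.
# All names and sample data here are constructed for illustration.

QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _neighbours(ch):
    """Letters directly left and right of ch on a QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return ""  # digits, hyphens: no substitutions generated


def typo_variants(domain):
    """Return single-typo variants of the first label, same suffix."""
    label, _, suffix = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])            # dropped letter
        out.add(label[:i] + ch * 2 + label[i + 1:])   # doubled letter
        if i + 1 < len(label):                        # swapped pair
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in _neighbours(ch):                     # adjacent key
            out.add(label[:i] + n + label[i + 1:])
    out.discard(label)  # swapping identical letters yields the original
    out.discard("")
    return {f"{v}.{suffix}" for v in out}


def find_lookalikes(primary, observed):
    """Return the observed domains that are single-typo variants of primary."""
    variants = typo_variants(primary)
    return sorted({d.lower() for d in observed if d.lower() in variants})


if __name__ == "__main__":
    # Constructed sample of "seen as registered" domains.
    observed = ["exmaple.com", "exampl.com", "examplle.com",
                "ezample.com", "example.org", "unrelated.net"]
    for hit in find_lookalikes("example.com", observed):
        print("review registration:", hit)
```

Run it on a schedule against fresh registration data and review each hit by hand; a match only means the name is a plausible misspelling, not that it is hostile.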

There may be a fine line between competitive intelligence gathering and industrial espionage. In my mind, information that is in the public domain is legit for CI while internal documents are not.  You should protect yourself from the gathering of both types of intelligence.

An interesting subject


At least for me - rules learned in 70's in insurance business, etc. I used to hire an outside security company to check all that kind of holes in our security because trying to find those yourself doesn't always work. Why, because people know you so they automatically trust you more and are more careless. Of course you can always tell them that you shouldn't do this or that but if they get it on report (not always published - heh!) from outsider it is more effective.

In IT, we had very strong(?) authentication, authorization and auditing in place - accessing the system of company information and even for all the HW and HW manuals. Did catch one industrial spy, credentials correct but the operators got suspicious and called cops. Did catch many insiders - some mistakes, some malicious (big ones - a lot of money going around..) Competitors were not so bad, they had the same problems so we did work together - a meeting once a month on security and if any did even think someone distributing inside information, all were informed and it was checked out.

Today the view is a little (not much) different, Internet has created its own problems, but the basics haven't changed. Don't leave information unsafe, don't let unauthorized persons see it, try to minimize the mistakes caused by technology, layer your security and, most important, test and audit the security regularly.

Institute for Competitive Intelligence


We train Competitive Intelligence Professionals around the world. Competitive Intelligence is not Industrial Espionage; it's more like collecting and analysing data.

The Institute for Competitive Intelligence offers 22 single workshops or a complete certification program, the "Certificate of Proficiency in Competitive Intelligence" (trademark).

Link: http://www.institute-for-competitive-intelligence.com/index.php


About Stiennon

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.